A little understanding of Serv-u 6.0.0.2 default account and password-vulnerability research

Get a Webshell today. The Serv-u directory was found. Look at the Servudaemon.ini.
[GLOBAL]
version=6.0.0.2
Openfilesdownloadmode=exclusive
packettimeout=300
Localsetuppassword=ah6a0ed50add0a516da36992db43f3aa39

6.0.0.2 version of. Once saw which said the 6.0 version of the default local management account and password is still the original one. But it seems that the 6 version of the password has been changed.

Well, here it is. One more line of Localsetuppassword. Is it possible that the original default password has been set by it? Add the MD5, calculate the pure number is still OK. Chances are slim.

Try to write ... Insufficient display of permissions (everything is expected). OK try the default account and password.

Uploaded the Xiaolu's serv-u privilege promotion tool.

Netstat-an |find "43958"
TCP 127.0.0.1:43958 0.0.0.0:0 Listening

Well, that's the mouth.

Execute command

D:\web\www\XXXX_com\serv-u.exe 43958 "NET user Xiaoqi Amen. /add "
******************************************************
Serv-u <3.x local exploit by Xiaolu
>221 serv-u FTP Server v6.0 for WinSock ready ...
>331 User name Okay, need password.
******************************************************
#l @ $ak #.lk;0@p
>530 not logged in.
******************************************************

See 530, the heart cool a bit, so that the default password was changed.
The group wants to get confirmation. Superhei gave a very good idea. Download the main program to view the password with Uedit.
It is also the same method to modify the default password before Serv-u version 6.0, and the password length requires 14 bits (replacing #l@ $ak #.lk;0@p) with other characters.
Open ServUAdmin.exe Check, found that the password is still #l@ $ak #.lk;0@p (specially copied to Notepad observation, to prevent 0/o L/1 and other characters confused). It does not change.
So, it seems that Serv-u has not relied on it to verify?
To find out the truth. Download a serv-u 6.0.0.2 version (not installed in Chinese, not cracked, to prevent the lower version of the Chinese and cracked patches)


Before thinking, why Serv-u can not provide an administrator to change the password of the place? How many servers over the responsibility on the Serv-u ah?
OK, this time, just opened serv-u admin, found in the "Stop Service" under a more "Set Change Password" button.
Look at the Servudaemon.ini, in addition to the version changed, and the original is not different.
Back to the console click "Set Change Password" required to enter the old password, new password, confirm. Old Password? What's the old password? #l @ $ak #.lk;0@p?
Prompt password is incorrect. It's weird. Try the next blank password ... That's right.. It's depressing to me. is Localadministrator's password in Serv-u 6.0.0.2 is empty???
The Xiaolu permission to upgrade tools to change, the password to empty. Compiled and sent back up.

Execute command

D:\web\www\XXXX_com\serv-u2.exe 43958 "NET user Xiaoqi Amen. /add "
******************************************************
Serv-u <3.x local exploit by Xiaolu
>221 serv-u FTP Server v6.0 for WinSock ready ...
>331 User name Okay, need password.
******************************************************
>530 not logged in.
******************************************************

is still 530. Uh ... It's a dream. But this failure does not mean that the default password is not empty (because there is a localsetuppassword= in the configuration file for this machine)
Ok. Back, looked at my machine on the Servudaemon.ini, and sure enough a line of localsetuppassword=xxxxxxx, it seems really is just the MD5 of the configuration password. Change the serv-u password on my machine to empty (and allow me to empty) Try it again with this serv-u2.exe. 530, the brain suddenly flashed, is "empty" is #l@ $ak #.lk;0@p
serv-u.exe,yeah! success.
Here we start to suspect a problem, if the password is changed, then need to do two verification? One is #l@ $ak #.lk;0@p is a modified password.
Oh.. Excitedly with Superhei said a sentence "two times verification", modified the next permission to upgrade tool, the password to change it to my serv-u set in the password, connected. It is proved that no two validations have been performed.
To sum up, in the Serv-u 6.0.0.2 version, the initial password is still #l@ $ak #.lk;0@p but can easily modify the password in Serv-u Admin console, modify the password, The configuration is saved in the Servudaemon.ini localsetuppassword=.
The original #l@ $ak #.lk;0@p still saved only when the password is empty.

Another: To modify the local administration port. You only need to add a line of localsetupportno= port numbers to [global] in Servudaemon.ini to