Serv-U 7 Local Elevation Tool

Source: Internet
Author: User

Note: because the author is lazy and did not implement a log-clearing function, the tool leaves log entries behind.

I. How many ways are there to escalate privilege on su7?
There are two ways to take su7.
1> Log on to the Administrator console page
==> Get the organizationid, used when adding users
==> Obtain the "next new user ID" for global users
==> Add a user
==> Add user permissions (or global user permissions)
==> Log in as that user
==> Execute a system command to add a system account.
2> Log on to the Administrator console
==> Basic Web Client
==> Go to the Serv-U directory -- Users -- global user directory
==> Upload a user file you have defined yourself
==> Log in as that user
==> Execute a system command to add a system account
This tool uses the first method.

II. How does the privilege escalation work?
The su7 management platform runs over HTTP.
Packet capture and analysis showed that the following paths are usable.
1. When the administrator opens the web page from the console, no password check is performed.
2. When the administrator opens the web page through a URL, a password is requested, but the page can be reached no matter what password is entered: "/?Session=39893&language=ZH,CN&localadmin=1"
3. The administrator can add two types of users: global users and users within a particular domain. Permission settings likewise exist both globally and per user.
4. The packet in which the Administrator adds a user, and the packet that sets that user's permissions.
Therefore I captured the packets and replayed them as POST requests over a PHP socket connection.
Finally, log in with a classic FTP session and execute the SITE EXEC command; privilege escalation is achieved.
While writing the PHP I ran into many problems, such as not knowing how to use the functions (-_-! I had never learned PHP before). Thanks to "yunshu niu" for the help...
During packet analysis some characteristics stood out: all data returned by the server is sent in XML format, and the transport design is classic.
Su7 also has its own database, and it also generates an ID.
This ID is random. When you create a user, you first ask the server to generate one, and then modify the user name and password of that ID.
This is similar to Oracle's insert method.

While writing the tool I ran into a lot of trouble. The biggest was the ID problem, which I worked out later.
The same ID is also used when adding permissions.
As a result, the tool connects to the server six times:
1. Log on to the platform, using the page address that accepts any password. A sessionid is returned and used in all later packets.
2. Obtain the organizationid needed to add users.
3. Request a user ID.
4. Modify the login user name and password for this ID.
5. Modify the permissions of this ID, adding write and delete access to drive C.
6. This connection does the damage: log in as the user added above and execute system commands.
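The six-connection chain above, turned into a detection rule for the administrator's side: this is an added example, not part of the original tool, run over a constructed and simplified event log whose line format, command names (ModifyUser, ModifyUserAccess), addresses and time window are assumptions rather than real Serv-U log output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log, not real Serv-U output: "<epoch> <src-ip> <channel> <text>".
# Command names (ModifyUser, ModifyUserAccess) and addresses are assumptions.
SAMPLE_LOG = """\
1000 10.0.0.5 http GET /?Session=39893&language=ZH,CN&localadmin=1
1002 10.0.0.5 http POST /?Session=39893 Command=GetNextUserID
1003 10.0.0.5 http POST /?Session=39893 Command=ModifyUser Name=tmpuser
1004 10.0.0.5 http POST /?Session=39893 Command=ModifyUserAccess Drive=C Write=1 Delete=1
1010 10.0.0.5 ftp USER tmpuser
1012 10.0.0.5 ftp SITE EXEC script.bat
1100 127.0.0.1 http GET /?Session=40001&localadmin=1
2000 10.0.0.9 ftp SITE EXEC other.bat
"""
WINDOW = 600  # max seconds from console bypass to SITE EXEC (assumed tuning value)

# The chain from the writeup, reduced to the substrings that mark each stage.
STAGES = (
    ("console-login-bypass", "localadmin=1"),
    ("user-created", "ModifyUser "),        # trailing space: not ModifyUserAccess
    ("permissions-granted", "ModifyUserAccess"),
    ("site-exec", "SITE EXEC"),
)


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, channel, text)."""
    ts, src, chan, text = line.split(" ", 3)
    return int(ts), src, chan, text


def detect(log_text):
    """Return findings: remote localadmin=1 hits, and complete chains per source."""
    findings = []
    progress = defaultdict(lambda: [0, None])  # src -> [next stage index, first ts]
    for line in log_text.splitlines():
        ts, src, chan, text = parse_line(line)
        # localadmin=1 is meant for the local console; from a remote address it is
        # the any-password login the writeup describes.
        if "localadmin=1" in text and not ipaddress.ip_address(src).is_loopback:
            findings.append(f"{src}: localadmin=1 console access from non-local address")
        idx, first = progress[src]
        if idx < len(STAGES) and STAGES[idx][1] in text:
            first = ts if first is None else first
            idx += 1
            if idx == len(STAGES):
                if ts - first <= WINDOW:
                    findings.append(f"{src}: full escalation chain in {ts - first}s")
                idx, first = 0, None
            progress[src] = [idx, first]
    return findings
```

Stage order matters: a lone SITE EXEC from 10.0.0.9 is not reported, and the loopback localadmin=1 request is treated as legitimate console use.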

III. Why does the escalation fail even though it clearly shows "success"?
This depends on the errorCode. I am rather embarrassed here: I have not written detailed error-code handling to judge it.
Generally there are the following situations:
1. The administrator password may be wrong.
Refer to the section on the administrator password.
2. The administrator may have restricted execution of SITE EXEC.
Pending a program change: a function could be added to the tool to lift that restriction.
3. It may be a bug in the program.
IV. Why don't I fix it, given all these reasons?
Haven't you noticed? Once something is done perfectly, a more systematic defense solution comes out.
If it is not perfect, let them think this is all we are doing, and the defense system will follow suit.
If you don't believe it, wait a while: when the defense solution comes out, it will surely include "modifying SITE EXEC so it cannot be accessed".
At that time, I will write another function and change it back.
So whenever everyone advocates XXXX, I will solve the problem again. Let's get started with this :)

V. About the Administrator Password

The default value is empty. If the password is empty, anything you enter is accepted.
If the administrator password has been changed, it is stored by default in the file
C:\Program Files\rhinosoft.com\Serv-U\Users\local administrator domain\.Archive
where
C:\Program Files\rhinosoft.com\Serv-U
is the root directory of Serv-U.
The password value has the format (assuming the password is 123456)
kx################################
where # stands for the 32-character MD5 hash of 123456 and kx is a random 2-character value from Serv-U's improved password algorithm.
The plaintext to recover is then kx123456, where kx is the prefix.
You can generate a dictionary for this encryption.

Abu's comment:
Serv-U 7 local elevation-of-privilege tool. It requires a Windows platform with Serv-U 7 installed and PHP support. This is a privilege escalation tool written in PHP; an ASP version is expected soon.
