During routine penetration tests we usually add users with the net command, but we also frequently run into hosts where net cannot be used. This post shows how to add a user through the Win32 API instead; it is a fairly old trick.
How the code works:
NetUserAdd creates an account with ordinary user privileges; NetLocalGroupAddMembers then grants administrator privileges by adding that account to the local Administrators group.
API prototypes:
    NET_API_STATUS NET_API_FUNCTION
    NetUserAdd (
        IN  LPCWSTR servername OPTIONAL,
        IN  DWORD   level,
        IN  LPBYTE  buf,
        OUT LPDWORD parm_err OPTIONAL
    );

    NET_API_STATUS NET_API_FUNCTION
    NetLocalGroupAddMembers (
        IN LPCWSTR servername OPTIONAL,
        IN LPCWSTR groupname,
        IN DWORD   level,
        IN LPBYTE  buf,
        IN DWORD   totalentries
    );
Microsoft's official demo is reproduced below; adapt it as you need:
    #ifndef UNICODE
    #define UNICODE
    #endif
    #pragma comment(lib, "netapi32.lib")
    #include <stdio.h>
    #include <stdlib.h>   // exit()
    #include <windows.h>
    #include <lm.h>       // NetUserAdd, USER_INFO_1, NERR_Success

    int wmain(int argc, wchar_t *argv[])
    {
        USER_INFO_1 ui;
        DWORD dwLevel = 1;          // information level matching USER_INFO_1
        DWORD dwError = 0;          // receives the index of the first bad field on ERROR_INVALID_PARAMETER
        NET_API_STATUS nStatus;

        if (argc != 3)
        {
            fwprintf(stderr, L"Usage: %s \\\\ServerName UserName\n", argv[0]);
            exit(1);
        }

        //
        // Set up the USER_INFO_1 structure.
        // USER_PRIV_USER: name identifies a user,
        // rather than an administrator or a guest.
        // UF_SCRIPT: required
        // Note: the demo sets the password equal to the user name.
        //
        ui.usri1_name = argv[2];
        ui.usri1_password = argv[2];
        ui.usri1_priv = USER_PRIV_USER;
        ui.usri1_home_dir = NULL;
        ui.usri1_comment = NULL;
        ui.usri1_flags = UF_SCRIPT;
        ui.usri1_script_path = NULL;

        //
        // Call the NetUserAdd function, specifying level 1.
        // argv[1] is the target server name (e.g. \\ServerName); NULL would mean the local machine.
        //
        nStatus = NetUserAdd(argv[1],
                             dwLevel,
                             (LPBYTE)&ui,
                             &dwError);

        //
        // If the call succeeds, inform the user.
        //
        if (nStatus == NERR_Success)
            fwprintf(stderr, L"User %s has been successfully added on %s\n",
                     argv[2], argv[1]);
        //
        // Otherwise, print the system error (NET_API_STATUS is a DWORD, so use %lu).
        //
        else
            fprintf(stderr, "A system error has occurred: %lu\n", nStatus);

        return 0;
    }
I modified it slightly so that, on success, it automatically creates an account with
username: test$
password: Test@#123
Note: administrator privileges are required.
Project: https://github.com/lengjibo/NetUser
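From the defender's side, the technique above leaves a recognisable trace in the Windows Security log: NetUserAdd produces event 4720 (a user account was created) and NetLocalGroupAddMembers produces event 4732 (a member was added to a security-enabled local group), typically seconds apart, and a `$`-suffixed name like test$ is unusual for a 4720 because computer accounts are logged under 4741 instead. The script below is an added example, not code from the post or from the NetUser project; it parses a few constructed, simplified log lines (the host names, subjects, timestamps and key=value layout are assumptions for the example, not real Windows log formatting) and correlates creation and privileged group membership for the same account.

```python
"""Added example (not from the original post or the NetUser project):
correlate Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group) to flag an account that
is created and then placed into a privileged local group shortly after.
The sample lines below are constructed; real events are XML/EVTX, so the
parser here is only a stand-in for whatever your SIEM exposes."""
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified key=value layout, not real logs).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 EventID=4720 Subject=CORP\\alice Target=test$ Host=WS01",
    "2024-01-01T10:00:02 EventID=4732 Subject=CORP\\alice Member=test$ Group=Administrators Host=WS01",
    "2024-01-01T11:30:00 EventID=4720 Subject=CORP\\helpdesk Target=jdoe Host=WS02",
    "2024-01-02T09:00:00 EventID=4732 Subject=CORP\\helpdesk Member=jdoe Group=Remote Desktop Users Host=WS02",
]

# Local groups whose membership we treat as privileged (assumed list).
PRIVILEGED_GROUPS = {"Administrators"}
# Creation followed by privileged membership within this window is flagged.
DEFAULT_WINDOW = timedelta(minutes=10)

# key=value pairs; values may contain spaces, so stop before the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = {k: v for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def is_hidden_style_name(account):
    """A trailing '$' hides an account from `net user` listings; for a 4720
    (user, not computer, account) that is a strong signal on its own."""
    return account.endswith("$")


def detect_privileged_account_creation(lines, window=DEFAULT_WINDOW):
    """Return findings for each 4720 followed within `window` by a 4732 that
    puts the same account (same host) into a privileged group."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    created = {}   # (host, account lower-cased) -> creation timestamp
    findings = []
    for ev in events:
        if ev["EventID"] == "4720":
            created[(ev["Host"], ev["Target"].lower())] = ev["ts"]
        elif ev["EventID"] == "4732" and ev["Group"] in PRIVILEGED_GROUPS:
            key = (ev["Host"], ev["Member"].lower())
            t0 = created.get(key)
            if t0 is not None and ev["ts"] - t0 <= window:
                findings.append({
                    "host": ev["Host"],
                    "account": ev["Member"],
                    "hidden_name": is_hidden_style_name(ev["Member"]),
                    "seconds_between": (ev["ts"] - t0).total_seconds(),
                    "by": ev["Subject"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_privileged_account_creation(SAMPLE_EVENTS):
        print(f)
```

In the sample data only test$ on WS01 is flagged: jdoe is added to a non-privileged group and outside the window. Tuning the window and the group list to your environment is the main knob; pairing this with an alert on any 4720 whose target name ends in `$` catches the hiding trick even when the group add is delayed.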