  • 实现:探测可提权目录脚本

    示例代码如下

    /*
    逻辑顺序:
    1、循环遍历数组中的内容
    2、对每个数组中的内容先进行是否存在的操作
    3、存在的话那么就进行CreateFile函数操作,如果能写入则代表当前用户在该目录具有写入的权限
    */
    #include<Windows.h>
    #include<stdio.h>
    
    
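    /*
     * Probe one path and print whether the calling account can use it.
     *
     * A path ending in '\\' is treated as a directory: a marker file named
     * AbleWrite.txt is created inside it, a zero-byte write is issued, and the
     * marker is deleted again. Success means the directory's ACL grants the
     * calling account the right to create files there, which is the finding to
     * review when auditing a service or web account.
     *
     * Any other path is only checked for existence with FindFirstFileA. No
     * write is attempted on it, so the message printed in that branch does not
     * establish that the file is writable.
     *
     * Returns:
     *   0                          probe completed (also when the marker file
     *                              could not be created, i.e. not writable)
     *   1                          non-directory path does not exist
     *   ERROR_INVALID_PARAMETER    FilePath is NULL or empty
     *   ERROR_FILENAME_EXCED_RANGE marker path does not fit in MAX_PATH
     *   other                      GetLastError() of a failed WriteFile
     */
    DWORD ToCreateFile(const char * FilePath) {
    	// An empty string would make FilePath[len - 1] read before the buffer.
    	if (FilePath == NULL || FilePath[0] == '\0') {
    		return ERROR_INVALID_PARAMETER;
    	}

    	size_t len = strlen(FilePath);
    	if (FilePath[len - 1] == '\\') {
    		char szFullPath[MAX_PATH];

    		// FilePath already ends with a separator, so none is inserted.
    		// snprintf bounds the write; wsprintf would not stop at MAX_PATH.
    		int needed = snprintf(szFullPath, sizeof szFullPath, "%s%s", FilePath, "AbleWrite.txt");
    		if (needed < 0 || (size_t)needed >= sizeof szFullPath) {
    			return ERROR_FILENAME_EXCED_RANGE;
    		}

    		// The ANSI entry points are named explicitly because the arguments
    		// are char strings; the generic macros break in a UNICODE build.
    		// NOTE: CREATE_ALWAYS truncates an existing file of the same name.
    		HANDLE hFile = CreateFileA(szFullPath,
    			GENERIC_WRITE,
    			0,
    			NULL,
    			CREATE_ALWAYS,
    			FILE_ATTRIBUTE_NORMAL,
    			NULL);
    		if (hFile == INVALID_HANDLE_VALUE) {
    			// Nothing was created: there is no handle to close and no
    			// marker file to delete.
    			return 0;
    		}

    		static const char kProbe[] = "";
    		DWORD dwWritten = 0;
    		DWORD dwError = 0;
    		if (!WriteFile(hFile, kProbe, 0, &dwWritten, NULL)) {
    			// Capture the code now; CloseHandle/DeleteFileA may overwrite it.
    			dwError = GetLastError();
    		}
    		else {
    			printf("可写入路径有:%s \n", FilePath);
    		}

    		// Release the handle and remove the marker on every path, including
    		// the write-failure path that previously returned early.
    		CloseHandle(hFile);
    		DeleteFileA(szFullPath);
    		return dwError;
    	}

    	// Non-directory entry: existence check only.
    	WIN32_FIND_DATAA FindFileData;
    	HANDLE hListFile = FindFirstFileA(FilePath, &FindFileData);
    	if (hListFile == INVALID_HANDLE_VALUE) {
    		return 1;
    	}
    	FindClose(hListFile); // search handles are released with FindClose, not CloseHandle
    	printf("当前路径文件能进行提权操作:%s \n", FilePath);
    	return 0;
    }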
    
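    /*
     * Run ToCreateFile over a fixed list of Windows locations and let it print
     * one line per path that is writable (directories) or present (files).
     *
     * Entries ending in '\\' are probed as directories; the remaining entries
     * are file paths and are only checked for existence. Every directory
     * reported as writable is a candidate for an ACL review on the audited host.
     *
     * Backslashes are written as "\\" so that sequences such as "\r", "\p" or
     * "\7" are not read as escape sequences and a trailing '\' does not escape
     * the closing quote.
     */
    int main(){
    	const char *FileDictory[] = {
    		"C:\\RECYCLER\\",
    		"c:\\programdata\\",
    		"C:\\windows\\temp\\",
    		"e:\\recycler\\",
    		"f:\\recycler\\",
    		"C:\\php\\PEAR\\",
    		"C:\\WINDOWS\\7i24.com\\FreeHost\\",
    		"C:\\php\\dev\\",
    		"C:\\System Volume Information\\",
    		"C:\\7i24.com\\serverdoctor\\log\\",
    		"c:\\windows\\hchiblis.ibl",
    		"C:\\7i24.com\\iissafe\\log\\",
    		"C:\\7i24.com\\LinkGate\\log\\",
    		"C:\\Program Files\\Thunder Network\\Thunder7\\",
    		"C:\\Program Files\\Thunder Network\\Thunder\\",
    		"C:\\Program Files\\Symantec AntiVirus\\SAVRT\\",
    		"C:\\windows\\DriverPacks\\C\\AM2\\",
    		"C:\\Program Files\\FlashFXP\\",
    		"C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\ErrorDumps\\",
    		"C:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\",
    		"C:\\Program Files\\Common Files\\",
    		"C:\\Documents and Settings\\All Users\\Application Data\\Hagel Technologies\\DU Meter\\log.csv",
    		"C:\\Program Files\\360\\360Safe\\deepscan\\Section\\mutex.db",
    		"C:\\Program Files\\Helicon\\ISAPI_Rewrite3\\error.log",
    		"C:\\Program Files\\Helicon\\ISAPI_Rewrite3\\Rewrite.log",
    		"C:\\Program Files\\Helicon\\ISAPI_Rewrite3\\httpd.conf",
    		"C:\\Program Files\\Common Files\\Symantec Shared\\Persist.bak",
    		// Validate.dat was listed twice; the duplicate entry is dropped.
    		"C:\\Program Files\\Common Files\\Symantec Shared\\Validate.dat",
    		"C:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\docs\\",
    		"C:\\Documents and Settings\\All Users\\DRM\\",
    		"C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\DesktopProtection\\",
    		"C:\\Documents and Settings\\All Users\\Application Data\\360safe\\softmgr\\",
    		"C:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x\\ZendOptimizer.dll",
    		"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Media Index\\",
    	};

    	// size_t matches the type of the sizeof expression; no narrowing to int.
    	size_t count = sizeof FileDictory / sizeof FileDictory[0];

    	printf("#author:zpchcbd\n");
    	printf("#result:寻找常见的可读写目录\n");

    	for (size_t i = 0; i < count; i++) {
    		// ToCreateFile prints its own result line; the status code is
    		// deliberately not used here.
    		(void)ToCreateFile(FileDictory[i]);
    	}

    	// Holds the console window open; note this spawns cmd.exe to do so.
    	system("pause");
    	return 0;
    }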
    
  • 原文地址:https://www.cnblogs.com/zpchcbd/p/11983827.html