Method 1: runas
runas /user:a calc.exe
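Then enter the password: user a's password
calc.exe then runs with user a's privileges
Drawback: this is normally done from a webshell, which is usually only semi-interactive, whereas runas needs an interactive session to work
Workaround: the built-in VBS scripting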
set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run "runas /user:domainuser command" 'Open command prompt
WScript.Sleep 1000
WshShell.SendKeys "password" 'send password
WshShell.SendKeys "{ENTER}"
WScript.Sleep 1000
Workaround: the third-party tool sanur
runas /user:domainuser notepad.exe | sanur password
Method 2: lsrunas
lsrunas /user:administrator /password:123456 /domain: /command:notepad.exe /runpath:c:
**Method 3: cpau**
cpau -u administrator -p password -ex notepad
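lsrunas, cpau and sanur all take the password as a command-line argument, so it is recorded wherever process command lines are logged. The following is an added detection example, not part of the original note: it flags those command lines and redacts the secret. The event fields (`parent`, `cmdline`) and the list of non-interactive parent processes are assumptions, and the sample events are constructed from the commands on this page.

```python
import re

# Rules for the tools on this page that take the password as an argument.
# Group 1 of each pattern is the secret, so it can be redacted in the alert.
RULES = [
    ("lsrunas-password", re.compile(r'\blsrunas(?:\.exe)?\b.*?/password:(\S+)', re.I)),
    ("cpau-password", re.compile(r'\bcpau(?:\.exe)?\b.*?\s-p\s+(\S+)', re.I)),
    ("sanur-password", re.compile(r'\bsanur(?:\.exe)?\s+([^\s"]+)', re.I)),
]
RUNAS = re.compile(r'\brunas(?:\.exe)?\s', re.I)

# Assumption: parents that never present a user with an interactive prompt.
NON_INTERACTIVE_PARENTS = {"wscript.exe", "cscript.exe", "w3wp.exe", "httpd.exe"}

def scan(events):
    """Return (rule name, redacted command line) for each suspicious event."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        for name, rx in RULES:
            m = rx.search(cmd)
            if m:
                redacted = cmd[:m.start(1)] + "<redacted>" + cmd[m.end(1):]
                findings.append((name, redacted))
                break
        else:
            # Plain runas carries no secret, but a script host or web worker
            # as parent means the password prompt is being fed by a program.
            if RUNAS.search(cmd) and ev["parent"].lower() in NON_INTERACTIVE_PARENTS:
                findings.append(("runas-noninteractive-parent", cmd))
    return findings

# Constructed sample process-creation events (not real log data).
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "cmdline": "lsrunas /user:administrator /password:123456 "
                                     "/domain: /command:notepad.exe /runpath:c:"},
    {"parent": "cmd.exe", "cmdline": "cpau -u administrator -p password -ex notepad"},
    {"parent": "w3wp.exe",
     "cmdline": 'cmd.exe /c "runas /user:domainuser notepad.exe | sanur password"'},
    {"parent": "wscript.exe", "cmdline": "runas /user:domainuser command"},
    {"parent": "explorer.exe", "cmdline": "runas /user:a calc.exe"},
]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The last sample event, an interactive runas started from explorer.exe, is deliberately not flagged.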