常用命令行操作

Windows

0x00 文件目录操作

1.查找文件

cmd:

for /r 目录名 %变量名 in (匹配模式1,匹配模式2) do 命令
for /r d: %i in (*) do @echo %i
for /r d: %i in (*.txt,*.jpg) do @echo %i
for /r d: %i in (*shell.jsp) do @echo %i

2.查看文件内容

cmd:

type "D:\www\shell.jsp"

powershell:

Get-Content "D:\www\shell.jsp"

3.删除文件

cmd:

#删文件
del index.js
#删文件夹
rd app

powershell:

remove-item w.ps1 -Force -Recurse

4.查看目录

cmd:

#下载目录
dir C:\Users\%username%\Downloads
#桌面
dir C:\Users\%username%\Desktop
#微信
dir C:\Users\%username%\Documents\WeChat Files\wx*\FileStorage\File\
#磁盘盘符数
powershell -Command "[Environment]::GetLogicalDrives()"

0x01 注册表

1.常见注册表项

#启动项
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
#账户
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LimitBlankPasswordUse
#网口配置文件
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
#隐藏文件置0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
#网络连接历史
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

2.查看

cmd:

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LimitBlankPasswordUse

powershell:

$key=Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
$key``.CommonFilesDir

3.添加

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Keyname" /t REG_SZ /d "C:\Users\Administrator\Desktop\shell.exe" /f 

4.导出

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa AppBkUp.reg