Windows
0x00 文件目录操作
1.查找文件
cmd:
for /r 目录名 %变量名 in (匹配模式1,匹配模式2) do 命令
for /r d: %i in (*) do @echo %i
for /r d: %i in (*.txt,*.jpg) do @echo %i
for /r d: %i in (*shell.jsp) do @echo %i
2.查看文件内容
cmd:
type "D:\www\shell.jsp"
powershell:
Get-Content "D:\www\shell.jsp"
3.删除文件
cmd:
#删文件
del index.js
#删文件夹
rd app
powershell:
remove-item w.ps1 -Force -Recurse
4.查看目录
cmd:
#下载目录
dir C:\Users\%username%\Downloads
#桌面
dir C:\Users\%username%\Desktop
#微信
dir C:\Users\%username%\Documents\WeChat Files\wx*\FileStorage\File\
#磁盘盘符数
powershell -Command "[Environment]::GetLogicalDrives()"
0x01 注册表
1.常见注册表项
#启动项
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
#账户
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LimitBlankPasswordUse
#网口配置文件
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
#隐藏文件置0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
#网络连接历史
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
2.查看
cmd:
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LimitBlankPasswordUse
powershell:
$key=Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
$key``.CommonFilesDir
3.添加
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Keyname" /t REG_SZ /d "C:\Users\Administrator\Desktop\shell.exe" /f
4.导出
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa AppBkUp.reg