使用 Powershell -encodedcommand 传递参数

Posted 2023-03-07

【中文标题】使用 Powershell -encodedcommand 传递参数

【英文标题】：Using Powershell -encodedcommand to pass parameters

【发布时间】：2011-09-11 20:43:09

【问题描述】：

我正在尝试找到一种将参数传递给 powershell 脚本的优雅方法，其中字符串可以包含任意数量的需要转义的特殊字符。例如，带有特殊字符的复杂密码。

我正在查看 -encodedcommand 选项，但似乎这只是为了传递编码的脚本块，而不是参数的编码版本。

例如，考虑以下脚本：

param(
[Parameter()][Alias("un")][string]$Username,
[Parameter()][Alias("pw")][string]$Password
)

Write-Host "Username: $Username"
Write-Host "Password: $Password"

字符串'-un testuser -pw testpw'是base64编码如下： LQB1AG4AIAB0AGUAcwB0AHUAcwBlAHIAIAAtAHAAdwAgAHQAZQBzAHQAcAB3AA==

我尝试将脚本作为 .ps1 文件调用并使用上述字符串传递 -encodedcommand，但得到错误“找不到与参数名称“编码命令”匹配的参数

所以，很好，这必须是直接调用 powershell.exe。

还尝试了以下方法： powershell.exe -encodedcommand LQB1AG4AIAB0AGUAcwB0AHUAcwBlAHIAIAAtAHAAdwAgAHQAZQBzAHQAcAB3AA== -file Base64ParamTest.ps1

这运行了脚本，但参数没有值。

这符合我的预期，但不是我希望的那样。有没有办法将我的参数本身作为安全编码的字符串实际传递？

【问题讨论】：

我的 B 计划是仅对密码值本身进行 Base64 编码，而不是对整个参数字符串进行编码，然后在脚本中对其进行解码。很简单，但想知道我是否错过了一种更简单的自动完成方法

【参考方案1】：

您必须将脚本调用作为命令的一部分，例如：

PS> $command = "& '$pwd\login.ps1' -un testuser -pw testpw"
PS> $bytes = [Text.Encoding]::Unicode.GetBytes($command)
PS> $encodedCommand = [Convert]::ToBase64String($bytes)
PS> powershell.exe -noprofile -encodedCommand $encodedCommand
Username: testuser
Password: testpw

以下是我过去就如何处理脚本中的密码所做的一些笔记：

###########################################################
#
# Stashing passwords to avoid interactive password prompting
#

# NOT RECOMMENDED BUT IF PASSWORD IS DYNAMIC OR WIDELY KNOWN

$passwd = ConvertTo-SecureString "Not Very Secret Password" -AsPlainText -Force

# Need a way to prompt for password and use clear text password for use with net use
$cred = Get-Credential
$cred.GetNetworkCredential().UserName 
$cred.GetNetworkCredential().Password

#
# SAFE BUT NOT NECESSARILY PORTABLE APPROACH 
# Depends on how DPAPI works with roaming profiles
#

# Capture once and store to file
$passwd = Read-Host "Enter password" -AsSecureString
$encpwd = ConvertFrom-SecureString $passwd
$encpwd
$encpwd > $path\password.bin

# Later pull this in and restore to a secure string
$encpwd = Get-Content $path\password.bin
$passwd = ConvertTo-SecureString $encpwd

# Let's see if the rehydrate worked?
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd)
$str =  [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$str

$cred = new-object System.Management.Automation.PSCredential 'john',$passwd
$cred

# NOTE: The "secret" required to rehyrdate correctly is stored in DPAPI - consequence:
#       You can only rehydrate on the same machine that did the ConvertFrom-SecureString


#
# PORTABLE BUT NOT NECESSARILY SAFE APPROACH
#

# Let's do this so that it will work on multiple machines:

$key = 1..32 | ForEach-Object  Get-Random -Maximum 256 
$passwd = Read-Host "Enter password" -AsSecureString
$encpwd = ConvertFrom-SecureString $passwd -Key $key
$encpwd
# Could easily modify this to store username also
$record = new-object psobject -Property @Key = $key; EncryptedPassword = $encpwd
$record
$record | Export-Clixml $path\portablePassword.bin

# Later pull this in and restore to a secure string
$record = Import-Clixml $path\portablePassword.bin
$passwd = ConvertTo-SecureString $record.EncryptedPassword -Key $record.Key

# Let's see if the rehydrate worked?
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd)
$str =  [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$str

$cred = new-object System.Management.Automation.PSCredential 'john',$passwd
$cred

Start-Process powershell.exe -Credential $cred -NoNewWindow

# Portable is better BUT the secret (Key) is shared (stored with the password file)
# Can be reversed to original password - still much better than clear-text password
# stored in your script.

【讨论】：

啊，包括编码字符串中的脚本。简单的解决方案，但我在任何地方都没有看到任何例子。非常感谢！