[英]excaping characters to run xp_cmdshell
I know that I need to escape the @cmd var to run: 我知道我需要转义@cmd var才能运行:
declare @cmd 'xp_cmdshell ''echo Mary|Warrior > c:\test.txt'''
exec (@cmd)
because the character '|' 因为字符“ |” would fail when running the command.
运行命令时将失败。
So, previous running I set: 因此,我之前设置的运行:
set @cmd = replace(@cmd, '|', '^|')
As @cmd var could be any string (sent by users)... What other characters do I need to worry about ? 由于@cmd var可以是任何字符串(由用户发送)...我还需要担心什么其他字符?
(I know a couple of them such as >, <) (我知道其中的几个,例如>,<)
You can try using this query, As sean mentioned it is potential sql injection 您可以尝试使用此查询,正如肖恩(Sean)所说的,这是潜在的SQL注入
declare @cmd nvarchar(500) = N'echo ''Mary|Warrior'' > c:\test.txt'
exec master.sys.xp_cmdshell @cmd
Use ^
to escape the special character. 使用
^
转义特殊字符。
declare @cmd varchar(max) = N'echo Mary^|Warrior > C:\test1.txt'
exec master.sys.xp_cmdshell @cmd
OR 要么
declare @cmd1 varchar(max) = N'xp_cmdshell ''echo Mary^|Warrior > C:\test11.txt'''
exec (@cmd1)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.