忽略字符以运行xp_cmdshell
[英]excaping characters to run xp_cmdshell
问题描述
I know that I need to escape the @cmd var to run: 
我知道我需要转义@cmd var才能运行:
declare @cmd 'xp_cmdshell ''echo Mary|Warrior > c:\test.txt'''
exec (@cmd)
because the character '|' 因为字符“ |” would fail when running the command. 运行命令时将失败。
So, previous running I set: 因此,我之前设置的运行:
set @cmd = replace(@cmd, '|', '^|')
As @cmd var could be any string (sent by users)... What other characters do I need to worry about ? 由于@cmd var可以是任何字符串(由用户发送)...我还需要担心什么其他字符?
(I know a couple of them such as >, <) (我知道其中的几个,例如>,<)
2 个解决方案
解决方案1
0 2016-09-23 18:53:54
You can try using this query, As sean mentioned it is potential sql injection 您可以尝试使用此查询,正如肖恩(Sean)所说的,这是潜在的SQL注入
declare @cmd nvarchar(500) = N'echo ''Mary|Warrior'' > c:\test.txt'
exec master.sys.xp_cmdshell @cmd
解决方案2
0 2016-09-23 19:05:17
Use ^ to escape the special character. 使用^转义特殊字符。
declare @cmd varchar(max) = N'echo Mary^|Warrior > C:\test1.txt'
exec master.sys.xp_cmdshell @cmd
OR 要么
declare @cmd1 varchar(max) = N'xp_cmdshell ''echo Mary^|Warrior > C:\test11.txt'''
exec (@cmd1)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
xp_cmdshell的问题 - Issue with xp_cmdshell
xp_cmdshell bat文件实际上并未运行 - xp_cmdshell bat file doesn't actually run
使用xp_cmdshell从存储过程运行时出现问题 - Issues while using xp_cmdshell to run from stored procedure
SQL Server sqlcmd,使用xp_cmdshell运行while循环 - SQL Server sqlcmd with a while loop being run with xp_cmdshell
如何从xp_cmdshell运行的命令引发异常? - How to raise exception from command run by xp_cmdshell?
xp_cmdshell命令作为作业运行时未执行最后一条命令 - xp_cmdshell command not executing last command when run as job
SQL 服务器如何停止从 xp_cmdshell 运行的进程 - SQL server how stop process run from xp_cmdshell
SQL Server xp_cmdshell - SQL Server xp_cmdshell
xp_cmdshell的SSIS错误 - SSIS error with xp_cmdshell
使用xp_cmdshell的任务列表 - Tasklist using xp_cmdshell
相关标签