这是批处理文件注射? [英] Is this batch file injection?
问题描述
C:\>batinjection OFF ^& DEL c.c
batinjection.bat具有 ECHO%*的内容
我听说过SQL注入的,虽然我从来没有做过真正的,但是这是注射?有不同类型的注射,这是其中之一吗?
I've heard of SQL injection, though i've never actually done it, but is this injection? Are there different types of injection and this is one of them?
还是有此另一个技术术语?或者更具体的词?
Or is there another technical term for this? or a more specific term?
注意 - 事先编辑了 C:\\> batinjection OFF&安培; DEL C.C (即无^%)和 ECHO%1 (即无*%),这是不完全正确。我已经改正了。它不会影响的答案。
Note- a prior edit had C:\>batinjection OFF & DEL c.c(i.e. without ^%) and ECHO %1(i.e. without %*) which wasn't quite right. I have corrected it. It doesn't affect the answers.
推荐答案
是的,这是一个类型的注入,而且它是用批处理文件的一个大问题,这主要是它不是一个故意阿塔克,大部分时间你简单的得到一些字符或单词如麻烦关闭。
Yes, it's a type of injection, and it's one of the big problems with batch files, that mostly it isn't a purposefully attac, most of the time you simple get trouble with some characters or word like OFF.
因此,你应该使用的工艺来避免这种问题/ vulnerabilitys。
Therefore you should use technics to avoid this problems/vulnerabilitys.
在你的情况,你可以在你的批处理文件,更改为
In your case you could change your batch file to
set "param1=%*"
setlocal EnableDelayedExpansion
echo(!param1!
我用回声(在这里,而不是回声。或别的东西,因为它是唯一已知的安全的回声所有追加的内容。
I use echo( here instead of echo. or something else, as it is the only known secure echo for all appended contents.
我使用延迟扩展!而不是扩大%,因为推迟扩张总是针对任何特殊字符的安全。
I use the delayed expansion ! instead of percent expansion, as delayed expansion is always safe against any special characters.
要使用延迟扩展需要将参数传输到一个变量,一个好办法就是周围使用set命令报价,它避免特殊字符,许多问题(但不是全部)。
To use the delayed expansion you need to transfer the parameter into a variable and a good way is to use quotes around the set command, it avoid many problems with special characters (but not all).
但要建立访问批处理参数是绝对的安全的方式,手法也相当困难。结果
尽量让这个安全是棘手的结果 myBatch.bat ^&安培;&放大器;
But to build an absolutly secure way to access batch parameters, the way is quite harder.
Try to make this safe is tricky
myBatch.bat ^&"&"
您可以阅读<一href=\"http://stackoverflow.com/questions/4200316/how-to-receive-even-the-strangest-command-line-parameters\">SO:如何接收,即使最奇怪的命令行参数?
主要的想法是使用 REM 语句的输出,而 ECHO ON 。结果
这是在路上的安全,你不能注入code(或更好:只有真正先进的知识),但原来的内容是可以改变的,如果你的内容是一样的东西。
The main idea is to use the output of a REM statement while ECHO ON.
This is safe in the way, that you can't inject code (or better: only with really advanced knowledge), but the original content can be changed, if your content is something like.
myBatch.bat为myContent ^&安培;&放大器;%A
将改为为myContent&安培;&放大器;4
这篇关于这是批处理文件注射?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
