  SQL Server Tips by Gama and Naughter

Script injection with MSDOS commands

Script injection is not restricted to SQL, JScript or VBScript. MSDOS commands can be injected into a string that is passed to a shell, and they execute with the privileges of the account running that shell; for xp_cmdshell that is the SQL Server service account when the caller is a sysadmin.
The extended stored procedure xp_cmdshell is very dangerous, and most users should have no right to execute it at all. Even indirect use, through a stored procedure that calls it on the caller's behalf, is dangerous, as the next example shows.

CREATE PROCEDURE txtFileLog @data varchar(50)
AS
-- Log with the ECHO command: @data is pasted straight into a cmd.exe command line
DECLARE @contents varchar(2033)
SET @contents='ECHO '+@data+'>>\log.txt'
EXEC master..xp_cmdshell @contents, no_output

This works as intended only when the input contains no spaces or tabs and none of the characters >, <, | and &, which cmd.exe interprets as redirections and command separators.
For example:

EXEC txtFileLog 'line1'

Will add one line containing the string line1. One way of storing spaces and the other characters is to wrap the input string in double quotes, but the quotes then end up in the file as well. This is not the best way to write text to a file, but it is widely used.

The number 2033 is 2048 minus 15, the combined length of 'ECHO ' (5 characters) and '>>\log.txt' (10 characters).

2048 is the maximum length of a command line in the Windows command prompt (8192 on Windows XP and later); a longer line produces the error "The input line is too long." Microsoft documents the limits as 2047 characters on Windows 2000 and 8191 on Windows XP and later, one less than the figures used here.

Executing an arbitrary DOS command is then a matter of placing it between two ampersands and following it with the REM keyword, which makes cmd.exe ignore the rest of the line:

EXEC txtFileLog 'abc&dir>\test.txt&rem '

The ampersand separates commands in MSDOS, so several commands can run from one line of text. This example merely creates a file named test.txt in the root of the drive, but the payload could be anything that fits in the 50-character parameter, for example adding a new local user:

net user hacker hpassword /add
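The following T-SQL is an added example and is not part of the book excerpt. It audits who can reach xp_cmdshell, drives the injection from the text against two replacements for txtFileLog, and shows that neither lets the payload reach cmd.exe: one logs to a table and never builds a command line, the other (for the case where a shell really is required) rejects anything outside an allowlist of characters. The names AppLog, txtFileLog_table and txtFileLog_checked are invented here, and the script assumes SQL Server 2005 or later for sp_configure 'xp_cmdshell' and the catalog views.

```sql
-- Added example, not from the book. Assumes SQL Server 2005+; object names are made up.

-- 1. Audit first: is xp_cmdshell enabled, and which principals in master may execute it?
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';            -- run_value = 1 means enabled

SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   master.sys.database_permissions AS pe
JOIN   master.sys.objects              AS o  ON o.object_id   = pe.major_id
JOIN   master.sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE  o.name = 'xp_cmdshell';
GO

-- 2. Preferred fix: log to a table, so the input is data and never a command line.
CREATE TABLE dbo.AppLog (
    id     int IDENTITY(1,1) PRIMARY KEY,
    logged datetime NOT NULL DEFAULT GETDATE(),
    data   varchar(50) NOT NULL
);
GO
CREATE PROCEDURE dbo.txtFileLog_table @data varchar(50)
AS
    SET NOCOUNT ON;
    INSERT INTO dbo.AppLog (data) VALUES (@data);   -- '&', '>' and '|' are just bytes here
GO

-- 3. If a shell is unavoidable: allow only letters, digits, space, dot and underscore,
--    compared under a binary collation so the ranges mean code points, not collation order.
--    Everything cmd.exe treats specially (& | < > ^ " % CR LF) is therefore refused.
CREATE PROCEDURE dbo.txtFileLog_checked @data varchar(50)
AS
    SET NOCOUNT ON;
    IF @data IS NULL
       OR @data COLLATE Latin1_General_BIN LIKE '%[^A-Za-z0-9 ._]%'
    BEGIN
        RAISERROR('txtFileLog_checked: @data contains characters that are not allowed', 16, 1);
        RETURN 1;
    END;
    DECLARE @contents varchar(2033);
    SET @contents = 'ECHO ' + @data + '>>\log.txt';
    EXEC master..xp_cmdshell @contents, no_output;
    RETURN 0;
GO

-- 4. Exercise both with the payload from the text. xp_cmdshell is enabled only for the test.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC dbo.txtFileLog_table   'abc&dir>\test.txt&rem ';   -- stored verbatim, nothing executes
EXEC dbo.txtFileLog_checked 'abc&dir>\test.txt&rem ';   -- rejected: error 50000, no shell call
EXEC dbo.txtFileLog_checked 'line1';                     -- accepted: appends line1 to \log.txt
SELECT id, logged, data FROM dbo.AppLog;                 -- the raw payload sits in one row

-- 5. Turn the feature back off. A caller that genuinely needs it should be granted EXECUTE
--    on xp_cmdshell explicitly, never reach it through a procedure that concatenates input.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

The allowlist in step 3 is deliberately narrow; if the log needs more characters, widen it one class at a time and keep the binary collation, because under a case-insensitive Windows collation a range like [A-Z] can also match accented letters. The table logger in step 2 is the version to keep: it removes the shell from the design instead of trying to filter its syntax.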

The above book excerpt is from:

Super SQL Server Systems: Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter


Copyright 1996 -  2013 by Vaaltech Web Services. All rights reserved.