||SQL Server Tips by Gama and Naughter
with MSDOS commands
Script injection is not restricted
to SQL, JScript or VBScript, MSDOS commands can be injected in a
string that is passed to a shell and execute with the current
The system XP xp_cmdshell is very
dangerous and most users should have no privileges to use it at all.
Even indirect use can be dangerous as the next example will prove.
CREATE PROCEDURE txtFileLog @data
--Log with the ECHO command
DECLARE @contents varchar(2033)
SET @contents='ECHO '+@data+'>>\log.txt'
This will work fine when there are
no spaces, tabs, >, <, | or & symbols.
EXEC txtFileLog 'line1'
Will add one line with the string
line1. One way of storing spaces and all the other characters is to
place double quotes around the input string. The line stored in the
file will also have the double quotes though. This is not the best
way to save text to a file but it is used widely.
The number 2033 is 2048-15, 15 is
the number of characters of 'ECHO ' and '>>\log.txt'
2048 is the maximum length of a
line in Windows Command prompt (or 8192 on Windows XP or later),
otherwise the error "The input line is too long." is generated.
To execute any DOS command is a
matter of placing it between two ampersands and a REM keyword at the
end, to ignore the rest of the string:
EXEC txtFileLog 'abc&dir>\test.txt&rem
The ampersands separate commands
in MSDOS so that more than one command can run in one line of text.
This example will create a file name test.txt in the root but more
malevolent code could be there. For example, adding a new user:
net user hacker hpassword /add
The above book excerpt is from:
Turbocharge Database Performance with C++ External Procedures
Joseph Gama, P. J. Naughter