使用python利用xp_cmdshell批量执行系统命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#coding=utf-8
import pymssql
import sys
from threading import *

def connect(ip,username="sa",password="123456",database="MyDB"):
    conn = pymssql.connect(ip,username,password,autocommit=True,timeout=2)
    cursor = conn.cursor()
    query = "sp_configure 'show advanced options',1;"
    cursor.execute(query)
    conn.commit()

    cursor = conn.cursor()
    query = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
    cursor.execute(query)
    conn.commit()
    
    cursor = conn.cursor()
    query = "sp_configure 'xp_cmdshell',1;"
    cursor.execute(query)
    conn.commit()

    #cursor = conn.cursor()
    #query = "exec master.dbo.xp_cmdshell 'msg 1 "请看你的桌面上有数据库的答案"';"
    #cursor.execute(query)
    #conn.commit()

    #cursor = conn.cursor()
    #query = b"exec master.dbo.xp_cmdshell 'xcopy /s /y  "\\192.168.19.149\share\result.doc" "C:\User\Lenovo\Desktop\result.doc" /F'"
    #print(query)
    #cursor.execute(query)
    #conn.commit()

    cursor = conn.cursor()
    query = "exec master.dbo.xp_cmdshell 'shutdown -a'"
    cursor.execute(query)
    conn.commit()
    
    row = cursor.fetchall()
    print(row)
    cursor.close()
    conn.close()

for i in range(101,200):
    ip = "192.168.19."+str(i)
    th = Thread(target=connect,args=(ip,))
    #connect(ip)
    th.start()