SoFunction
Updated on 2025-04-10

Batch processing API WMIC learning experience


As for aliases, they stand for computer-related objects such as the motherboard, services, the system, and processes; the full list can also be seen on the command line with /?.
The syntax of the WQL statement is almost exactly the same as the SQL we usually use during injection, and is even simpler. Generally it is where name="xxx" and so on, but sometimes name="xxx" has to be written as "name='xxx'" or where(name='xxx'). In short, if the usual form does not work, change the way it is written.

As for verbs, there are only a few simple ones: assoc, call, CREATE, DELETE, GET, LIST, and SET. From the English names you should be able to see what they are used for. To be honest, I have never used assoc yet.
As for adverbs (the parameters of verbs), they tell the verb which attributes of the object to act on. For example, an adverb belonging to the list verb says what to display, such as a detailed state or a brief state.
A verb switch controls things like displaying a horizontal table format, displaying a vertical table format, outputting a file in a given format, or repeating the display every few seconds. Some verbs have no switches.

2. Build up our wmic command line step by step
wmic has an alias, logicaldisk, for managing disks. Let's start with the simplest format: enter ●wmic logicaldisk list● (wmic + alias + list verb) on the cmd command line, wait a moment, and all kinds of data about the local hard disks appear on the screen, in a mess that is too inconvenient to read. Let's rewrite it as ●wmic logicaldisk list brief●. Adding the brief parameter after the list verb, that is, the brief adverb, makes the display neat, with the following effect:


DeviceID  DriveType  FreeSpace   ProviderName  Size        VolumeName
A:        2
C:        3          2925694976                6805409792  WINXP
D:        3          1117487104                1759936512  WORK
E:        5


You may have noticed that the command line above contains the verb list and the adverb brief. The list verb determines the format and range of the information displayed. It has several parameters (adverbs) such as Brief, Full, Instance, Status, System, Writeable, and so on. Full is just one of them, and it is also the default parameter of list, meaning that all information is displayed. As the names suggest, Brief displays only summary information, Instance displays only object instances, Status displays the object status, Writeable displays only the writeable attributes of the object, and so on.
Let's add something to the statement. In the disk information returned above, a DriveType value of 3 means a partition of the local hard disk, 5 is a CD-ROM drive, and 2 is a removable disk. Let's change the statement by adding a WQL clause so that only local disks are displayed: ●wmic logicaldisk where "DriveType=3" list brief● or ●wmic logicaldisk where(DriveType=3) list brief●. The display effect is as follows:

DeviceID  DriveType  FreeSpace   ProviderName  Size        VolumeName
C:        3          2925686784                6805409792  WINXP
D:        3          1117487104                1759936512  WORK

But we are still not satisfied with the format above. I don't know what ProviderName is, and we only want the columns we care about; we don't want things like the volume label VolumeName. Change the statement again, this time to the get verb: ●wmic logicaldisk where "DriveType=3" get DeviceID,Size,FreeSpace,Description,FileSystem●. The returned information is as follows:

Description       DeviceID  FileSystem  FreeSpace   Size
Local fixed disk  C:        FAT32       2925686784  6805409792
Local fixed disk  D:

As for the parameters that follow the get verb, you can use list to look them up. OK, this time we get the results we want. However, we have not used any switches in the command yet, so let's add a few global switches. First add /OUTPUT to send the displayed information to a file. The command is: ●wmic /output: logicaldisk where "DriveType=3" get DeviceID,Size,FreeSpace,Description,FileSystem●. The information that was just returned on the screen now ends up in a file in the current directory. But when you open it, it looks like plain Notepad text, without any style, and it is not pretty. To give it a style we need the format verb switch. Change the command to ●wmic /output: logicaldisk where "DriveType=3" get DeviceID,Size,FreeSpace,Description,FileSystem /format:htable●, and the information about our local disks is displayed as a colored HTML table. You may ask what htable is. It is actually a file: whatever format you want, you can find a file with that name in C:\WINDOWS\system32\wbem. The specific files are:

CSV
HFORM
HMOF
HTABLE
HXML
LIST
TABLE
VALUE
htable-sortby
texttablewsys
wmiclimofformat
wmiclitableformat
wmiclitableformatnosys
wmiclivalueformat



Someone may ask: I only want to display the C: disk, can I leave out the other disks? Of course; this needs the name property in the WQL statement. First use ●wmic logicaldisk list Instance● to see the exact value of name, then change the WQL statement above. Okay, let's change it to ●wmic /output: logicaldisk where "name='c:'" get DeviceID,Size,FreeSpace,Description,FileSystem /format:htable● or ●wmic /output: logicaldisk where(name='c:') get DeviceID,Size,FreeSpace,Description,FileSystem /format:htable●. It is worth noting that we did not use single quotes in DriveType=3 because 3 is numeric, while c: is a string, so it needs single or double quotes. Also note that if AND is used in the WQL statement, the statement should be wrapped in () or "".
In this way, our last statement basically conforms to the wmic command format mentioned at the beginning of the article: "wmic + switch + alias + WQL clause + verb + adverb (verb parameters) + verb switch". However, wmic can operate not only on the local machine but also on a remote machine. Let's add three global switches so that our command operates on a remote machine. The command is:

●WMIC /node:"192.168.8.100" /user:"administrator" /password:"lcx" /output: logicaldisk where "name='c:'" get DeviceID,Size,FreeSpace,Description,FileSystem /format:htable●

The node switch indicates which machine to access, and user and password are of course the user name and password on the remote machine. With the explanation of this command above, everyone should understand it at a glance. So far our verbs have only been get and list; let's add a set to change the label of the C: disk. The command is ●WMIC logicaldisk where "name='c:'" set VolumeName="lcx"●, so that everyone gets a further feel for the usage of this format. After so many words, you may want to ask me which wmic switch is the most useful. Of course it is "?". If a command cannot be worked out, use wmic /?, WMIC logicaldisk /?, WMIC logicaldisk list /?, WMIC logicaldisk set /?, and so on to look up the usage.
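Section 2 assembles a wmic command piece by piece and then points at the csv format file. The following Python script (an added example, not part of the original article) shows both ends of that pipeline offline: building the alias + where + get + /format part of the command with the quoting rules described above (numbers bare, strings in single quotes, the whole where clause handed over as one argument), and parsing the output of ●/format:csv● into usable records. The SAMPLE_CSV text is constructed by hand to mirror wmic's real csv output, including its leading blank line, its Node column and the extra carriage return wmic leaves at the end of every line; the disk numbers are the ones from the tables above, and the node name WINXP-PC is made up.

```python
import csv

# Constructed sample of what `wmic logicaldisk where "DriveType=3" get
# DeviceID,FreeSpace,Size,VolumeName /format:csv` prints. wmic emits a blank
# first line, a leading Node column, and ends each line with CR CR LF; all
# three quirks are reproduced here. (Host name WINXP-PC is invented.)
SAMPLE_CSV = (
    "\r\r\n"
    "Node,DeviceID,FreeSpace,Size,VolumeName\r\r\n"
    "WINXP-PC,C:,2925686784,6805409792,WINXP\r\r\n"
    "WINXP-PC,D:,1117487104,1759936512,WORK\r\r\n"
)


def wql_value(value):
    """Quote a WQL literal as the article describes: numbers stay bare
    (DriveType=3), strings go in single quotes (name='c:')."""
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def build_wmic_command(alias, conditions, properties, fmt=None):
    """Assemble the argv list for wmic: alias, where, get, optional /format.
    Several conditions are joined with AND inside ONE argument, which is
    what wrapping the clause in "" achieves on the cmd line."""
    where = " and ".join(f"{k}={wql_value(v)}" for k, v in conditions.items())
    argv = ["wmic", alias, "where", where, "get", ",".join(properties)]
    if fmt:
        argv.append(f"/format:{fmt}")
    return argv


def parse_wmic_csv(text):
    """Parse /format:csv output into a list of dicts, dropping the leading
    blank line and the stray CR that wmic leaves on every line."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def free_percent(rows):
    """Return {DeviceID: free space in percent} for rows that carry a size,
    so a script can flag local disks that are nearly full."""
    result = {}
    for row in rows:
        size = int(row["Size"]) if row["Size"] else 0
        free = int(row["FreeSpace"]) if row["FreeSpace"] else 0
        if size:
            result[row["DeviceID"]] = round(100.0 * free / size, 1)
    return result
```

To run it against a live machine, pass the list from build_wmic_command to subprocess.run with capture_output=True and feed the decoded stdout to parse_wmic_csv.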

3. Summary
wmic is very powerful. Enabling 3389 on Windows 2003, for example, takes a single line: ●wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1●. But this article probably leaves readers feeling cheated: so many words spent on a wmic disk command, and no specific sneaky tricks in sight. However, I think that with the basics from this article, if you study other aliases such as process, service, bios and baseboard, you will have an entry point. Specific useful techniques such as opening 3389 are left for everyone to study and discover.