SA permission. Executing cmd with xp_cmdshell returned a message indicating that the command line had been disabled.
Then I tried other stored procedures, such as OA, job, sandbox, and so on. I still couldn't execute the command, so I was at a loss.
I tried the sp_makewebtask stored procedure, and that did let me export a webshell.
I went in to see what was going on.
While running SQL commands, I suddenly remembered that the four stored procedures Pangolin uses to execute commands all call cmd.
Cmd is disabled, so of course that is a dead end.
I passed in a cmd command and tried again. The command could not be executed.
I tried to escalate privileges with another big weapon, but with cmd disabled that was a dead end too.
After digging through system32, I found that command.com can also execute commands. It is basically similar to cmd, though I am not sure whether it counts as a command prompt.
I tried it on my local machine: with cmd disabled, command.com still ran normally. Haha.
I used command.com to call the sandbox:
Select * from openrowset('Microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias.mdb','select shell("command.com /c net1 user roge$ /add")')
Net user.
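
From the defender's side, the post shows that disabling cmd alone left command.com usable, so detection should key on the SQL Server service spawning any interpreter and on Jet OPENROWSET queries that call shell(). The following is an added example, not part of the original post; the event field names, paths and sample statements are constructed assumptions.

```python
import ntpath
import re

# Blocking cmd.exe alone is not enough: command.com is a separate binary, and
# as a 16-bit program it runs inside ntvdm.exe on 32-bit Windows.
INTERPRETERS = ("cmd.exe", "command.com", "ntvdm.exe")
SQL_SERVER = "sqlservr.exe"

def suspicious_process(event):
    """True when the SQL Server service is the parent of an interpreter."""
    if ntpath.basename(event["parent_image"]).lower() != SQL_SERVER:
        return False
    image = ntpath.basename(event["image"]).lower()
    cmdline = event["command_line"].lower()
    return image in INTERPRETERS or any(i in cmdline for i in INTERPRETERS)

def suspicious_sql(statement):
    """True for OPENROWSET via a Jet provider whose query calls shell()."""
    flat = re.sub(r"\s+", "", statement.lower())  # tolerate odd spacing
    return re.search(r"openrowset\(.*jet\.oledb.*shell\(", flat) is not None

def flagged_events(events):
    """Indexes of the events that suspicious_process() flags."""
    return [i for i, e in enumerate(events) if suspicious_process(e)]

# Constructed samples; field names and paths are assumptions, not a real schema.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
EVENTS = [
    {"parent_image": SQLSERVR, "image": r"C:\WINDOWS\system32\command.com",
     "command_line": "command.com /c ver"},
    {"parent_image": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe", "command_line": "cmd.exe"},
    {"parent_image": SQLSERVR, "image": r"C:\tools\backup.exe",
     "command_line": "backup.exe --full"},
]
SQL_SAMPLES = [
    r"""SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
        ';database=C:\data\example.mdb', 'select shell("command.com /c ver")')""",
    "SELECT * FROM OPENROWSET('SQLNCLI', 'Server=reports;Trusted_Connection=yes',"
    " 'SELECT name FROM sys.tables')",
]

if __name__ == "__main__":
    print("flagged process events:", flagged_events(EVENTS))
    print("flagged SQL:", [suspicious_sql(s) for s in SQL_SAMPLES])
```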