If I call runas without the /savecred parameter using exec() in PHP (from a browser), the program writeTxt.exe doesn't produce any result. It seems that there's no mechanism for the browser to ask for the user's password for runas.
In the PHP interactive mode, once the user's password has been supplied for runas, the usage of /savecred will cause the program to be executed directly without asking for the password. Obviously, the PHP interactive mode is a different session from the browser's PHP. Since the browser doesn't have a mechanism to ask for the user's password for runas, /savecred is apparently useless for the browser session.
Regarding my comment about the IUSR permission for the system32 folder, I've tested it using this code:
<?php
// exec() returns the last line of the command's output; echo it so the browser shows it
echo exec("whoami"); // whoami.exe is in the system32 folder
?>
The browser will display IUSR. So IUSR has read & execute access to the system32 folder.
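
A diagnostic version of the test above, as an added example that is not part of the original post: it runs both commands through exec() under the web server's identity and keeps the exit code and stderr text that a bare exec() call discards, so a silent runas failure becomes visible. The helper name run_and_capture and the account EXAMPLE\someuser are assumptions (placeholders), not values from the post.

```php
<?php
// Added diagnostic example; not code from the original post.
// Runs a command the same way the post does (exec() under the web
// server's identity) but returns everything exec() normally hides.
function run_and_capture(string $cmd): array
{
    $lines = [];
    $exitCode = -1;
    // "2>&1" folds stderr into stdout so error text is captured too.
    exec($cmd . ' 2>&1', $lines, $exitCode);
    return ['cmd' => $cmd, 'exit' => $exitCode, 'output' => $lines];
}

$commands = [
    // Shows which account the web-server PHP process runs as.
    'whoami',
    // Placeholder account name (assumption); writeTxt.exe is the
    // program named in the post.
    'runas /user:EXAMPLE\\someuser "writeTxt.exe"',
];

// Plain text keeps command output from being interpreted as HTML.
header('Content-Type: text/plain');

foreach ($commands as $cmd) {
    $r = run_and_capture($cmd);
    printf("command  : %s\nexit code: %d\n", $r['cmd'], $r['exit']);
    foreach ($r['output'] as $line) {
        echo "  | $line\n";
    }
    echo "\n";
}
```

Loading the same script once in the browser and once from the PHP command line gives a side-by-side view of the two sessions the post contrasts.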