GitBook: [master] 3 pages and one asset modified

This commit is contained in:
CPol 2021-06-08 20:38:29 +00:00 committed by gitbook-bot
parent ad1992544c
commit c2b98f8fb4
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 66 additions and 7 deletions

Binary file not shown (new image asset, 73 KiB)


@ -2,9 +2,11 @@
## **LDAP**
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
**If you want to know what is LDAP access the following page:**
**Ports 389 y 636**
{% page-ref page="../pentesting/pentesting-ldap.md" %}
**LDAP Injection** is an attack used to **exploit** **web** based applications that construct **LDAP** **statements** based on **user** **input**. When an application **fails** to properly **sanitize** user input, it's possible to modify LDAP statements using a local proxy.
{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}
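Review bot: the added cross-reference line mixes Spanish into an English page: `**Ports 389 y 636**` should read `**Ports 389 and 636**`, and `If you want to know what is LDAP access the following page:` should read `If you want to know what LDAP is, check the following page:`. The reworded definition also keeps "it's possible to modify LDAP statements using a local proxy", which misattributes the cause: the statement becomes modifiable because unsanitized input is concatenated into the filter; an intercepting proxy is only the tool used to tamper with the request. Suggest "it's possible to modify the LDAP statement by injecting filter metacharacters (for example with an intercepting proxy)". Bolding every second word of that sentence (`**exploit** **web**`, `**LDAP** **statements**`) also hurts readability; bold the key terms only.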


@ -4,9 +4,9 @@
Extracted from: [https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
LDAP \(Lightweight Directory Access Protocol\) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" \(smaller amount of code\) version of Directory Access Protocol \(DAP\).
LDAP \(Lightweight Directory Access Protocol\) is a software protocol for enabling anyone to **locate** organizations, individuals, and other **resources** such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" \(smaller amount of code\) version of Directory Access Protocol \(DAP\).
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent \(DSA\). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
An LDAP directory can be **distributed** among many servers. Each server can have a **replicated** version of the total directory that is **synchronized** periodically. An LDAP server is called a Directory System Agent \(DSA\). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
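Review bot: the two changed paragraphs sit under "Extracted from: searchmobilecomputing.techtarget.com", so the new bold on `**locate**`, `**resources**`, `**distributed**`, `**replicated**` and `**synchronized**` is now presented as part of a verbatim quotation that did not carry it. Either drop the emphasis inside the extract or mark it as added (e.g. "emphasis added"). No content changes otherwise.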
@ -24,6 +24,44 @@ PORT STATE SERVICE REASON
636/tcp open tcpwrapped
```
### LDAP Data Interchange Format
LDIF \(LDAP Data Interchange Format\) defines the directory content as a set of records. It can also represent update requests \(Add, Modify, Delete, Rename\).
```bash
dn: dc=local
dc: local
objectClass: dcObject
dn: dc=moneycorp,dc=local
dc: moneycorp
objectClass: dcObject
objectClass: organization
dn ou=it,dc=moneycorp,dc=local
objectClass: organizationalUnit
ou: dev
dn: ou=marketing,dc=moneycorp,dc=local
objectClass: organizationalUnit
Ou: sales
dn: cn= ,ou= ,dc=moneycorp,dc=local
objectClass: personalData
cn:
sn:
gn:
uid:
ou:
mail: pepe@hacktricks.xyz
phone: 23627387495
```
* Lines 1-3 define the top level domain local
* Lines 5-8 define the first level domain moneycorp \(moneycorp.local\)
* Lines 10-16 define 2 organizational units: dev and sales
* Lines 18-26 create an object of the domain and assign attributes with values
## Basic Enumeration
### Manual
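Review bot: the added LDIF block would not load with `ldapadd` as written. `dn ou=it,dc=moneycorp,dc=local` is missing the colon after `dn`; the RDN values do not match the attributes in the entries (`ou=it` with `ou: dev`, `ou=marketing` with `Ou: sales`; the naming attribute value must be present in the entry, and attribute names should be written consistently as `ou`); the `dc=moneycorp` entry declares `objectClass: organization` but omits the mandatory `o` attribute; and `objectClass: personalData` is not defined in the standard core/inetorgperson schemas, while `phone` is not a standard attribute name. Using `inetOrgPerson` (which provides `cn`, `sn`, `givenName`/`gn`, `uid`, `mail`, `telephoneNumber`) and filling in the empty `cn=`/`ou=` placeholders would make it a working sample. The fence is tagged `bash` but contains LDIF, so tag it `ldif` or leave it untagged, and the bullet "Lines 10-16 define 2 organizational units: dev and sales" disagrees with the DNs shown (`ou=it`, `ou=marketing`) and with the line ranges, since the listing has no blank lines between records.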


@ -5,16 +5,35 @@
Main:
* **Web Services \(SOAP/XML\)**
* The documentation uses WSDL format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
* The documentation uses **WSDL** format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
* An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) \(WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)\) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add)
* For parsing these files and create example requests you and use the tool **SOAPUI** or the **WSDLer** Burp Suite Extension.
* **REST APIs \(JSON\)**
* The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) \(check the demo in the page\)
* For parsing these files and create example requests you an use the tool **Postman**
* \*\*\*\*[**GraphQL**](graphql.md)\*\*\*\*
## Tricks
### Public and private endpoints
### SOAP/XML
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-xml-external-entity.md), but usually **DTD Declarations** are **disallowed** in the input from the user.
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
![](../../.gitbook/assets/image%20%28535%29.png)
### Check Access
Usually some API endpoints are gong to need more privileges that others. Always try to access the more privileged endpoints from less privileged \(unauthorized\) accounts to see if it's possible.
### CORS
Always check the [**CORS**](../../pentesting-web/cors-bypass.md) configuration of the API, as if its allowing to end request with the credentials from the attacker domain, a lot of damage can be done via [**CSRF**](../../pentesting-web/csrf-cross-site-request-forgery.md) from authenticated victims.
### Patterns
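Review bot: the heading order under "## Tricks" looks shuffled: "Create a list with the public and private endpoints ..." belongs under "### Public and private endpoints" but appears after "### SOAP/XML", while the XXE paragraph (which is the SOAP/XML content) follows it; move "### SOAP/XML" to just before "These kind of APIs may be vulnerable to XXE". Typos in the added lines: "you and use" and "you an use" should be "you can use", "gong" should be "going", "more privileges that others" should be "than others", "unathorized" should be "unauthorized", "These kind of APIs" should be "These kinds of APIs", and "if its allowing to end request with the credentials from the attacker domain" should read "if it allows credentialed requests from an attacker-controlled origin". The escaped `\*\*\*\*[**GraphQL**](graphql.md)\*\*\*\*` is a GitBook export artifact and should be a plain `[**GraphQL**](graphql.md)` bullet. One caveat on the CORS line: a permissive `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true` lets the attacker's page read authenticated responses; classic CSRF (sending state-changing requests) works regardless of CORS, so the sentence should mention cross-origin reading of authenticated data rather than only CSRF.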