mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [master] 3 pages and one asset modified
This commit is contained in:
parent
ad1992544c
commit
c2b98f8fb4
4 changed files with 66 additions and 7 deletions
BIN
.gitbook/assets/image (535).png
Normal file
BIN
.gitbook/assets/image (535).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 73 KiB |
|
@ -2,9 +2,11 @@
|
|||
|
||||
## **LDAP**
|
||||
|
||||
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
|
||||
**If you want to know what is LDAP access the following page:**
|
||||
|
||||
**Ports 389 y 636**
|
||||
{% page-ref page="../pentesting/pentesting-ldap.md" %}
|
||||
|
||||
**LDAP Injection** is an attack used to **exploit** **web** based applications that construct **LDAP** **statements** based on **user** **input**. When an application **fails** to properly **sanitize** user input, it's possible to modify LDAP statements using a local proxy.
|
||||
|
||||
{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}
|
||||
|
||||
|
|
|
@ -4,9 +4,9 @@
|
|||
|
||||
Extracted from: [https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
|
||||
|
||||
LDAP \(Lightweight Directory Access Protocol\) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" \(smaller amount of code\) version of Directory Access Protocol \(DAP\).
|
||||
LDAP \(Lightweight Directory Access Protocol\) is a software protocol for enabling anyone to **locate** organizations, individuals, and other **resources** such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" \(smaller amount of code\) version of Directory Access Protocol \(DAP\).
|
||||
|
||||
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent \(DSA\). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
|
||||
An LDAP directory can be **distributed** among many servers. Each server can have a **replicated** version of the total directory that is **synchronized** periodically. An LDAP server is called a Directory System Agent \(DSA\). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
|
||||
|
||||
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
|
||||
|
||||
|
@ -24,6 +24,44 @@ PORT STATE SERVICE REASON
|
|||
636/tcp open tcpwrapped
|
||||
```
|
||||
|
||||
### LDAP Data Interchange Format
|
||||
|
||||
LDIF \(LDAP Data Interchange Format\) defines the directory content as a set of records. It can also represent update requests \(Add, Modify, Delete, Rename\).
|
||||
|
||||
```bash
|
||||
dn: dc=local
|
||||
dc: local
|
||||
objectClass: dcObject
|
||||
|
||||
dn: dc=moneycorp,dc=local
|
||||
dc: moneycorp
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
|
||||
dn ou=it,dc=moneycorp,dc=local
|
||||
objectClass: organizationalUnit
|
||||
ou: dev
|
||||
|
||||
dn: ou=marketing,dc=moneycorp,dc=local
|
||||
objectClass: organizationalUnit
|
||||
Ou: sales
|
||||
|
||||
dn: cn= ,ou= ,dc=moneycorp,dc=local
|
||||
objectClass: personalData
|
||||
cn:
|
||||
sn:
|
||||
gn:
|
||||
uid:
|
||||
ou:
|
||||
mail: pepe@hacktricks.xyz
|
||||
phone: 23627387495
|
||||
```
|
||||
|
||||
* Lines 1-3 define the top level domain local
|
||||
* Lines 5-8 define the first level domain moneycorp \(moneycorp.local\)
|
||||
* Lines 10-16 define 2 organizational units: dev and sales
|
||||
* Lines 18-26 create an object of the domain and assign attributes with values
|
||||
|
||||
## Basic Enumeration
|
||||
|
||||
### Manual
|
||||
|
|
|
@ -5,16 +5,35 @@
|
|||
Main:
|
||||
|
||||
* **Web Services \(SOAP/XML\)**
|
||||
* The documentation uses WSDL format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
|
||||
|
||||
* The documentation uses **WSDL** format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
|
||||
* An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) \(WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)\) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add)
|
||||
* For parsing these files and create example requests you and use the tool **SOAPUI** or the **WSDLer** Burp Suite Extension.
|
||||
|
||||
|
||||
|
||||
* **REST APIs \(JSON\)**
|
||||
* The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) \(check the demo in the page\)
|
||||
* For parsing these files and create example requests you an use the tool **Postman**
|
||||
* \*\*\*\*[**GraphQL**](graphql.md)\*\*\*\*
|
||||
|
||||
## Tricks
|
||||
|
||||
### Public and private endpoints
|
||||
### SOAP/XML
|
||||
|
||||
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
|
||||
These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-xml-external-entity.md), but usually **DTD Declarations** are **disallowed** in the input from the user.
|
||||
|
||||
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
|
||||
|
||||
![](../../.gitbook/assets/image%20%28535%29.png)
|
||||
|
||||
### Check Access
|
||||
|
||||
Usually some API endpoints are gong to need more privileges that others. Always try to access the more privileged endpoints from less privileged \(unauthorized\) accounts to see if it's possible.
|
||||
|
||||
### CORS
|
||||
|
||||
Always check the [**CORS**](../../pentesting-web/cors-bypass.md) configuration of the API, as if its allowing to end request with the credentials from the attacker domain, a lot of damage can be done via [**CSRF**](../../pentesting-web/csrf-cross-site-request-forgery.md) from authenticated victims.
|
||||
|
||||
### Patterns
|
||||
|
||||
|
|
Loading…
Reference in a new issue