How to do the shooting range practice of bee-box LDAP injection

2025-10-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many inexperienced people are at a loss when it comes to bee-box LDAP injection range exercises. This article summarizes the cause of the problem and its solution; I hope it helps you work through it.

If the essence of SQL injection is string concatenation, then the essence of everything injectable is string concatenation, and LDAP injection is no exception. More precisely, LDAP injection concatenates parentheses (SQL injection also concatenates parentheses, but it is more customary to say that it concatenates strings).

The environment configuration chapter already covers the bee-box LDAP setup in detail. This range practice chapter focuses on the PHP-to-LDAP connection process, the special functions used along the way, and some tricks of parenthesis splicing.

Let's first walk through the login flow of the LDAP range in bWAPP:

First of all, this is an LDAP login page; its URL is http://192.168.3.184/bWAPP/ldap_connect.php. Look directly at what is written in this PHP file.

Detailed explanation of PHP's LDAP connection functions

Starting at line 133 of ldap_connect.php, five variables are declared: $message, $login, $password, $server and $dn.

The first of these is the message (initially empty), the second is the username used to log into the LDAP server, the third is the password, the fourth is the server address, and the fifth is a distinguished name (DN), which describes a complete LDAP path.

The first if statement clears the LDAP login form, and the second checks whether these five variables are null; both are trivial. The focus is the else branch that follows, which contains several nested if/else statements; let's go through them one by one.

Before the first if, three functions are called: ldap_connect, ldap_set_option and ldap_bind. Their roles, in turn:

ldap_connect: connects to the LDAP server, in the following format:

$server = "localhost";

$LDAPCONN = ldap_connect($server);

If the return value stored in $LDAPCONN is numeric, a value of 0 means the connection failed and any other value means it succeeded.

ldap_set_option($link_identifier, $option, &$retval): takes three parameters.

$link_identifier: the LDAP connection identifier returned by ldap_connect() (used to determine whether the LDAP connection succeeded).

$option can take the following values:

LDAP_OPT_DEREF (int): how aliases are handled during searches. Possible values: LDAP_DEREF_NEVER (0, default), LDAP_DEREF_SEARCHING (1), LDAP_DEREF_FINDING (2), LDAP_DEREF_ALWAYS (3).

LDAP_OPT_NETWORK_TIMEOUT (int): network timeout in seconds; LDAP_NO_LIMIT (0, default) means never time out.

LDAP_OPT_PROTOCOL_VERSION (int): the LDAP protocol version to use. Values: LDAP_VERSION2 (2, default), LDAP_VERSION3 (3).

LDAP_OPT_REFERRALS (bool): whether the LDAP library automatically follows referrals returned by the LDAP server. Values: TRUE (1, default), FALSE (0).

&$retval: variable that receives the option value.

For example, the code in bWAPP:

ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION, 3);

This line means: once the LDAP connection succeeds, tell it to use protocol version 3. (No need to dig deeper; it is a fixed idiom.)

ldap_bind($link_identifier,$bind_rdn,$bind_password)

$link_identifier: the LDAP connection identifier returned by ldap_connect() (used to determine whether the LDAP connection succeeded)

$bind_rdn: the RDN to bind as, i.e. the login path, such as cn=admin,dc=bwapp,dc=local

$bind_password: the password used for login.

ldap_search($link_identifier, $dn, $filter): the LDAP directory search function. On success it returns a result-set resource identifier, usually passed to other functions as $result_identifier; on failure it returns FALSE.

$link_identifier: the LDAP connection identifier returned by ldap_connect() (used to determine whether the connection succeeded)

$dn: the DN of the directory subtree to search

$filter: the search filter. For example, "(objectClass=*)" matches all entries (or, for the read function, all attributes).

In ldap_search($ds, $dn, $filter) as used here, $ds = ldap_connect(), $dn = "DC=bwapp,DC=local" and $filter = (cn=*) (i.e. any cn). With these three parameters, ldap_search queries every entry under the current server's base (relative to bwapp).

ldap_count_entries($link_identifier, $search): returns the number of entries in the query result.

$link_identifier: the LDAP connection identifier returned by ldap_connect() (used to determine whether the connection succeeded)

$search: the result set returned by ldap_search($link_identifier, $dn, $filter).

With the functions covered, let's run through the overall flow of this connection file.

From line 149 to line 163, the code checks whether each of the received values is null and, if so, displays a prompt message.

Lines 165 to 198 determine whether the login succeeds: lines 165 to 184 check whether the LDAP service is reachable, and lines 187 to 198 check whether the distinguished name (the equivalent of a database name) exists.

Lines 200 to 236 check whether the DN, i.e. the corresponding LDAP path, exists; if not, a prompt message is shown, and if it does, ldapi.php is called to perform the LDAP query. Once ldapi.php has the query results, it outputs them as a table.

Introduction to the LDAP query results PHP file

The table is produced in ldapi.php, so look at the code there.

Lines 231 to 240 are the same bind sequence described above (binding to the LDAP directory); refer to the LDAP binding section above if anything is unclear.

If the bind to the LDAP directory succeeds, the query starts at line 242.

The code receives the POST parameter user, creates aliases ($search_field_1, $search_field_2, $search_field_3) and specifies a filter ($filter). Filters are query expressions similar to SQL statements; their syntax rules are as follows:

Operator / Character / Purpose:

Equal, = : creates a filter that requires a field to have a given value.
Any, * : represents a field that can equal any value except NULL.
Parentheses, ( ) : separate filters so that other logical operators can work.
And, & : combined filter; all conditions in the corresponding series must be true.
Or, | : combined filter; at least one condition in the corresponding series must be true.
Not, ! : excludes all objects that match the filter criteria.

Returns all objects (this can cause load problems on large directories):

objectClass=*

Returns all user objects specified as "person":

(&(objectClass=user)(objectCategory=person))

Returns only groups (mailing lists):

(objectCategory=group)

Return only public folders:

(objectCategory=publicfolder)

Returns all user objects except those whose primary e-mail address begins with "test":

(&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

Returns all user objects except those whose primary email address ends with "test":

(&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

Returns all user objects except those with the word "test" in their primary email address:

(&(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

Returns all user objects specified as "person", plus all group objects (distribution lists):

(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

Returns all user objects specified as "person", all group objects and all contacts, excluding objects that have any value in extensionAttribute9:

(&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

Returns all users that are members of the group whose DN is CN=Group,CN=Users,DC=Domain,DC=com:

(&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com))

Returns all users:

Microsoft Active Directory LDAP server: (&(objectCategory=person)(objectClass=user))

OpenLDAP server: (objectClass=inetOrgPerson)

IBM Notes Domino LDAP server: (objectClass=dominoPerson)

Searches IBM Notes Domino LDAP for all person or group objects (including mail-in databases) that have a mail address:

(&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

Active Directory: returns all active (not disabled) users that have an email address:

(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Returns all users whose group membership (memberof DN) makes them members of Group_1 or Group_2:

(&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

Returns all users whose extensionAttribute1 value is Engineering or Sales:

(&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))

With the syntax rules covered, let's analyze the code starting at line 267.

$ldap_fields_to_find defines an array used to receive the LDAP query results and print them as a table. It is passed as the fourth parameter of ldap_search, so the returned results are keyed by these names (key-value pairs), and the results are then read into the $info array. Lines 287 to 291 assign each key to its own variable, and finally a loop prints the table row by row, completing the query.

A brief introduction to LDAP injection concatenation syntax

Since LDAP filters resemble SQL queries, look directly at how the filter is written in bWAPP, i.e. the $filter variable in ldapi.php:

$filter="(|($search_field_1=$search_for)($search_field_2=$search_for)($search_field_3=$search_for))";

The essence of SQL injection is concatenating single quotes; the essence of LDAP injection is concatenating parentheses.

Now, to query all users, simply enter * in the user field; $filter then becomes $filter="(|($search_field_1=*)($search_field_2=*)($search_field_3=*))";

Look at the results in bWAPP.

Many users are returned, but that is not enough, because I want to see the admin, so I construct this LDAP filter:

$filter="(|($search_field_1=*)(objectclass=*)($search_field_2=*)($search_field_3=*))";

This way I can query all users, including administrators: objectclass=* matches every entry that exists, i.e. the whole directory.

So enter *)(objectclass=* in the user field.

Look at the results: Administrator appears, and the injection succeeded.
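To make the concatenation concrete, here is an added Python example (not bWAPP's own code) that rebuilds $filter the way ldapi.php does, shows how the *)(objectclass=* input changes the filter's structure, and contrasts it with the RFC 4515 escaping that PHP's ldap_escape() with LDAP_ESCAPE_FILTER applies. The attribute names cn, sn and mail stand in for $search_field_1..3 and are assumed.

```python
# Added example, not part of bWAPP: how the ldapi.php $filter is built,
# and why escaping the user value keeps it from changing the filter.

# RFC 4515 filter-value escaping (the same characters PHP's ldap_escape()
# rewrites under LDAP_ESCAPE_FILTER).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Assumed attribute names standing in for $search_field_1..3.
FIELDS = ("cn", "sn", "mail")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only match, never restructure."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unsafe(search_for: str, fields=FIELDS) -> str:
    """Mirrors ldapi.php: (|(f1=X)(f2=X)(f3=X)) with X spliced in verbatim."""
    return "(|" + "".join(f"({f}={search_for})" for f in fields) + ")"


def build_filter_safe(search_for: str, fields=FIELDS) -> str:
    """Same shape, but the value is escaped first (defensive version)."""
    return build_filter_unsafe(escape_filter_value(search_for), fields)


def top_level_terms(filter_str: str) -> list:
    """Split an (|...) or (&...) filter into its immediate child filters.

    Counting these shows whether an input merely filled a value (3 terms)
    or injected extra conditions into the OR (more than 3 terms)."""
    assert filter_str[:2] in ("(|", "(&") and filter_str.endswith(")")
    body = filter_str[2:-1]
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms


if __name__ == "__main__":
    payload = "*)(objectclass=*"          # the input used in the range exercise
    for name, f in (("unsafe", build_filter_unsafe(payload)),
                    ("safe", build_filter_safe(payload))):
        print(name, len(top_level_terms(f)), "terms:", f)
```

The unsafe build turns the one value into six OR terms (the page shows a simplified filter with a single extra objectclass term; the value is actually spliced into all three fields), while the escaped build keeps exactly three.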

After reading the above, do you know how to do range practice with bee-box LDAP injection? If you want to learn more skills or related content, follow the industry information channel. Thank you for reading!
