
How to conduct range practice with bee-box LDAP injection

May 13, 2023 am 09:49 AM
ldap bee-box

If the essence of SQL injection is splicing strings, then the essence of everything that can be injected is splicing strings, and LDAP injection is no exception. What makes it more interesting is that it splices parentheses (SQL injection also splices parentheses, but it is more conventional to say that it splices strings).

The environment configuration chapter covered the configuration of the LDAP environment in bee-box in detail. This range practice chapter is more about the connection process between PHP and LDAP, the special functions used along the way, and some tips for splicing parentheses.

Let's first talk about the login process of the LDAP range in bWAPP.

First of all, this is an LDAP login interface. The URL is http://192.168.3.184/bWAPP/ldap_connect.php. Take a look at what is written in this PHP file.

Detailed explanation of php connection LDAP function

Starting from line 133 of the ldap_connect.php file, there are five variables: $message, $login, $password, $server, $dn.

What is the first of these five variables used for? The second is the username used to log in to the LDAP server, the third is the password, the fourth is the server address, and the fifth is the distinguished name (it describes one full LDAP path).

The first if statement clears the LDAP login form, and the second if statement checks whether the five variables are null. These are trivial matters. The key point is the else that follows: from this else onward there are multiple if and else statements. Let's go through them one by one.

First look at the three functions called before the first if: ldap_connect, ldap_set_option, and ldap_bind. Their roles are explained in turn.

ldap_connect: used to connect to the LDAP database. The format is as follows:

$server = "localhost";

$LDAPCONN = ldap_connect($server);

The return value in $LDAPCONN is a numeric type. When the result is 0, the connection failed; any other value means the connection succeeded.

ldap_set_option($link_identifier,$option, &$retval): Receives three parameters

$link_identifier

The LDAP connection identifier returned by the ldap_connect() function (indicates whether the LDAP connection succeeded)

$option can receive the following values:

LDAP_OPT_DEREF(int): How to handle aliases when searching, the value range is as follows: LDAP_DEREF_NEVER(0, default value), LDAP_DEREF_SEARCHING (1), LDAP_DEREF_FINDING(2), LDAP_DEREF_ALWAYS(3)

LDAP_OPT_NETWORK_TIMEOUT(int): Network timeout seconds, LDAP_NO_LIMIT(0, default value) means never timeout.

LDAP_OPT_PROTOCOL_VERSION(int): Specifies the LDAP protocol version used, the value range is as follows: LDAP_VERSION2 (2, default value), LDAP_VERSION3 (3).

LDAP_OPT_REFERRALS(bool): Whether the LDAP library automatically follows the references returned by the LDAP server. The value range is as follows: TRUE (1, default value), FALSE (0).

&$retval A variable that accepts option values

For example, the code in bwapp:

ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION, 3);

This line means that if the LDAP connection succeeded, the protocol used by LDAP is set to version 3. (No need to go into detail here; this is the standard form.)

ldap_bind($link_identifier,$bind_rdn,$bind_password)

$link_identifier: LDAP connection identifier returned by the ldap_connect() function (indicates whether the LDAP connection succeeded)

$bind_rdn: Use the specified rdn, that is, the login path, such as cn=admin,dc=bwapp,dc=local

$bind_password: Specify the login password.

ldap_search($link_identifier, $dn,$filter): LDAP directory search function, successfully returns the resource descriptor of a result set, which is usually referenced by other functions as $result_identifier, and returns FALSE on failure.

$link_identifier: LDAP connection identifier returned by the ldap_connect() function (to determine whether the connection is successful)

$dn: DN of the directory to be searched

$filter: Search filters. For example, "(objectClass=*)" means to search all entries (for the read function, it means all attributes).

Source code in bWAPP: ldap_search($ds, $dn, $filter), where $ds=ldap_connect(),

$dn="DC=bwapp,DC=local", $filter="(cn=*)" (that is, any value of cn). With these three parameters, ldap_search queries all directories of the current server (relative to bwapp).

ldap_count_entries($link_identifier,$search): Returns the number of query results

$link_identifier: The LDAP connection identifier returned by the ldap_connect() function (to determine whether the connection is successful)

$search: the result set returned by ldap_search($link_identifier, $dn, $filter).

At this point, the functions have mostly been covered. Let us outline the general idea of this connection file.

From lines 149 to 163, the code checks whether the submitted values are empty. If they are, a prompt message is shown.

Lines 165 to 198 determine whether the login succeeds. Lines 165 to 184 determine whether the LDAP service exists. Lines 187 to 198 determine whether the distinguished name (equivalent to a database name) exists.

Lines 200 to 236 determine whether the corresponding dn exists, that is, whether the corresponding LDAP path exists. If it does not exist, the corresponding prompt message is shown. If it exists, ldapi.php is called, which performs the LDAP query. After ldapi.php gets the query results, they are output as a table.

Introduction to the php file of LDAP query results

The table is output in the ldapi.php file. Next, look at the code in ldapi.php.

Start directly from line 231. Lines 231 to 240 bind to the LDAP directory, as described above. If anything is unclear, refer to the LDAP binding part above.

If the LDAP directory is bound successfully, the query starts. The query code starts at line 242.

The code receives the value of the POST parameter user, sets up the aliases ($search_field_1, $search_field_2, $search_field_3), and specifies the filter ($filter). The filter is a query statement, similar to a SQL statement. Its syntax rules are as follows:

Equal sign (=): Creates a filter that requires a field to have a given value.
Any (*): Represents a field that can be equal to any value except NULL.
Parentheses ( ): Separate filters to allow other logical operators to work.
And (&): Combines filters. All conditions in the corresponding series must be true.
Or (|): Combines filters. At least one condition in the corresponding series must be true.
Not (!): Excludes all objects that match the filter criteria.

Returns all objects (this may cause load problems):

objectClass=*

Return all user objects specified as "person":

(&(objectClass=user)(objectCategory=person))

Return only mailing lists:

(objectCategory=group)

Return only public folders:

(objectCategory=publicfolder)

Returns all user objects, but excludes user objects whose primary email address begins with "test":

(&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

Return all user objects except those whose primary email address ends with "test":

(&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

Returns all user objects, but excludes those whose primary email address contains the word "test":

(&(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

Returns all user objects designated as "person" together with all group objects:

(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

Returns all user objects designated as "person", all group objects, and all contacts, but excludes any object that has a value defined for "extensionAttribute9":

(&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

Returns all users who are members of the group identified by the DN (CN=Group,OU=Users,DC=Domain,DC):

(&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com))

Return all users:

Microsoft®Active Directory® LDAP Server: (&(objectCategory=person)(objectClass=user))

OpenLDAP™ Server: (objectClass=inetOrgPerson)

IBM® Notes®Domino LDAP Server: (objectClass=dominoPerson)

Searches IBM Notes Domino LDAP for all objects that have an email address defined and are designated as "person" or "group":

(&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

ActiveDirectory: Returns all valid (not deactivated) users with email addresses:

(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Returns all users who are members of the groups identified by DN as Group_1 or Group_2:

(&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

Return all users whose extensionAttribute1 value is "Engineering" or "Sales"

(&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))

With the syntax rules introduced, the code starting from line 267 is analyzed next.

$ldap_fields_to_find defines an array that makes it easy to print the output table and receives the results of the LDAP query. $ldap_fields_to_find is passed as the fourth parameter of the ldap_search function, which means the received results are stored under these aliases, that is, as key-value pairs. The results are then returned into the $info array, each key is mapped to a variable in lines 287 to 291, and finally a loop prints the table. At this point, the query is complete.

A brief introduction to LDAP injection splicing syntax

Since the LDAP filter is similar to the SQL query statement, just look at how to write the filter in bwapp. Look directly at the $filter variable in the ldapi.php file:

$filter="(|($search_field_1=$search_for)($search_field_2=$search_for)($search_field_3=$search_for))";

The essence of a SQL statement lies in splicing single quotes, and the essence of an LDAP statement lies in splicing parentheses.

Now I want to query all users, so I just enter * in user, and $filter becomes $filter="(|($search_field_1=*)($search_field_2=*)($search_field_3=*))";

Look at the results in bWAPP.

A lot of users are returned, but that is not enough, because I want to see my administrator, so I construct an LDAP filter like this:

$filter="(|($search_field_1=*)(objectclass=*)($search_field_2=*)($search_field_3=*))";

This way I can query all users, including administrators. objectclass=* matches any entry where the attribute exists, that is, everything.

Then enter *)(objectclass=* in user.

Look at the result. The administrator appears and the injection is successful.
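The effect of that input on the filter's structure, next to the same filter built with RFC 4515 value escaping, as an added example that is not code from bWAPP or from the original article. The attribute names in SEARCH_FIELDS and all function names are assumptions made for illustration; the article does not show the values of $search_field_1 to $search_field_3.

```php
<?php
// Placeholder attribute names (assumed); the article does not show the
// values bWAPP assigns to $search_field_1..3.
const SEARCH_FIELDS = ['givenname', 'sn', 'mail'];

// Same pattern as the $filter line in ldapi.php: the raw value is spliced
// into every (field=value) term of the OR filter.
function build_filter_raw(string $search_for): string
{
    $terms = '';
    foreach (SEARCH_FIELDS as $field) {
        $terms .= "($field=$search_for)";
    }
    return "(|$terms)";
}

// RFC 4515 value escaping: \ * ( ) and NUL become \XX hex pairs. With
// ext-ldap loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER) does the same.
function escape_filter_value(string $value): string
{
    return preg_replace_callback(
        '/[\\\\*()\x00]/',
        fn(array $m): string => sprintf('\\%02x', ord($m[0])),
        $value
    );
}

function build_filter_escaped(string $search_for): string
{
    return build_filter_raw(escape_filter_value($search_for));
}

// Splits the outer (|...) into its top-level sub-filters by tracking
// parenthesis depth, which makes a change in filter structure visible.
function top_level_terms(string $filter): array
{
    $terms = [];
    $depth = 0;
    $start = 0;
    $inner = substr($filter, 2, -1); // drop "(|" and the closing ")"
    foreach (str_split($inner) as $i => $ch) {
        if ($ch === '(') {
            if ($depth === 0) { $start = $i; }
            $depth++;
        } elseif ($ch === ')' && --$depth === 0) {
            $terms[] = substr($inner, $start, $i - $start + 1);
        }
    }
    return $terms;
}

// Constructed inputs: a plain name, the wildcard, and the value from the article.
foreach (['alice', '*', '*)(objectclass=*'] as $input) {
    $raw  = build_filter_raw($input);
    $safe = build_filter_escaped($input);
    printf("input:   %s\n", $input);
    printf("raw:     %d terms  %s\n", count(top_level_terms($raw)), $raw);
    printf("escaped: %d terms  %s\n\n", count(top_level_terms($safe)), $safe);
}
```

Escaping also turns a lone * into a literal asterisk, so any wildcard search has to be offered deliberately by the application and not through raw input.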


Operator, character, and use:
Any (*): Represents a field that can be equal to any value except NULL.
And (&): Combines filters. All conditions of the corresponding series must be true.
Not (!): Excludes all objects that match the filter criteria.
