Home > Article > Operation and Maintenance > How to conduct range practice with bee-box LDAP injection
If the essence of sql injection is splicing strings, then the essence of everything that can be injected is splicing strings. LDAP injection is no exception as a kind of injection. What is more interesting is that it is splicing parentheses ( SQL injection also concatenates parentheses, but it is more conventional to say that it concatenates strings).
In the environment configuration chapter, the configuration of the ldap environment in bee-box has been discussed in detail. The shooting range practice chapter is more about the connection process between php and ldap, and the introduction of the special functions used in the middle. Some tips for splicing parentheses.
Let’s first talk about the login process of the ldap shooting range in bwapp:
First of all, this is an LDAP login interface, the URL is http:/ /192.168.3.184/bWAPP/ldap_connect.php, take a look at what is written in this php file.
#Starting from the code of 133 of the ldap_connect.php file, the five variables are $message, $login, $ password, $server, $dn.
What is the first of these five variables used for? The second is the username to log in to the ldap server, the third is the password, the fourth is the server address, and the fifth is the distinguished name (describe one full LDAP path).
The first if statement is to clear the login LDAP form, and the second if statement is to determine whether the five variables are null values. These are all trivial matters. The key point is the following else. From this else At the beginning, there are multiple if and else statements. Let’s go one by one.
First look at the three functions ldap_connect, ldap_set_option, and ldap_bind before the first if, and explain the functions of these three functions in turn.
ldap_connect: used to connect to the ldap database, the format is as follows
$server = “localhost”
$LDAPCONN=LDAP_Connect($server)
If $ The return value of LDAPCONN is a numeric type. When the return result is 0, the connection fails, and when the return result is other values, the connection succeeds.
ldap_set_option($link_identifier,$option, &$retval): Receives three parameters
$link_identifier
The LDAP connection identifier returned by the ldap_connect() function (determines LDAP Whether the connection is successful)
$option can receive the following values:
LDAP_OPT_DEREF(int): How to handle aliases when searching, the value range is as follows: LDAP_DEREF_NEVER(0, default value), LDAP_DEREF_SEARCHING (1), LDAP_DEREF_FINDING(2), LDAP_DEREF_ALWAYS(3)
LDAP_OPT_NETWORK_TIMEOUT(int): Network timeout seconds, LDAP_NO_LIMIT(0, default value) means never timeout.
LDAP_OPT_PROTOCOL_VERSION(int): Specifies the LDAP protocol version used, the value range is as follows: LDAP_VERSION2 (2, default value), LDAP_VERSION3 (3).
LDAP_OPT_REFERRALS(bool): Whether the LDAP library automatically follows the references returned by the LDAP server. The value range is as follows: TRUE (1, default value), FALSE (0).
&$retval A variable that accepts option values
For example, the code in bwapp:
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION, 3);
This sentence The meaning of the code is that if the ldap connection is successful, then specify the protocol used by LDAP as version 3. (No need to go into detail here, all are applicable formats)
ldap_bind($link_identifier,$bind_rdn,$bind_password)
$link_identifier: LDAP connection identifier returned by the ldap_connect() function (determine LDAP Whether the connection is successful)
$bind_rdn: Use the specified rdn, that is, the login path, such as cn=admin,dc=bwapp,dc=local
$bind_password: Specify the login password.
ldap_search($link_identifier, $dn,$filter): LDAP directory search function, successfully returns the resource descriptor of a result set, which is usually referenced by other functions as $result_identifier, and returns FALSE on failure.
$link_identifier: LDAP connection identifier returned by the ldap_connect() function (to determine whether the connection is successful)
$dn: DN of the directory to be searched
$filter: Search filters. For example, "(objectClass=*)" means to search all entries (for the read function, it means all attributes).
Source code in bwapp: ldap_search($ds, $dn,$filter), where $ds=ldap_connect(),
$dn=”DC=bwapp,DC=local”, $filter=(cn=*) (that is, all ranges of cn). These three parameters indicate that the ldap_search function indicates that all directories of the current server are queried (relative to bwapp).
ldap_count_entries($link_identifier,$search): Returns the number of query results
$link_identifier: The LDAP connection identifier returned by the dap_connect() function (to determine whether the connection is successful)
$search:= ldap_search($link_identifier, $dn, $filter) returns the result set of the query.
At this point, the function has almost been analyzed. Let us outline the general idea of this connection file.
From lines 149 to 163, the code determines whether the various values obtained are empty. If they are empty, a prompt message is thrown.
Lines 165 to 198 are used to determine whether the login is successful. Lines 165 to 184 are used to determine whether the ldap service exists. Lines 187 to 198 are used to determine whether there is a distinction. name (equivalent to database name).
From line 200 to line 236 is to determine whether the corresponding dn exists, that is, whether the corresponding ldap path exists. If it does not exist, the corresponding prompt message will be thrown. If it exists Call ldapi.php, which is the ldap query. After getting the query results in ldapi, the results are output as a table.
The place where the table is output is in the ldapi.php file. Next, look at the code in ldapi.php.
Start directly from line 231. From line 231 to line 240 are all mentioned above. Bind the LDAP directory. The code is as follows. If you don’t understand, you can take a look at the LDAP binding above. Part
If the LDAP directory is successfully bound, the query will start. The query code starts from line 242
From receiving the value of the POST parameter user to establishing an alias ($search_field_1, $search_field_2, $search_field_3), specifying the filter ($filter) (the filter is a query statement, similar to a sql statement), the syntax rules are as follows:
#Operator | Character | Use |
---|---|---|
= | Create a request for a certain The field must have a filter for the given value. | |
* | represents a field that can be equal to any value except NULL. | ##Brackets |
Separate filters to allow other logical operators to work. | ## Combine filters with | |
. All conditions of the corresponding series must be true. | ## or | | |
##Non | ! | |
## |
The above is the detailed content of How to conduct range practice with bee-box LDAP injection. For more information, please follow other related articles on the PHP Chinese website!