How to configure the environment for bee-box LDAP injection

1. Overview

According to my learning process, I must know what the model and vulnerability principles of my web attack are. Now I have encountered an unpopular situation. I saw it for the first time. When I came to LDAP, I discovered an unpopular one (authorized) during a penetration test of a state-owned enterprise, which aroused my interest in it.

The concept of LDAP:

Full name: Lightweight Directory AccessProtocolt, Features: I won’t talk about the protocol, it’s too esoteric, it can be understood as a The database that stores data is special in that it is a tree-like database. First of all, the name of this database is equivalent to the root of the tree (i.e. DB = dc), and then all the nodes passing through from the root of the tree to a certain leaf node are called Branches (ou) and finally reaches the leaf node (uid) you are looking for. As shown in the figure below:

To be more specific, name each node and go through the diagram again, dc= root, fork 1 ou = database, fork 2 ou= mysql, leaf node uid = user.

Then describe it in language: dn:cn =user,ou = database,ou = mysql,dc = root

dn identifies a record and describes it A detailed path of data is obtained, which is called "base DN". Through this record, a leaf node can be found conveniently and quickly. From the figure, LDAP can clearly divide the node area, that is, what is the parent node of the node, what are the child nodes, and extended to practical applications, what is the superior department of the department, and who are the employees of the department? , if used internally by the enterprise, it can clearly describe where each employee belongs.

Let’s first look at a case of server segment configuration:

Assume that the name of a company is bwapp, and the CEO who manages this company is called admin.

Now the CEO wants to add a new department to the company, called the security department (anquanbu). Under the security department is the security department (anfu). The security department is divided into penetration testing (sentou) and emergency response. (yingji) two teams, then Xiaoliang (xiaoliang) is in the infiltration team, and Xiaoming (xiaoming) is in the emergency team.

The configured directory structure is as shown below

2. LDAP configuration based on Bee-Box (Linux)

First find A relatively easy to configure LDAP architecture, OpenLDAP phpLDAPadmin is recommended here.

The steps are as follows:

First enter the following two installation commands:

sudo apt-getupdate

sudo apt-getinstall slapd ldap-utils

During the installation process, you will be asked to select and confirm the LDAP administrator password

sudodpkg-reconfigure slapd

This command needs to configure some ldap things. The following is a comparison between Chinese and English And screenshot

1. OpenLDAP server configuration is omitted? No

2. DNS domain name?

This option will determine the basic structure of the directory path. Read the message to find out how this will be achieved. Even if you don't own the actual domain, you can choose any value you want. However, this tutorial assumes you have the appropriate server domain name, so you should use that. Here for the bwapp shooting range, set it to bwapp.local

3. Organization name?

We use bwapp

4. Administrator password? Enter the security password twice

5. Database backend? HDB

#5. Delete the database when clearing slapd? No

#6. Move the old database? Yes

#7. Allow LDAPv2 protocol? No

At this point the initial configuration is complete, open the LDAP port on the firewall so that external clients can connect:

sudo ufw allow ldap

Test whether the LDAP connection to ldapwhoami is successful, the connection should return the username we connected to:

ldapwhoami -H ldap:// -x

Access the phpLDAPadmin of the virtual machine from the host

https://virtual machine IP /phpldapadmin/

Enter the password to log in.

Login successful

Then the configuration on the server is as follows

The following configuration They are all translated into Chinese using the Google Translate plug-in.

First create the security department:

Select the organizational unit

Create the object

Then create the sub-department of the security department, security (anfu)

Create the sub-department Entry

The steps are the same as above

Created successfully

Then create penetration (shentou) and emergency (yingji) under the security server

The steps are the same as above

Create employees Li Xiaoliang (xiaoliang) and Wang Xiaoming (xiaoming) for penetration (shentou) and emergency (yingji) respectively

The steps to create personnel are as follows. The above are the steps to create organizational departments.

First create the user account xiaoliang under the penetration group

phpMyAdmin. To create a user, you need to create a user group first. If there is no There is no way to create users in this user group. The process of creating a user group is as follows:

Create sub-entry

Create user group

Then create a user under the user group

##The creation is successful, but it is very annoying to need to enter the user's last name. Then you need to rename the user after creating the user.

The renaming steps are as follows

Click the username on the left and click rename on the right

Modification successful

3. Test whether it can communicate with bwapp

Open the ldap injection option of bwapp and enter content similar to the following picture:

If the connection is successful, the following interface will be returned

Note: If an ldap account is created, the login format must be certain It is like this:

cn=xiaoliang,cn=user,ou=shentou,ou=anfu,ou=anquanbu,dc=bwapp,dc=local

Then log in

The above is the detailed content of How to configure the environment for bee-box LDAP injection. For more information, please follow other related articles on the PHP Chinese website!