11 years ago
0
Hi All,
Everyone who completed this level. Please provide your hints over here.
oh shit, now i need to do some more reading to finish this one :(
did some reading on LDAP before, basic stuff but no exploitation though.
I Hate Signatures.
11 years ago
0
I don’t think this level has anything to do with LDAP injection. I’ve tried like 30 injections but still unable to get through.
We need to find a way to break the syntax and get error messages….. no luck though, it might be blind LDAP injection…..
/dev/null
My guess is to guess the real name variable (assuming it’s LDAP injection). I’ve tried realname, real_name and real-name. No luck!
/dev/null
I tried the same DC with no luck, I tried other alternatives too. This one is quite challenging :/ I should be working too lol
I would love to change the world, but they won’t give me the source code.
To tell the truth my first though about this level was xpath exploit/ xml login…
did try few things on that, got a different error msg (something like: syntax error or invalid query).
tried few with LDAP yet with no result.
will try some more when im done reading with LDAP.
I Hate Signatures.
11 years ago | edited 11 years ago
0
Don’t try these cause I’ve already tried it and few more which are not mentioned over here.
[spoiler]user=)(uid=))(|(uid=
user=)(|(password=))
smurphy)(|(password=))
sandram)(|(password=))
smurphy)(uid=smurphy)(|(uid=smurphy
sandramurphy)(uid=sandramurphy)(|(uid=sandramurphy
sandram)(uid=sandram)(|(uid=sandram
sandra_murphy)(uid=sandra_murphy)(|(uid=sandra_murphy
sandy)(uid=sandy)(|(uid=sandy
)(uid=)(|(uid=
murphy)(uid=murphy)(|(uid=murphy
sandra)(uid=sandra)(|(uid=sandra
user)(uid=)
user)(uid=))(|(uid=
samurphy)(uid=samurphy)(|(uid=samurphy
sanmurphy)(uid=sanmurphy)(|(uid=sanmurphy
(&(user=)(pass=))
(&(user=)(&))(pass=))
user=)(cn=))%00&pass=whatever
user=san)(cn=san))(|(cn=san
user=mur)(cn=mur))(|(cn=mur
user=s)(cn=s))(|(cn=s
I’m more thinking along the lines of *)(realname=Sandra Murphy - but that didn’t work for me. Shouldn’t we guess the ‘realname’ parameter in the LDAP?
/dev/null
Off-topic - The spoiler tag still exists you just have to manually type it as the wiziwig forgot about it, and you can only open it not close, these have been noted.
>> Meow
Folding@Home Stats | Official Thread | Team Number: 223679
11 years ago
0
If the real name is Sandra Murphy then the display name would be the same I guess. But login IDs cannot use spaces I believe so the username should be something like sandram or smurphy or something. But its not possible to guess the username it could be anything. In my office the LDAP uses altogether a different ID which is no where related to my name. And I have even tried the * but its not working. Need to do some more digging I guess in LDAP.
I Hate Signatures.
Thank you very much @ADIGA ;)
Edit: Added spoiler tags.
11 years ago
0
Wooa, I am not a programmer not even remotely. Guess I’ll have to do some more researching.
Not much research is needed. Infact
was able to help me. When I said programmer’s persepective, you need to understand how everything works in the code. =)
A hint has been added to the level. I need to double check its accuracy as I wrote it from memory but it will certainly nudge people in the right direction.
hahaha, after 40 attempts still no answer ….
treated it as an xpath injection, did some inputs that would return true for the username and would return true as real name of sandra… still no luck … this must be a very specific input for it to be accepted :(
tried with both single quote and dbl quote ….
im glad im almost balled or i would have pulled my hair out ..
I Hate Signatures.
why every query i try is able to login to another user and what ever i change it still the same user not Sandra Murphy ? can someone help me out in this ?
If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison
11 years ago
0
Hey roun512,
Please post the query that you are using.
If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison
11 years ago
0
Hey roun512,
Not the complete but at least the end part perhaps.
I Hate Signatures.
11 years ago
0
I’ve finally solved it…………………………… Now I can Rest In Peace
Keeper, the answer is found in google in the first 3 results when you search for the right thing … only minor change to the code in it needs to be made, and with falbby’s hint… its bulls eye for anyone who knows only a bit about programing logic.
I Hate Signatures.
11 years ago | edited 11 years ago
0
ColdIV was so right. Why didn’t I think about it before. Why was I thinking so much that I ruled out the obvious. The answer was in front of me this whole time now that I see once I have completed it. Now a small change to the code and thats it you are done with the level.
I can’t believe it!, I must have tried the correct thing a load of times :@ just in the wrong place lol never mind finally done :D
I would love to change the world, but they won’t give me the source code.
its somewhat simple
lets take an example of an sql database
it has 3 fields
username password realname
the login script may work with the query “select * from users where usernam=‘username’ and password=‘password’”
in case of an sql injection, you can change almost the whole query, as you do not have to use 1=1–…
the answer for this level is almost the same, find the bug type and try changing what it does (query) to include the real name field with the name you want to login with.
I Hate Signatures.
11 years ago
0
However it’s more easy with a computer ^^
@tlotr: You should close this thread because it’s getting loo long. Anyone who has question can create their own thread.