Jump to content

Recommended Posts

Sorry if i posted this in the wrong place but i dident see anthing about Active Directory or Security Questions

 

But has anyone used Active Directory as their User Database? Has anyone even tryed braking Active Directory with injection attacks?

 

Notes that i have found so far:

  • Php Sends to CMD first so encode userdata in base64 as a transport layer
  • $rand is a random number to prevent users from useing Success: as a ligitimate user
  • You will need to clean up the many many spaces that powershell sends back as it is a concole
  • Special Charicters dont need to be escaped

I am using

  • Win 2008 RC2
  • Apache
  • PHP (of course)
  • Powershell
  • Active Directory

PHP Script

    $psScriptPath = 'C:/Apache/PSScripts/' //Path outside Website Root

    $rand = mt_rand(mt_getrandmax(),mt_getrandmax());
   
    //UTF-8 Standard only
    $username = utf8_decode($_POST["username"]);
    $password = utf8_decode($_POST["password"]);

    $base64_username = base64_encode($username); //Transport Layer Base64
    $base64_password = base64_encode($password); //Transport Layer Base64

    //The danger happens here as it is sent to powershell.
    $query = shell_exec('powershell.exe -ExecutionPolicy ByPass -command "' . $psScriptPath . '" < NUL  -rand "' . $rand . '" < NUL -base64_username "' . $base64_username . '" < NUL -base64_password "' . $base64_password . '" < NUL');// Execute the PowerShell script, passing the parameters

Powershell Script

#*=============================================================================
#* Script Name: adpwchange2014.ps1
#* Created: 2014-10-07
#* Author:
#* Purpose: This is a simple script that queries AD users.
#* Reference Website: http://theboywonder.co.uk/2012/07/29/executing-powershell-using-php-and-iis/
#* 
#*=============================================================================

#*=============================================================================
#* PARAMETER DECLARATION
#*=============================================================================
param(
[string]$base64_username,
[string]$base64_password,
[string]$rand
)

#*=============================================================================
#* IMPORT LIBRARIES
#*=============================================================================

if ((Get-Module | where {$_.Name -match "ActiveDirectory"}) -eq $null){
	#Loading module
	Write-Host "Loading module AcitveDirectory..."
	Import-Module ActiveDirectory
	}else{
	write-output "Error: Please install ActiveDirectory Module"
	EXIT
	NUL
	Stop-Process -processname powershell*
	}
#*=============================================================================
#* PARAMETERS
#*=============================================================================
$username = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_username))
$password = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_password))
	
#*=============================================================================
#* INITIALISE VARIABLES
#*=============================================================================
# Increase buffer width/height to avoid PowerShell from wrapping the text before
# sending it back to PHP (this results in weird spaces).
$pshost = Get-Host
$pswindow = $pshost.ui.rawui
$newsize = $pswindow.buffersize
$newsize.height = 1000
$newsize.width = 300
$pswindow.buffersize = $newsize

#*=============================================================================
#* EXCEPTION HANDLER
#*=============================================================================

#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================

    Function Test-ADAuthentication {
		Param($Auth_User, $Auth_Pass)
		Write-Output "Running Function Test-ADAuthenication"
		$domain = $env:USERDOMAIN
		
		Add-Type -AssemblyName System.DirectoryServices.AccountManagement
		$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
		$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
		$pc.ValidateCredentials($Auth_User, $Auth_Pass).ToString()
		}

#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
Write-Output $PSVersionTable
Write-Output "	"
$authentication = Test-ADAuthentication "$username" "$password"
if ($authentication -eq $TRUE) {
	Write-Output "Success:$rand Authentication"
	}elseif ($authentication -eq $FALSE) {
	Write-Output "Failed:$rand Authentication"
	}else {
	Write-Output "Error: EOS"
	EXIT
	NUL
	Stop-Process -processname powershell*
	}
	
#*=============================================================================
#* SCRIPT Exit
#*=============================================================================
Write-Output "End Of Script"
EXIT
NUL
Stop-Process -processname powershell*
Link to comment
https://forums.phpfreaks.com/topic/294318-authenticating-against-active-directory/
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.