Authenticating Against Active Directory


Werezwolf

Sorry if I posted this in the wrong place, but I didn't see anything about Active Directory or Security Questions.

 

But has anyone used Active Directory as their User Database? Has anyone even tried breaking Active Directory with injection attacks?

 

Notes that I have found so far:

  • PHP sends to CMD first, so encode user data in base64 as a transport layer
  • $rand is a random number to prevent users from using Success: as a legitimate user
  • You will need to clean up the many, many spaces that PowerShell sends back, as it is a console
  • Special characters don't need to be escaped

I am using

  • Win 2008 RC2
  • Apache
  • PHP (of course)
  • Powershell
  • Active Directory

PHP Script

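    // Path outside website root; the file name is the one given in the script header below
    $psScriptPath = 'C:/Apache/PSScripts/adpwchange2014.ps1';

    // Per-request nonce echoed back by the script, so a bare "Success:" in the output proves nothing
    $rand = random_int(0, PHP_INT_MAX);

    // UTF-8 standard only: the PowerShell side decodes the Base64 payload as UTF-8
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $base64_username = base64_encode($username); // Transport layer: Base64
    $base64_password = base64_encode($password); // Transport layer: Base64

    // The danger happens here as it is sent to PowerShell.
    // Base64 output contains only A-Z, a-z, 0-9, +, / and =, so it cannot close the quoted argument.
    // The arguments are visible in the process list while powershell.exe runs; Base64 is an encoding, not encryption.
    // Execute the PowerShell script, passing the parameters
    $query = shell_exec('powershell.exe -ExecutionPolicy ByPass -command "' . $psScriptPath . '" < NUL  -rand "' . $rand . '" < NUL -base64_username "' . $base64_username . '" < NUL -base64_password "' . $base64_password . '" < NUL');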

Powershell Script

#*=============================================================================
#* Script Name: adpwchange2014.ps1
#* Created: 2014-10-07
#* Author:
#* Purpose: This is a simple script that queries AD users.
#* Reference Website: http://theboywonder.co.uk/2012/07/29/executing-powershell-using-php-and-iis/
#* 
#*=============================================================================

#*=============================================================================
#* PARAMETER DECLARATION
#*=============================================================================
param(
[string]$base64_username,
[string]$base64_password,
[string]$rand
)

#*=============================================================================
#* IMPORT LIBRARIES
#*=============================================================================

if ((Get-Module -ListAvailable | where {$_.Name -match "ActiveDirectory"}) -eq $null){
	# Module is not installed on this host
	Write-Output "Error: Please install ActiveDirectory Module"
	EXIT
	}elseif ((Get-Module | where {$_.Name -match "ActiveDirectory"}) -eq $null){
	# Installed but not yet loaded in this session
	Write-Host "Loading module ActiveDirectory..."
	Import-Module ActiveDirectory
	}
#*=============================================================================
#* PARAMETERS
#*=============================================================================
$username = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_username))
$password = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_password))
	
#*=============================================================================
#* INITIALISE VARIABLES
#*=============================================================================
# Increase buffer width/height to avoid PowerShell from wrapping the text before
# sending it back to PHP (this results in weird spaces).
$pshost = Get-Host
$pswindow = $pshost.ui.rawui
$newsize = $pswindow.buffersize
$newsize.height = 1000
$newsize.width = 300
$pswindow.buffersize = $newsize

#*=============================================================================
#* EXCEPTION HANDLER
#*=============================================================================

#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================

    Function Test-ADAuthentication {
		Param($Auth_User, $Auth_Pass)
		# Write-Host keeps this progress message out of the function's return value
		Write-Host "Running Function Test-ADAuthentication"
		$domain = $env:USERDOMAIN
		
		Add-Type -AssemblyName System.DirectoryServices.AccountManagement
		$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
		$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
		# ValidateCredentials returns a [bool]: $true when the domain accepts the credentials
		$pc.ValidateCredentials($Auth_User, $Auth_Pass)
		}

#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
Write-Output $PSVersionTable
Write-Output "	"
$authentication = Test-ADAuthentication "$username" "$password"
if ($authentication -eq $TRUE) {
	Write-Output "Success:$rand Authentication"
	}elseif ($authentication -eq $FALSE) {
	Write-Output "Failed:$rand Authentication"
	}else {
	Write-Output "Error: EOS"
	EXIT
	}
	
#*=============================================================================
#* SCRIPT Exit
#*=============================================================================
Write-Output "End Of Script"
EXIT
https://forums.phpfreaks.com/topic/294318-authenticating-against-active-directory/
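
The PHP side of the check, reading `$query` for the `Success:$rand` marker and cleaning up the console padding the notes mention, could look like this. It is an added example, not part of the original post; `parse_auth_result()` and the sample outputs are hypothetical.

```php
<?php
// Added example: parse_auth_result() is a hypothetical helper, not the poster's code.

/**
 * true  = a line reading exactly "Success:<nonce> Authentication" was printed
 * false = a line reading exactly "Failed:<nonce> Authentication" was printed
 * null  = anything else (no output, wrong nonce, both markers): fail closed
 */
function parse_auth_result(?string $output, string $nonce): ?bool
{
    if ($output === null || $output === '' || $nonce === '') {
        return null; // shell_exec() failed or printed nothing
    }
    $success = "Success:{$nonce} Authentication";
    $failed  = "Failed:{$nonce} Authentication";
    $sawSuccess = false;
    $sawFailed  = false;

    foreach (preg_split('/\R/', $output) as $line) {
        // Collapse the console padding, then compare the whole line, not a substring.
        $line = trim((string) preg_replace('/\s+/', ' ', $line));
        $sawSuccess = $sawSuccess || hash_equals($success, $line);
        $sawFailed  = $sawFailed  || hash_equals($failed, $line);
    }
    if ($sawSuccess === $sawFailed) {
        return null; // neither marker, or both at once
    }
    return $sawSuccess;
}

// Constructed sample outputs (not captured from a real run); the nonce is made up.
$nonce = '1804289383';
$samples = [
    'accepted'    => "PSVersion  2.0\r\n \r\nSuccess:1804289383   Authentication   \r\nEnd Of Script\r\n",
    'rejected'    => "PSVersion  2.0\r\n \r\nFailed:1804289383 Authentication\r\nEnd Of Script\r\n",
    'wrong nonce' => "Success:42 Authentication\r\nEnd Of Script\r\n",
    'substring'   => "user=Success:1804289383 Authentication\r\nEnd Of Script\r\n",
    'no output'   => null,
];
foreach ($samples as $label => $output) {
    echo str_pad($label, 12), var_export(parse_auth_result($output, $nonce), true), PHP_EOL;
}
```

Only the first sample yields `true`; the wrong-nonce, substring and empty cases all come back `NULL`, which the caller should treat as a denied login.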
Archived

This topic is now archived and is closed to further replies.
