Werezwolf Posted February 3, 2015 Share Posted February 3, 2015 Sorry if i posted this in the wrong place but i dident see anthing about Active Directory or Security Questions But has anyone used Active Directory as their User Database? Has anyone even tryed braking Active Directory with injection attacks? Notes that i have found so far: Php Sends to CMD first so encode userdata in base64 as a transport layer $rand is a random number to prevent users from useing Success: as a ligitimate user You will need to clean up the many many spaces that powershell sends back as it is a concole Special Charicters dont need to be escaped I am using Win 2008 RC2 Apache PHP (of course) Powershell Active Directory PHP Script $psScriptPath = 'C:/Apache/PSScripts/' //Path outside Website Root $rand = mt_rand(mt_getrandmax(),mt_getrandmax()); //UTF-8 Standard only $username = utf8_decode($_POST["username"]); $password = utf8_decode($_POST["password"]); $base64_username = base64_encode($username); //Transport Layer Base64 $base64_password = base64_encode($password); //Transport Layer Base64 //The danger happens here as it is sent to powershell. $query = shell_exec('powershell.exe -ExecutionPolicy ByPass -command "' . $psScriptPath . '" < NUL -rand "' . $rand . '" < NUL -base64_username "' . $base64_username . '" < NUL -base64_password "' . $base64_password . '" < NUL');// Execute the PowerShell script, passing the parameters Powershell Script #*============================================================================= #* Script Name: adpwchange2014.ps1 #* Created: 2014-10-07 #* Author: #* Purpose: This is a simple script that queries AD users. #* Reference Website: http://theboywonder.co.uk/2012/07/29/executing-powershell-using-php-and-iis/ #* #*============================================================================= #*============================================================================= #* PARAMETER DECLARATION #*============================================================================= param( [string]$base64_username, [string]$base64_password, [string]$rand ) #*============================================================================= #* IMPORT LIBRARIES #*============================================================================= if ((Get-Module | where {$_.Name -match "ActiveDirectory"}) -eq $null){ #Loading module Write-Host "Loading module AcitveDirectory..." Import-Module ActiveDirectory }else{ write-output "Error: Please install ActiveDirectory Module" EXIT NUL Stop-Process -processname powershell* } #*============================================================================= #* PARAMETERS #*============================================================================= $username = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_username)) $password = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64_password)) #*============================================================================= #* INITIALISE VARIABLES #*============================================================================= # Increase buffer width/height to avoid PowerShell from wrapping the text before # sending it back to PHP (this results in weird spaces). $pshost = Get-Host $pswindow = $pshost.ui.rawui $newsize = $pswindow.buffersize $newsize.height = 1000 $newsize.width = 300 $pswindow.buffersize = $newsize #*============================================================================= #* EXCEPTION HANDLER #*============================================================================= #*============================================================================= #* FUNCTION LISTINGS #*============================================================================= Function Test-ADAuthentication { Param($Auth_User, $Auth_Pass) Write-Output "Running Function Test-ADAuthenication" $domain = $env:USERDOMAIN Add-Type -AssemblyName System.DirectoryServices.AccountManagement $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain) $pc.ValidateCredentials($Auth_User, $Auth_Pass).ToString() } #*============================================================================= #* SCRIPT BODY #*============================================================================= Write-Output $PSVersionTable Write-Output " " $authentication = Test-ADAuthentication "$username" "$password" if ($authentication -eq $TRUE) { Write-Output "Success:$rand Authentication" }elseif ($authentication -eq $FALSE) { Write-Output "Failed:$rand Authentication" }else { Write-Output "Error: EOS" EXIT NUL Stop-Process -processname powershell* } #*============================================================================= #* SCRIPT Exit #*============================================================================= Write-Output "End Of Script" EXIT NUL Stop-Process -processname powershell* Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.