Lightweight Contact Book
While enumerating this I found that you can dump the database using ‘*’, which means it’s probably LDAP.
To confirm, we can try some injection.
LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator’s account.
So there’s a description field in the database that we haven’t uncovered yet. Fortunately, we can use wildcards to try and uncover the password from that field.
It works like this:
administrator)(description=a*
If the value in the description field starts with ‘a’, then it will return the public data. If not, then it won’t. So we can brute-force this.
Correct:
Incorrect:
You could go through this by hand, checking each character and eventually get it, or you can script it. I took the latter option.
Log in with administrator:very_secure_hacktivity_pass
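
Why the ‘*’ and `administrator)(description=a*` inputs change the query, and how escaping per RFC 4515 stops that, shown as an added example that is not part of the original writeup or the challenge's code. The filter template and all function names are assumptions, since the page does not show the application's real filter.

```python
import re

# Assumed filter template; the page does not show the application's real one.
TEMPLATE = "(&(uid={user})(objectClass=person))"

# RFC 4515 section 3: these characters must be written as \XX hex escapes
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_naive(user: str) -> str:
    """Vulnerable: input is concatenated straight into the filter."""
    return TEMPLATE.format(user=user)


def build_filter_safe(user: str) -> str:
    """Hardened: metacharacters are escaped, so input stays one value."""
    return TEMPLATE.format(user=escape_filter_value(user))


def attributes_in(ldap_filter: str) -> list:
    """List attribute names that open an assertion, i.e. directly follow '('."""
    return re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)[~<>]?=", ldap_filter)


def has_wildcard(ldap_filter: str) -> bool:
    """True if a literal '*' survives; escaped stars appear as \\2a instead."""
    return "*" in ldap_filter


if __name__ == "__main__":
    # Inputs taken from the writeup, plus one ordinary username (constructed).
    for sample in ["alice", "*", "administrator)(description=a*"]:
        for build in (build_filter_naive, build_filter_safe):
            f = build(sample)
            print(f"{build.__name__:18} {sample!r:34} -> {f}")
            print(f"{'':18} attributes={attributes_in(f)} wildcard={has_wildcard(f)}")
```

With the naive builder the filter gains a `description` assertion the application never intended to query; with escaping the same input stays a single literal `uid` value that matches nothing.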