Lightweight Contact Book

While enumerating this, I found that searching for ‘*’ dumps the whole database, which suggests the backend is probably LDAP.

To confirm, we can try some injection.

LDAP indeed. So how do we exploit this? There was a hint when trying to recover the administrator’s account:

So there’s a description field in the database that we haven’t uncovered yet. Fortunately, we can use wildcards to try and uncover the password from that field.

It works like this: the closing parenthesis ends the username assertion, and the rest of the payload appends a second assertion with a wildcard on the description field.

administrator)(description=a*

If the value in the description field starts with ‘a’, the query returns the public data; if not, it returns nothing. That gives us a yes/no oracle, so we can bruteforce the field one character at a time.

Correct: [screenshot]

Incorrect: [screenshot]

You could go through this by hand, checking each character until you eventually get it, or you can script it. I took the latter option.
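
As an added example (not the challenge's source or my brute-force script), here is the filter-building pattern this injection relies on, beside the hardened form that escapes the value per RFC 4515. The attribute names and filter shape are assumptions about the challenge; the payload is the one shown above.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape untrusted input so it can only ever be a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """Vulnerable: user input concatenated straight into the filter.
    The filter shape (cn + objectClass) is an assumption about the search form."""
    return f"(&(cn={name})(objectClass=inetOrgPerson))"


def build_filter_safe(name: str) -> str:
    """Hardened: the same filter, with the assertion value escaped."""
    return f"(&(cn={escape_ldap_filter_value(name)})(objectClass=inetOrgPerson))"


# Matches simple (attribute=value) assertions; enough to count clauses in these filters.
_ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def filter_assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """List the (attribute, value) assertions a filter string contains."""
    return _ASSERTION_RE.findall(ldap_filter)


# Constructed input: the injection string from the write-up.
PAYLOAD = "administrator)(description=a*"

if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        built = build(PAYLOAD)
        # Unsafe: three assertions, one of them the attacker-chosen description=a*.
        # Safe: two assertions; the payload is a literal cn value that matches nothing.
        print(f"{build.__name__}: {built}")
        print("  assertions:", filter_assertions(built))
```

The unsafe build turns the payload into a third assertion on `description`; the safe build keeps it as a single literal `cn` value, so the yes/no oracle disappears.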

Log in with administrator:very_secure_hacktivity_pass