Proof-of-Concept tool for CVE-2021-29156, an LDAP injection vulnerability in ForgeRock OpenAM v13.0.0.

Overview

CVE-2021-29156 Proof-of-Concept

(c) 2021 GuidePoint Security Charlton Trezevant [email protected]

Background

Today GuidePoint is pleased to release a functional Proof-of-Concept tool for CVE-2021-29156, an LDAP injection vulnerability in ForgeRock OpenAM v13.0.0. This vulnerability allows an attacker to extract a variety of information (such as a user’s password hash) from vulnerable OpenAM servers using a character-by-character brute force attack.

Usage

To use this tool, simply adjust the baseURL, proxy, and user variables and run the script.

By default, this tool is configured to extract the password hash of the amAdmin user. As valid characters are discovered, the password hash string will be displayed in the console. Further adjustments may be made to the LDAP injection payloads if exfiltration of other data from the OpenAM instance is desired.

Additional Resources

For a more in-depth look at this vulnerability, PortSwigger has an excellent writeup of the exploit itself and its theory of operation.

You might also like...
Detect and fix log4j log4shell vulnerability (CVE-2021-44228)

log4fix This tool is to detect and fix the log4j log4shell vulnerability (CVE-2021-44228) by looking and removing the JndiLookup class from .jar/.war/

Discover and remediate Log4Shell vulnerability [CVE-2021-45105]

sakuraji_log4j This tool is used to discover and remedidate the Log4Shell vulnerability [CVE-2021-45105] by removing the 'JndiLookup.class' file from

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

ZipExec ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded i

Proof of concept microservices webportal and GRPC clients w/ multiDB support

Proof of concept microservices Webportal using Hero templates and websockets GRP

Go poc - Golang proof of concept

quickstart tar -zxvf go1.17.6.linux-amd64.tar.gz -C ~/tools/ echo "export PATH=

Ssh-lxd - A proof of concept for an ssh server that spawns a bash session inside a LXD container

SSH LXD A proof of concept for an ssh server that spawns a bash session inside a

CVE-2021-21978 exp
CVE-2021-21978 exp

CVE-2021-21978 CVE-2021-21978 RCE exp 影响版本 VMware View Planner Harness 4.X 与 CVE-2021-21978 类似,该漏洞可以在未授权访问的情况下,上传任意文件,并通过修改自带 py 脚本实现远程代码执行。

CVE-2021-26855 exp
CVE-2021-26855 exp

CVE-2021-26855 CVE-2021-26855 ssrf 简单利用 golang 练习 影响版本 Exchange Server 2013 小于 CU23 Exchange Server 2016 小于 CU18 Exchange Server 2019 小于 CU7 利用条件 该漏洞不

CVE-2021-26855 exp

CVE-2021-26855 CVE-2021-26855 ssrf 简单利用 golang 练习 影响版本 Exchange Server 2013 小于 CU23 Exchange Server 2016 小于 CU18 Exchange Server 2019 小于 CU7 利用条件 该漏洞不

Comments
  • the script not work

    the script not work

    Hello, thank you for your effort to make this script, I got an error concerned the proxy, I run the script but I got a messy stdout in my bash console see the screenshot below.

    and here is the error log I got, x509: certificate signed by unknown authority^C Screen Shot 2022-06-07 at 8 21 23 PM

    please how I can solve the issue ? thank you.

    opened by medxpy 4
Owner
GuidePoint Security, LLC
GuidePoint Security, LLC
vRealize RCE + Privesc (CVE-2021-21975, CVE-2021-21983, CVE-0DAY-?????)

REALITY_SMASHER vRealize RCE + Privesc (CVE-2021-21975, CVE-2021-21983, CVE-0DAY-?????) "As easy to stop as it is to comprehend." What is it? "Reality

rabid 36 Nov 9, 2022
A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

PewSWITCH A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157. Related blog: https://0xinfection.github.io/p

Pinaki 24 Nov 2, 2022
Poc-cve-2021-4034 - PoC for CVE-2021-4034 dubbed pwnkit

poc-cve-2021-4034 PoC for CVE-2021-4034 dubbed pwnkit Compile exploit.go go buil

Daniele Linguaglossa 96 Nov 9, 2022
CVE-2021-4034 - A Golang implementation of clubby789's implementation of CVE-2021-4034

CVE-2021-4034 January 25, 2022 | An00bRektn This is a golang implementation of C

Ryan S. 10 Feb 3, 2022
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).

proxylogscan This tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and imperson

dw1 142 Nov 10, 2022
Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228

log4shell.tools log4shell.tools is a tool allows you to run a test to check whether one of your applications is affected by a vulnerability in log4j:

Alexander Bakker 66 Nov 2, 2022
Confluence OGNL Injection [CVE-2021-26084].

CVE-2021-26084 this is a script written in golang to exploit Confluence OGNL Injection [CVE-2021-26084]. git clone https://github.com/march0s1as/CVE-

gv1_ 7 Apr 23, 2022
CVE-2021-26084 - Confluence Server Webwork OGNL injection (Pre-Auth RCE)

CVE-2021-26084 Proof of concept for CVE-2021-26084. Confluence Server Webwork OGNL injection (Pre-Auth RCE) Disclaimer This is for educational purpose

Tay 8 Nov 9, 2022
Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS

log4j-scanner Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS. Example Usage Usage .\log4j-scanner.exe Terminal is used to output resul

null 0 Dec 13, 2021
Scanner to send specially crafted requests and catch callbacks of systems that are impacted by Log4J Log4Shell vulnerability (CVE-2021-44228)

scan4log4shell Scanner to send specially crafted requests and catch callbacks of systems that are impacted by Log4J Log4Shell vulnerability CVE-2021-4

Frank Hübner 12 Sep 17, 2022