LDAP Injection

Basic info

LDAP (Lightweight Directory Access Protocol) Injection is a security vulnerability that occurs when user input is improperly sanitized before being used in LDAP queries. Attackers can exploit this vulnerability to bypass authentication, extract sensitive data, or escalate privileges.

LDAP is used to manage and query directory services, such as Active Directory. A typical LDAP query looks like this:

(&(uid=USERNAME)(password=PASSWORD))

If the application fails to properly sanitize user input, an attacker can manipulate the query to gain unauthorized access or extract sensitive information.

LDAP

If you want to know what LDAP is, see the following page:


Understanding LDAP Filters

LDAP (Lightweight Directory Access Protocol) uses filters to search for objects within a directory. These filters follow a specific syntax and can be manipulated to bypass authentication or extract information.

LDAP Filter Syntax

A basic LDAP filter follows this structure:

Logical Operators:

  • (&): an AND with no sub-filters, which always evaluates to TRUE

  • (|): an OR with no sub-filters, which always evaluates to FALSE

Examples:

LDAP Behavior Across Different Implementations

Different directory servers handle LDAP filters differently:

  • OpenLDAP: If multiple filters arrive, only the first one is executed.

  • ADAM / Microsoft LDS: Throws an error when multiple filters are sent.

  • SunOne Directory Server 5.0: Executes both filters.

It is crucial to use proper syntax when sending LDAP queries to avoid errors. A filter should always start with & or |.

Example:

LDAP Injection for Authentication Bypass

LDAP supports various password storage formats, including plaintext, MD5, SHA, and crypt. If passwords are hashed, direct injection of credentials may not work, but filters can still be manipulated.

Injection Examples

1. Wildcard Authentication Bypass

Using * as a wildcard matches any value, so the filter succeeds for any user/password combination.

2. Injecting Boolean Logic to Always Return True

This forces a query that evaluates to TRUE, bypassing authentication.

3. Forced Admin Login

Since (|) is always FALSE, the password check is bypassed.

4. Null Injection to Terminate Queries

Adding %00 (null byte) prematurely terminates the query, potentially bypassing authentication checks.

Blind LDAP Injection

Boolean-Based Blind Injection

By forcing TRUE/FALSE responses, attackers can infer the existence of valid users:

If the object exists, information is retrieved. Otherwise, no data is returned.

Extracting Data Character by Character

By iterating through ASCII characters, attackers can brute-force credentials or other sensitive attributes.

Automating LDAP Exploitation

Discovering Valid LDAP Attributes

A script can brute-force attribute names to extract available fields:

Blind Injection Without Wildcards

If * is blacklisted, a character-by-character brute-force method can be used:

Finding Vulnerable Applications with Google Dorks

Attackers can use search queries to find exposed LDAP management interfaces:

LDAP Injection is a critical vulnerability that allows attackers to manipulate directory queries, bypass authentication, and extract sensitive data. Proper input validation, escaping special characters, and enforcing least privilege access controls are essential to mitigating these attacks.
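The escaping mitigation named above, as an added example that is not code from the original page: an RFC 4515 value escaper applied to the page's `(&(uid=USERNAME)(password=PASSWORD))` filter, shown beside the unescaped version so the wildcard, `)(|(` and null-byte inputs from the sections above stay literal. `count_unescaped` is a small structural helper assumed here for checking the filter shape, not a full LDAP filter parser.

```python
# Added example: RFC 4515 escaping for values placed in an LDAP search filter.
# Characters that must be escaped inside an assertion value (RFC 4515 section 3).
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the server matches it literally."""
    out = []
    for ch in value:
        if ch in LDAP_FILTER_ESCAPES:
            out.append(LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape every UTF-8 byte as \xx (permitted by RFC 4515).
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_login_filter(username: str, password: str) -> str:
    """Vulnerable form: input concatenated straight into the page's filter."""
    return f"(&(uid={username})(password={password}))"


def safe_login_filter(username: str, password: str) -> str:
    """Hardened form: every user-controlled value is escaped first."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")


def count_unescaped(ldap_filter: str, char: str) -> int:
    """Count occurrences of `char` that are not part of a \\xx escape.

    Assumed helper for this example: the login filter above always has exactly
    three unescaped '(' and no unescaped '*'; any other count means the input
    changed the filter's structure.
    """
    n, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ldap_filter[i] == char:
            n += 1
        i += 1
    return n
```

Run `safe_login_filter` and `unsafe_login_filter` on inputs such as `"*"`, `"admin)(|("` and `"admin\x00"` to see the escaped output keep three unescaped `(` while the unescaped output changes shape.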
