LDAP Injection
LDAP Injection
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
LDAP Injection
LDAP
If you want to know what is LDAP access the following page:
LDAP Injection is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application fails to properly sanitize input, allowing attackers to manipulate LDAP statements through a local proxy, potentially leading to unauthorized access or data manipulation.
Filter = ( filtercomp ) Filtercomp = and / or / not / item And = & filterlist Or = |filterlist Not = ! filter Filterlist = 1*filter Item= simple / present / substring Simple = attr filtertype assertionvalue Filtertype = '=' / '~=' / '>=' / '<=' Present = attr = * Substring = attr ”=” [initial] * [final] Initial = assertionvalue Final = assertionvalue (&) = Absolute TRUE (|) = Absolute FALSE
For example:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
You can access to the database, and this can content information of a lot of different types.
OpenLDAP: If 2 filters arrive, only executes the first one. ADAM or Microsoft LDS: With 2 filters they throw an error. SunOne Directory Server 5.0: Execute both filters.
It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.
The filter has to start with: &
or |
Example: (&(directory=val1)(folder=public))
(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void
Then: (&(objectClass=
*)(ObjectClass=*))
will be the first filter (the one executed).
Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
Lists
Blind LDAP Injection
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
Dump data
You can iterate over the ascii letters, digits and symbols:
Scripts
Discover valid LDAP fields
LDAP objects contains by default several attributes that could be used to save information. You can try to brute-force all of them to extract that info. You can find a list of default LDAP attributes here.
Special Blind LDAP Injection (without "*")
Google Dorks
More Payloads
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Last updated