LDAP Injection


Overview

LDAP injection attempts to insert fragments of LDAP query syntax into an application that passes the input to an LDAP server. The attack takes advantage of the trust the LDAP server places in the application: the injected query executes on the LDAP server under the application's own account.

LDAP injection allows an attacker to bypass access controls on LDAP data stores. This may result in data disclosure. Depending on how the application interprets the data extracted, LDAP injection may result in authentication or authorization bypass or other logical vulnerabilities.

Discovery Methodology

Ideally, fuzz input fields to cause error messages. For example, injecting "(" produces an error. Even if the system does not display an explicit message, the injection may cause a change detectable with differential analysis:
  • Additional or missing output
  • Failure to function as expected
  • Faster or slower response times aka Time-Delay Inference
LDAP string reserved characters are defined in RFC 4514, String Representation of Distinguished Names, at www.ietf.org/rfc/rfc4514.txt. RFC 4514 states that "the following characters need escaping", so they make excellent values for fuzzing:
  • Space (' ' U+0020)
  • Number sign ('#' U+0023)
  • Double-quote, plus, comma, semi-colon, less-than, greater-than, backslash
  • Null (U+0000)
These characters can be written to a file, one per line, with the following Python one-liner:
python -c 'for i in [0x20,0x23,0x22,0x2b,0x2c,0x3b,0x3c,0x3e,0x5c,0x00]:print(chr(i))' > /tmp/injections.txt

Exploitation

As with SQL injection, there is no single pattern that always works; it depends on the code implemented by the application, and the correct injection may not be obvious. Error messages do not always disclose the query or search logic. Learning common design patterns helps predict which injections might work. The following general patterns apply to many applications.

If there is no logic operator (OR or AND), the following injections may work, assuming the injected portion fits into the assumed application code that makes up the rest of the filter:
  • (attribute=*)
  • (attribute=value)(attribute2=*)
If there is an "OR" logic operator, the following injections may work, assuming the injected portion fits into the assumed application code that makes up the rest of the filter:
  • (|(attribute1=*)(second_filter))
  • (|(attribute=whatever)(attribute2=*)(second_filter))
  • (|(attribute=*)(attribute2=*))(&(1=0)(second_filter))
If there is an "AND" logic operator, the following injections may work, assuming the injected portion fits into the assumed application code that makes up the rest of the filter:
  • (&(attribute1=*)(second_filter))
  • (&(attribute=whatever)(attribute2=*)(second_filter))
  • (&(attribute=*)(attribute2=*))(&(1=0)(second_filter))
The following injections work on the Mutillidae Conference Room Lookup page:
  • *
  • value)(cn=*
  • *)(whatever=*)(&(1=0)(1=1)
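As an added example (not code from the page or from Mutillidae), the "AND" pattern above built by string concatenation, beside the same filter built with RFC 4515 search-filter escaping, plus a check that confirms the input did not add filter components. The filter template, the "admin" sample input and the assertion-counting check are assumptions chosen for illustration; RFC 4515 is the filter counterpart of the DN escaping rules in RFC 4514 cited above.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value so they are matched literally instead of parsed.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be matched as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username: str) -> str:
    """The page's 'AND' pattern built by concatenation (constructed template):
    (&(uid=INPUT)(objectClass=person))"""
    return "(&(uid=" + username + ")(objectClass=person))"


def hardened_filter(username: str) -> str:
    """Same template, but the input is escaped before it enters the value."""
    return "(&(uid=" + escape_filter_value(username) + ")(objectClass=person))"


def count_assertions(ldap_filter: str) -> int:
    """Count '(' that open an attribute assertion rather than a &, | or ! operator.
    A fixed template has a fixed count; a higher count means the input injected
    extra filter components. Assumes values were escaped, so no raw '(' remain."""
    count = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!"):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample input: the page's "value)(cn=*" style injection.
    payload = "*)(cn=*"
    print(vulnerable_filter(payload), count_assertions(vulnerable_filter(payload)))
    print(hardened_filter(payload), count_assertions(hardened_filter(payload)))
```

The concatenated filter gains a third assertion, so every user matches the injected (cn=*) clause, while the escaped filter keeps exactly the two assertions of the template.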