Data Exfiltration & Blind Exploitation

When LDAP results are rendered in the response, wildcarding an attribute can dump broad data. When nothing is rendered, use blind techniques that rely on response differences, much like blind SQLi.

Visible Results (Straightforward Exfiltration)

Given a filter like:

(&(uid=admin)(objectClass=account))

Inject wildcard to match all users:

(&(uid=*)(objectClass=account))

Or widen an OR branch:

(|(objectClass=organization)(objectClass=*)))

Blind Exploitation (Response-Based)

Assume login filter:

(&(uid=htb-stdnt)(password=p@ssw0rd))

  • Identify positive vs negative responses (e.g., "Login successful ... down for security reasons" vs "Login failed!").

  • Confirm injection: password=* → positive response.

Test the first character using a wildcard suffix:

Loop over candidate characters until the response is positive; fix that character and proceed to the next position:

Repeat until the response stops flipping (full value found).

Attribute exfiltration via injected OR

Leak an attribute of a user by short-circuiting around the password check. Example payloads:

  • Username: htb-stdnt)(|(description=*

  • Password: invalid)

Effective filter (username and password substituted into the login filter above):

(&(uid=htb-stdnt)(|(description=*)(password=invalid)))

Now brute-force description one character at a time with prefix-plus-wildcard tests (the same approach as for the password).
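As an added, defender-side example that is not part of the original notes: an RFC 4515 escaper for assertion values, the vulnerable string-concatenated login filter beside its hardened form, and a check that flags a generated filter whose structure no longer matches the intended template (assumed here to be exactly one uid and one password assertion). It is exercised with the payloads from this page.

```python
import re

# RFC 4515: these characters change the meaning of a filter, so inside an
# assertion value they must be written as \xx hex escapes. Escaped input can
# neither close a clause, open an OR branch, nor introduce a wildcard.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def vulnerable_login_filter(uid: str, password: str) -> str:
    # Direct concatenation, the pattern the notes above exploit.
    return f"(&(uid={uid})(password={password}))"


def hardened_login_filter(uid: str, password: str) -> str:
    return f"(&(uid={escape_ldap_value(uid)})(password={escape_ldap_value(password)}))"


# Equality assertions only, which is all the login filter template uses.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")

# Assumed template for this app's login filter: exactly these attributes.
EXPECTED_LOGIN_ATTRS = {"uid", "password"}


def looks_injected(filter_str: str, expected_attrs=EXPECTED_LOGIN_ATTRS) -> bool:
    """Guard or log-side detector: True when a generated login filter has been
    restructured by its inputs (unbalanced parens, extra or missing attribute
    assertions, or an unescaped wildcard where the template has none)."""
    depth = 0
    for c in filter_str:
        depth += (c == "(") - (c == ")")
        if depth < 0:            # a ')' closed more than was opened
            return True
    if depth != 0:
        return True
    found = [(a.lower(), v) for a, v in _ASSERTION.findall(filter_str)]
    attrs = [a for a, _ in found]
    # Injected OR branches add assertions (e.g. description=*) the template never had.
    if set(attrs) != expected_attrs or len(attrs) != len(expected_attrs):
        return True
    # password=* or a prefix* probe: a raw wildcard inside a credential value.
    return any("*" in v for _, v in found)
```

Escaping at the point of filter construction is the fix; looks_injected is the secondary check to run over filters the application logs, so that probing of the kind described above shows up as a stream of flagged filters.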

Automation Script (example)

  • Adjust POSITIVE_STRING to match the app's positive response phrase exactly.

  • Narrow string.printable to speed up.

  • URL-encode the payload if the app rejects raw parentheses.

Redact flags/secrets in notes; store sensitive outputs separately.