Pentesterlab--Web for Pentester-LDAP
Web for Pentester: This exercise is a set of the most common web vulnerabilities
What is LDAP injection?
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This can result in the execution of arbitrary commands, such as granting permissions to unauthorized queries, and in content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be applied in a similar way to LDAP Injection.
More information: LDAP injection
In this first example, you connect to an LDAP server using your username and password. In this instance, the LDAP server does not authenticate you, since your credentials are invalid. However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with two null values, you will need to completely remove these parameters from the query. If you keep something like username=&password= in the URL, these values will not work, since they won't be null; instead, they will be empty.
The developer uses the function ldap_bind to bind the parameters. I can bypass the authentication by setting null values for the parameters.
Our goal here will be to inject inside [INPUT1] (the username parameter). We will need to inject:
- The end of the current filter using )
- An always-true condition ((cn=*) for example)
- A ) to keep a valid syntax and close the first (
- A NULL BYTE (%00) to get rid of the end of the filter
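As an added defensive example (not code from the PentesterLab exercise or from this write-up), the following Python shows how the two weak spots described above are closed on the application side: the credential check refuses absent or empty values before any bind is attempted, so a server that accepts NULL or unauthenticated binds cannot be used to log in, and the filter builder escapes the characters the injection relies on, namely ), (, * and the NUL byte that %00 decodes to, as required by RFC 4515. Function names and the sample values are assumptions made for this illustration.

```python
# Added defensive example, not part of the PentesterLab exercise code.
# Function names and sample values below are constructed for illustration.

from typing import Optional

# RFC 4515 section 3: these characters must be escaped inside a filter
# value as a backslash followed by the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is treated as data inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Build the user lookup filter; the username can no longer close or
    extend the filter because every special character is escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def credentials_present(username: Optional[str], password: Optional[str]) -> bool:
    """Reject missing or empty credentials before calling bind.

    A server that allows anonymous or unauthenticated binds reports success
    for a bind with no DN or no password, so the application must refuse to
    bind at all in that case instead of trusting the bind result.
    """
    return bool(username) and bool(password)


def login_filter_or_none(username: Optional[str], password: Optional[str]) -> Optional[str]:
    """Return the filter to use for this login, or None when the request
    must be rejected without contacting the LDAP server."""
    if not credentials_present(username, password):
        return None
    return build_login_filter(username)


if __name__ == "__main__":
    # Constructed inputs: a normal login and the injection shape from above,
    # with %00 already URL-decoded to a NUL byte.
    print(login_filter_or_none("alice", "s3cret"))
    print(login_filter_or_none("*)(cn=*))\x00", "anything"))
    print(login_filter_or_none(None, None))
```

The escaped filter for the injection shape stays a single uid comparison against a literal string, which matches no entry, and the request with both parameters removed never reaches ldap_bind.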
Nmap LDAP search:
nmap -p 389 --script ldap-search 192.168.79.162