Tuesday, August 16, 2011

LDAP Injection - CN /SN /UID /MAIL - Attack Payloads

LDAP injections are reported far less often than XSS attacks, yet every injection is critical from a security point of view. Recently I came across one of the largest educational universities, which had implemented LDAP for its directory services, and beyond reasonable doubt it was vulnerable to LDAP injection. It was fun to play around with it. For security reasons I am not going to show the snapshots of the successful injection (figure it out yourself), but only present the payloads and brief notes on the queries.

The most common case is searching for a user name in the directory. The website has a search form with several name fields, and some HTTP debugging shows that the form submits these variables:

sn cn uid mail full 0 submit Search

Given this set of variables, the most generic implementation of the LDAP filter looks as presented below.

One might encounter the following responses (the last one being the successful case):

1. There was an error connecting to the server. Please try again.

2. You have not entered anything to search on. There were 0 matches to your query. Please return to the search page to reformulate your query.

3. 500 Internal Server Error

4. Successful query

Attack payloads:

/cgi-bin/ldap/ldap_query.cgi?cn=*) (|(objectClass=person)
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(cn = * ))
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(uid = * ))

Metacharacters: ))|\\\\ |!@#$ &&
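To make the mechanism concrete from the defender's side, here is an added Python example (not the university's CGI code, whose real filter the post does not reproduce): it builds the cn filter by concatenation, shows how the payloads above multiply its assertions, escapes the metacharacters per RFC 4515 so they can no longer do so, and flags requests whose name fields carry them. The filter shape `(&(objectClass=person)(cn=...))` is an assumption; only the field names come from the form.

```python
"""Added example, not the site's CGI code: a cn filter built by concatenation,
the same filter built with RFC 4515 escaping, and a small detector for the
search form's name fields. The filter shape itself is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

NAME_FIELDS = ("cn", "sn", "uid", "mail")  # fields the search form submits

def build_filter_unsafe(cn: str) -> str:
    # Assumed vulnerable construction: the raw parameter is pasted into the filter.
    return "(&(objectClass=person)(cn=" + cn + "))"

# RFC 4515 section 3: the only characters that need escaping inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter_safe(cn: str) -> str:
    # Same filter, but the value can no longer close the cn assertion.
    return "(&(objectClass=person)(cn=" + escape_filter_value(cn) + "))"

_ASSERTION = re.compile(r"\(\s*[A-Za-z][\w.;-]*\s*[~<>]?=")

def count_assertions(filt: str) -> int:
    """Number of attr=value assertions. The intended filter has exactly two;
    a payload that closes the cn assertion adds at least one more."""
    return len(_ASSERTION.findall(filt))

# Filter metacharacters that should never appear in a plain name search.
# '*' is left out: many directory search forms accept it as a wildcard.
_META = re.compile(r"[()|&!\\\x00]")

def flag_request(url: str) -> list:
    """Return the name fields whose value carries filter metacharacters
    (a triage aid for access logs, not a substitute for escaping)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [f for f in NAME_FIELDS if any(_META.search(v) for v in qs.get(f, []))]

if __name__ == "__main__":
    for p in ["*)(|(cn = * ))", "*)(|(uid = * ))", "*) (|(objectClass=person)"]:
        unsafe, safe = build_filter_unsafe(p), build_filter_safe(p)
        print(f"{count_assertions(unsafe)} assertions unsafe, "
              f"{count_assertions(safe)} safe: {safe}")
```

Each of the three payloads raises the unsafe filter from two assertions to three, while the escaped filter stays at two.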

There are other sets of payloads that can be used. The output of one of the injections looks as presented below.

Enjoy!