LDAP Injection Cheatsheet
Basic LDAP Search Query
LDAP (Lightweight Directory Access Protocol) is commonly used to retrieve specific information from directory services (e.g., Active Directory). The following is an example of an LDAP query for basic searches:
(&(attribute1=value1)(attribute2=value2))
The components of the query are:
The & symbol is the logical "AND" operator that combines multiple conditions.
attribute1 and attribute2 are the names of the attributes you want to search within the directory (e.g., "cn" for common name, "mail" for email).
value1 and value2 are the values you're looking for within those attributes.
You can customize attributes and values to match specific requirements. For example, to search for a user with the common name "John Doe" and the email address "john.doe@example.com," the query would be:
(&(cn=John Doe)(mail=john.doe@example.com))
A login check can therefore be expressed as the following filter, with the submitted credentials inserted in place of USERNAME and PASSWORD:
(&(cn=USERNAME)(userPassword=PASSWORD))
Basic LDAP Injection Query
(&) in an LDAP filter is not only the "AND" operator: with no operands it is also a syntactic element that represents an empty filter, one that matches every entry. If the value USERNAME>(&) is submitted in the identifier field and concatenated into the filter without escaping, the query becomes:
(&(cn=USERNAME>(&))(userPassword=PASSWORD))
Because the injected (&) always evaluates to true, the cn assertion no longer constrains the search: every entry is returned, and the application treats the non-empty result as a successful login.