SKF write-ups
Java - Ldap Injection - harder

Running the app Java

First make sure Java is installed on your host machine. After installation, go to the folder of the lab you want to practice (e.g. /skf-labs/XSS or /skf-labs/RFI/) and run the following command:

$ ./mvnw spring-boot:run
Now that the app is running let's go hacking!

Reconnaissance

LDAP Injection is an attack against web applications that build LDAP statements from user input. When an application fails to properly sanitize or escape that input, an attacker can alter the LDAP statement (for example by editing the request in a local intercepting proxy). This can let unauthorized queries through, leak directory data, or modify content inside the LDAP tree. Many of the advanced exploitation techniques known from SQL Injection apply to LDAP Injection as well.
Let's open the app.
Try logging in with a random username and password.
The application architecture that supports LDAP includes both server-side and client-side components. The queries submitted to the server are known as LDAP search filters, which are written in prefix (Polish) notation: the operator comes first, followed by the assertions it applies to. Below is an example of an LDAP search filter:

find("(&(cn=" + username + ")(userPassword=" + pass + "))")

This filter instructs the server to find an LDAP entry whose cn equals the given username and whose userPassword equals the given password.

Exploitation

Let's check the controller file.

String filter = "(&(cn="+username+")(sn="+secret_answer+"))";
String base = "ou=accounts";

The filter is built by concatenating the username and the secret answer (the second login field, which the controller calls secret_answer) directly into the search filter, without any escaping. If we replace those values with filter metacharacters we can change the meaning of the query. The wildcard * should make both assertions match any entry, so let's try * as both username and secret answer.
No luck. Maybe the application is sanitizing the user input somehow; let's check the code again.

if(secret_answer.length() < 2)

The developer's attempt to prevent LDAP injection is a check on the length of the user input: a secret answer shorter than two characters is rejected. That stops the single-character * payload, but nothing else. Any longer input, including parentheses and filter operators, passes straight into the query, so we can still build a malicious filter.
username = admin)(!(&(1=0
password = q))

With these values the concatenated filter becomes (&(cn=admin)(!(&(1=0)(sn=q)))). The injected text wraps the secret-answer check in a conjunction together with the assertion 1=0, which never matches, and then negates it, so that clause evaluates as true and only cn=admin is effectively checked. (How a server evaluates an assertion on an attribute that does not exist is implementation-specific; on this lab's server the negated clause matches.) The password field only needs to be at least two characters long to get past the length check.
We successfully logged in as admin.
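To make the filter construction above concrete, here is an added example written for this write-up (not code from the SKF lab). It mirrors the controller's string concatenation in Python, applies the lab's length check, shows which leaf assertions end up in the filter for the * payload and for the admin)(!(&(1=0 payload, and contrasts that with the filter you get when both values are escaped per RFC 4515 before concatenation. The escape function and the leaf-assertion parser are written here for illustration and are assumptions, not the lab's code.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Written for this write-up; not the lab's code.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be a literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, secret_answer: str) -> str:
    """Same construction as the lab controller: raw concatenation."""
    return "(&(cn=" + username + ")(sn=" + secret_answer + "))"


def build_filter_safe(username: str, secret_answer: str) -> str:
    """Same filter shape, but both values are escaped first."""
    return ("(&(cn=" + escape_filter_value(username)
            + ")(sn=" + escape_filter_value(secret_answer) + "))")


def length_check_passes(secret_answer: str) -> bool:
    """The lab's only defence: reject secret answers shorter than 2 chars."""
    return len(secret_answer) >= 2


# Matches one leaf assertion "(attr=value)" that contains no raw parentheses.
_LEAF = re.compile(r"\(([^()=]+)=([^()]*)\)")


def leaf_assertions(ldap_filter: str) -> list:
    """Return the (attribute, value) pairs the server will actually evaluate.

    A legitimate login filter has exactly two leaves: cn and sn. Extra leaves
    (or a leaf whose attribute is not one of those two) mean the user input
    has been interpreted as filter syntax.
    """
    return _LEAF.findall(ldap_filter)


def attack(username: str, secret_answer: str) -> dict:
    """Run one payload through the length check and both filter builders."""
    if not length_check_passes(secret_answer):
        return {"rejected": True}
    unsafe = build_filter_unsafe(username, secret_answer)
    safe = build_filter_safe(username, secret_answer)
    return {
        "rejected": False,
        "unsafe_filter": unsafe,
        "unsafe_leaves": leaf_assertions(unsafe),
        "safe_filter": safe,
        "safe_leaves": leaf_assertions(safe),
    }


if __name__ == "__main__":
    # Constructed sample payloads from the write-up.
    for user, secret in (("*", "*"), ("admin)(!(&(1=0", "q))")):
        print(user, secret, attack(user, secret))
```

The wildcard attempt is stopped by the length check, exactly as in the lab. The second payload passes the check and, with raw concatenation, produces three leaf assertions (cn=admin, 1=0 and sn=q) nested under operators the attacker chose. With escaping, the same input yields just the two intended leaves, and the parentheses and operators survive only as the literal bytes \28, \29 and so on, which is why escaping (or a parameterized filter API) rather than a length check is the fix.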

Additional sources

LDAP Injection | OWASP Foundation
LDAP Injection Prevention - OWASP Cheat Sheet Series
What Is LDAP Injection and How Does It Work? | Synopsys
PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings (GitHub)