LDAP Injection

Hacking 2008. 10. 3. 07:18

Generally, LDAP injection attacks allow users within a corporation to gain private information. This attack is usually not possible via the Internet.

Lightweight Directory Access Protocol (LDAP) is a protocol for managing and storing network resources and network users. This includes authorizing users to access computers and other resources. Some web applications use “unsanitized” user input to perform LDAP queries.

Consider a web application that takes a username as input and performs an LDAP query to display the user’s common name (cn) and phone number. For example, this request

http://intranet/ldap_query?user=rgc

returns this:

cn: Richard Cannings
telephoneNumber: 403-555-1212

The LDAP statement to perform this query is simply this:

filter = (uid=rgc)
attributes = cn, telephoneNumber

However, you can construct more elaborate filters by using Boolean operations such as OR (|) and AND (&) with various attributes such as cn, dn, sn, objectClass, telephoneNumber, manager, and so on. LDAP queries use Polish notation (also known as prefix notation), where the operators appear to the left of the operands. Furthermore, LDAP accepts the wildcard symbol (*). A more elaborate LDAP query could be something like this:

filter = (&(objectClass=person)(cn=Rich*)(|(telephoneNumber=403*)(telephoneNumber=415*)))

This query finds people whose common name starts with Rich and whose phone number is in either the 403 or 415 area code.

To inject arbitrary LDAP queries into a vulnerable web application, you must construct a different, yet valid, LDAP query. If this HTTP request,

http://intranet/ldap_query?user=rgc

created this filter,

(uid=rgc)

then you must create a valid LDAP filter that begins with (uid= and ends with ). For example, to perform a reverse phone number lookup (that is, find the name of the person associated with a phone number), you could make this request:

http://intranet/ldap_query?user=*)(|(telephoneNumber=415-555-1212)

This creates the query

(uid=*)(|(telephoneNumber=415-555-1212))

Another interesting query is to find all the possible objectClasses. This can be performed like so:

http://intranet/ldap_query?user=*)(|(objectClass=*)

This creates the query

(uid=*)(|(objectClass=*))

Countermeasure: Preventing LDAP Injection

Protecting against LDAP injection is as simple as whitelisting characters—that is, allowing only alphanumeric characters (a–z, A–Z, and 0–9) in the user-supplied value and rejecting any other character.
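As an added example (not code from the original post), here is the unsanitized filter construction described above next to the whitelist countermeasure, plus an RFC 4515 escaping routine that goes beyond the page for fields that legitimately contain punctuation; the function names are assumptions.

```python
import re
from typing import Optional

# Allowed characters per the page's countermeasure: alphanumerics only.
_ALLOWED_UID = re.compile(r"^[A-Za-z0-9]+$")

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def build_filter_vulnerable(user: str) -> str:
    """The unsanitized construction the page describes: raw user input is
    spliced into the filter, so input such as '*)(|(objectClass=*)' changes
    the structure of the query instead of being matched as a uid."""
    return f"(uid={user})"


def is_allowed_uid(user: str) -> bool:
    """Whitelist check from the countermeasure: only a-z, A-Z and 0-9."""
    return bool(_ALLOWED_UID.match(user))


def build_filter_whitelisted(user: str) -> Optional[str]:
    """Reject anything outside the whitelist, otherwise build the filter.
    Returns None on rejection so the caller can log and refuse the request."""
    if not is_allowed_uid(user):
        return None
    return f"(uid={user})"


def escape_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so the server treats it as literal data.
    Assumed alternative to the whitelist (not from the page) for attributes
    that legitimately contain punctuation, such as a phone number."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_escaped(user: str) -> str:
    """Same query as the vulnerable version, but with the value escaped."""
    return f"(uid={escape_filter_value(user)})"
```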

Posted by CEOinIRVINE