# LDAP Injection

#### **Notes on LDAP Injection and LDAP Fundamentals**

**1. Introduction to LDAP Injection**

* **LDAP (Lightweight Directory Access Protocol)** is used for accessing directory servers such as **Active Directory (AD)**.
* Web applications integrate LDAP for **authentication** and **data retrieval**.
* **LDAP Injection** occurs when unsanitized user input is inserted into LDAP queries, leading to **authentication bypass, data leakage, and privilege escalation**.

***

**2. LDAP Foundations**

**Key LDAP Terminology**

* **Directory Server (DS):** A database-like system storing directory data (e.g., OpenLDAP).
* **LDAP Entry:** The basic data unit in LDAP containing:
  * **Distinguished Name (DN):** Unique identifier (e.g., `uid=admin,dc=example,dc=com`).
  * **Attributes:** Data fields (e.g., `uid`, `cn`, `mail`).
  * **Object Classes:** Define entry types (e.g., `Person`, `Group`).

**LDAP Operations**

* **Bind:** Authentication with the directory server.
* **Unbind:** Close the client connection.
* **Add:** Create a new entry.
* **Delete:** Remove an entry.
* **Modify:** Update an entry.
* **Search:** Query directory entries.

***

**3. LDAP Search Filter Syntax**

* **LDAP queries use search filters** enclosed in parentheses `()`.
* Filters consist of an **attribute, an operand, and a value**.

**Base Operand Filters**

| Name             | Operand | Example          | Description                        |
| ---------------- | ------- | ---------------- | ---------------------------------- |
| **Equality**     | `=`     | `(name=Kaylie)`  | Matches `name=Kaylie`              |
| **Greater-Than** | `>=`    | `(uid>=10)`      | Matches `uid` ≥ 10                 |
| **Less-Than**    | `<=`    | `(uid<=10)`      | Matches `uid` ≤ 10                 |
| **Approximate**  | `~=`    | `(name~=Kaylie)` | Matches similar values to `Kaylie` |

**Logical Combination Filters**

| Name    | Operand | Example                           | Description             |
| ------- | ------- | --------------------------------- | ----------------------- |
| **AND** | `&`     | `(&(name=Kaylie)(title=Manager))` | Matches both conditions |
| **OR**  | `\|`    | `(\|(name=Kaylie)(title=Manager))` | Matches either condition |
| **NOT** | `!`     | `(!(name=Kaylie))`                | Excludes `name=Kaylie`  |

**Boolean Filters**

| Name      | Filter |
| --------- | ------ |
| **True**  | `(&)`  |
| **False** | `(\|)` |

**Wildcard Filters**

| Example      | Description                               |
| ------------ | ----------------------------------------- |
| `(name=*)`   | Matches all entries with `name` attribute |
| `(name=K*)`  | Matches names starting with `K`           |
| `(name=*a*)` | Matches names containing `a`              |

***

**4. Common LDAP Attribute Types**

| Attribute Type      | Description         |
| ------------------- | ------------------- |
| `cn`                | Full Name           |
| `givenName`         | First Name          |
| `sn`                | Last Name           |
| `uid`               | User ID             |
| `objectClass`       | Object Type         |
| `distinguishedName` | Unique Identifier   |
| `ou`                | Organizational Unit |
| `title`             | Job Title           |
| `telephoneNumber`   | Phone Number        |
| `mail`              | Email Address       |
| `street`            | Street Address      |
| `postalCode`        | ZIP Code            |
| `member`            | Group Memberships   |
| `userPassword`      | User Password       |

***

#### **Key Takeaways**

* LDAP is a protocol with a **structured query (search filter) syntax** for directory services.
* **LDAP Injection occurs** when attackers manipulate input to change LDAP query behavior.
* **Logical operands (`&`, `|`, `!`)** allow powerful filtering and are exploitable.
* **Input sanitization** and **proper escaping** are crucial for preventing LDAP Injection.
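
The escaping mentioned in the last takeaway, as an added example that is not part of the original notes: it contrasts a concatenated filter with one whose value is escaped per RFC 4515 and whose attribute name is allow-listed. The function names, the allow-list and the sample inputs are assumptions constructed for illustration.

```python
# Added example: RFC 4515 escaping of user input placed in an LDAP search filter.
# Function names, the allow-list and the sample inputs are constructed for illustration.

# Characters that RFC 4515 requires to be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attributes the application is willing to search on (a subset of the table in section 4).
ALLOWED_ATTRIBUTES = {"cn", "givenName", "sn", "uid", "mail"}


def escape_filter_value(value: str) -> str:
    """Escape one value so the server treats it as literal text, not filter syntax."""
    # Mapping character by character avoids double-escaping the backslashes we add.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(attribute: str, value: str) -> str:
    """The vulnerable pattern: user input concatenated straight into the filter."""
    return f"({attribute}={value})"


def safe_filter(attribute: str, value: str) -> str:
    """Allow-list the attribute name and escape the value before building the filter."""
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not permitted in searches: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def has_live_wildcard(filter_text: str) -> bool:
    """True if the filter contains a '*' that the server will treat as a wildcard."""
    return "*" in filter_text  # an escaped asterisk appears as \2a, never as '*'


if __name__ == "__main__":
    for user_input in ["Kaylie", "*", "K*", "Kaylie (Ops)"]:  # constructed inputs
        print(f"{user_input!r:16} unsafe={unsafe_filter('cn', user_input):20} "
              f"safe={safe_filter('cn', user_input)}")
```

In production code, prefer the escaping helper shipped with the LDAP client library over a hand-rolled one; python-ldap, for example, provides `ldap.filter.escape_filter_chars`.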

