Basic injections
LDAP Injection
LDAP injection occurs when user input is improperly sanitized and is directly concatenated into an LDAP query. By injecting crafted filter components, an attacker can bypass authentication, extract data, or manipulate directory lookups.
LDAP Filter Syntax (Expanded)
LDAP uses a prefix notation (Polish notation) for its filters.
```
Filter     = "(" filtercomp ")"
Filtercomp = and / or / not / item
And        = "&" filterlist
Or         = "|" filterlist
Not        = "!" filter
Filterlist = 1*filter
Item       = simple / present / substring
Simple     = attr filtertype assertionvalue
Filtertype = "=" / "~=" / ">=" / "<="
Present    = attr "=*"
Substring  = attr "=" [initial] "*" [final]
Initial    = assertionvalue
Final      = assertionvalue

(&) = absolute TRUE
(|) = absolute FALSE
```

| Symbol | Meaning | Example |
|---|---|---|
| = | Equality | (uid=john) |
| ~= | Approximate match (similar) | (sn~=Smith) |
| >= | Greater than or equal | (age>=30) |
| <= | Less than or equal | (loginAttempts<=3) |
| =\* | Attribute exists (present) | (mail=\*) |
| \*val\* | Substring match | (cn=\*john\*) |
| (&...) | Logical AND | (&(uid=john)(mail=\*)) |
| (\|...) | Logical OR | (\|(uid=john)(sn~=Smith)) |
| (!...) | Logical NOT | (!(uid=admin)) |
Special cases:

- `(&)` -> always TRUE
- `(|)` -> always FALSE
- `*`: matches any value for an attribute, or checks whether an attribute exists at all. This is commonly used to test for the presence of an attribute without caring about its specific value. Example: `(mail=*)` means "match entries where the mail attribute exists, regardless of its value."
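The filter grammar above is exactly what makes raw concatenation dangerous: any of `(`, `)`, `*`, `\` or NUL in user input changes the structure of the filter instead of being matched as data. The following is an added example (not code from the original page) that shows a filter built by concatenation beside one built with an RFC 4515 escaping helper, plus a small check that counts unescaped filter components, which can flag a filter whose shape no longer matches what the application intended. Function names and the sample input are constructed for this example.

```python
# RFC 4515 escape sequences for the characters that carry meaning in a filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    # Per-character mapping, so a backslash is never escaped twice.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(user: str, password: str) -> str:
    """Vulnerable: raw concatenation lets input add or close filter components."""
    return "(&(uid=" + user + ")(userPassword=" + password + "))"


def safe_login_filter(user: str, password: str) -> str:
    """Hardened: every untrusted value is escaped before it enters the filter."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))


def count_components(filter_str: str) -> int:
    """Count unescaped '(' in a filter. The login filter above should always
    contain exactly 3; a different count means the input altered its structure."""
    count, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip an escape sequence such as \28
            continue
        if filter_str[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    tainted = "o'neil*(test)"
    print(unsafe_login_filter(tainted, "pw"))  # 4 components: structure changed
    print(safe_login_filter(tainted, "pw"))    # 3 components: input stayed data
```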