LDAP queries use Polish notation (also known as
prefix notation), where the operators appear to the left of the operands. Furthermore,
LDAP accepts the wildcard symbol (*). A more elaborate LDAP query could be something
like this:
filter = (&(objectClass=person)(cn=Rich*)(|(telephoneNumber=403*)(telephoneNumber=415*)))
This query finds people whose common name starts with Rich and phone number in
either the 403 or 415 area code.
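To make the prefix structure concrete, here is an added example (not code from the book) that parses the filter above into its operator tree and evaluates it against a few constructed directory entries. The entries, their uids and phone numbers are invented for the example; the matcher is a simplification (case-insensitive, '*' as the only wildcard, no handling of RFC 4515 escape sequences), enough to show how the & and | operators sit to the left of their operands and how a bare (uid=*) filter matches every entry.

```python
import re


def parse_filter(text):
    """Parse an LDAP search filter (the RFC 4515 subset used in the text) into a
    nested tuple tree: ('&'|'|', [children]), ('!', [child]) or ('=', attr, pattern)."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter: %r" % text[pos:])
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|!":                      # prefix operator: its operands follow it
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("operator %s has the wrong number of operands" % op)
        if i >= len(s) or s[i] != ")":
            raise ValueError("missing ')' closing operator %s" % op)
        return (op, children), i + 1
    end = s.find(")", i)                   # simple assertion: (attr=pattern)
    if end == -1:
        raise ValueError("missing ')' after attribute assertion")
    attr, sep, pattern = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("malformed assertion %r" % s[i:end])
    return ("=", attr.lower(), pattern), end + 1   # attribute names are case-insensitive


def _wildcard_match(pattern, value):
    # '*' matches any run of characters; everything else is literal (escapes not handled here).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attr -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_wildcard_match(pattern, v) for v in entry.get(attr, []))


# Constructed sample directory; names, uids and numbers are made up for this example.
DIRECTORY = [
    {"uid": ["rroe"], "objectclass": ["person"], "cn": ["Richard Roe"], "telephonenumber": ["415-555-0100"]},
    {"uid": ["rlee"], "objectclass": ["person"], "cn": ["Rich Lee"], "telephonenumber": ["403-555-0123"]},
    {"uid": ["rsmith"], "objectclass": ["person"], "cn": ["Rich Smith"], "telephonenumber": ["212-555-0150"]},
    {"uid": ["backup"], "objectclass": ["applicationProcess"], "cn": ["Rich Backup Job"], "telephonenumber": ["403-555-0199"]},
]


def search(filter_text, directory=DIRECTORY):
    """Return the uids of all entries the filter selects."""
    tree = parse_filter(filter_text)
    return [entry["uid"][0] for entry in directory if matches(tree, entry)]


BOOK_FILTER = "(&(objectClass=person)(cn=Rich*)(|(telephoneNumber=403*)(telephoneNumber=415*)))"

if __name__ == "__main__":
    print(parse_filter(BOOK_FILTER))
    print(search(BOOK_FILTER))   # ['rroe', 'rlee']
    print(search("(uid=*)"))     # every entry: the wildcard alone selects the whole directory
```

rsmith is excluded by the area-code disjunction and the backup job by the objectClass conjunct, which is exactly what the prose says the filter does; the last line shows why a filter that collapses to (uid=*) is worth watching for in directory access logs.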
To inject arbitrary LDAP queries into a vulnerable web application, you must
construct a different, yet valid, LDAP query. If this HTTP request,
http://intranet/ldap_query?user=rgc
created this filter,
(uid=rgc)
then you must create a valid LDAP filter that begins with (uid= and ends with ). For
example, to perform a reverse phone number lookup (that is, find the name of a person
associated with a phone number), you could make this request:
http://intranet/ldap_query?user=*)(|(telephoneNumber=415-555-1212)
This creates the query
(uid=*)(|(telephoneNumber=415-555-1212))
Another interesting query is to find all the possible objectClasses. This can be
performed like so:
http://intranet/ldap_query?user=*)(|(objectClass=*)
This creates the query
(uid=*)(|(objectClass=*))
Preventing LDAP Injection
Protecting against LDAP injection is as simple as whitelisting characters: that is, allow
alphanumeric characters (a-z, A-Z, and 0-9) and deny all other characters.
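An added example (not the book's code) showing the filter builder from the text in its vulnerable form beside the whitelist check the paragraph recommends. It goes one step beyond the page: where an application must accept identifiers that contain characters outside the alphanumeric set, the RFC 4515 escaping in escape_filter_value keeps them as literal characters in the value instead of filter syntax. The function names are this example's own.

```python
import re

# Whitelist from the text: only a-z, A-Z and 0-9 are acceptable in the user id.
_ALLOWED_USER_ID = re.compile(r"[A-Za-z0-9]+")


def build_filter_unsafe(user):
    """The pattern the text describes: the request parameter spliced straight into the filter."""
    return "(uid=%s)" % user


def is_whitelisted(user):
    """True only when every character of the id is alphanumeric (no empty ids either)."""
    return _ALLOWED_USER_ID.fullmatch(user) is not None


def build_filter_whitelisted(user):
    """Reject anything outside the whitelist before it can reach the directory."""
    if not is_whitelisted(user):
        raise ValueError("rejected user id: only a-z, A-Z and 0-9 are allowed")
    return "(uid=%s)" % user


# RFC 4515 value escaping (beyond what the page covers): the characters that carry
# meaning inside a filter are replaced by a backslash and their two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_escaped(user):
    """Alternative to the whitelist when ids legitimately contain other characters."""
    return "(uid=%s)" % escape_filter_value(user)


if __name__ == "__main__":
    crafted = "*)(|(objectClass=*)"        # the request parameter from the text
    print(build_filter_unsafe(crafted))    # (uid=*)(|(objectClass=*))  -> filter syntax changed
    print(build_filter_escaped(crafted))   # (uid=\2a\29\28|\28objectClass=\2a\29)  -> still one literal value
    print(build_filter_whitelisted("rgc")) # (uid=rgc)
```

The whitelist is the stronger control for a field like uid, because it also rejects inputs that are harmless to the filter grammar but that the application never expects; escaping is the fallback for values where the character set cannot be narrowed.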