Rootme LDAP Injection - Authentication
Root-me.org
LDAP injection - authentication
SSO v0.01
This challenge asks us to bypass an LDAP authentication.
After trying a few different characters to see whether the website gives us any feedback, we found that passing a closing parenthesis ‘)’ as the username produces an ERROR message.
ERROR : Invalid LDAP syntax : (&(uid=))(userPassword=))
This is valuable information: our parenthesis lands directly after uid=, so the username is concatenated unescaped into the filter.
Now that we know the actual filter sent to the server, we can easily bypass it with the * character.
In an LDAP filter, * is a wildcard that matches any value. We then close the two parentheses and append a null byte so that whatever follows is cut off.
My first tries didn’t work and I couldn’t figure out why. I kept getting the error. I decided to open Burp and intercept the query.
Our username is sent URL-encoded, so the payload has to be URL-encoded as well. This was the problem.
The actual request body is therefore:
username=*))%00&password=%27
The password can be anything: the server never evaluates that part of the filter.
Here’s the curl request:
curl -X POST --data-binary $'username=*))%00&password=%27' http://challenge01.root-me.org/web-serveur/ch25/
The password that validates the challenge is in the value attribute of the password input field on the returned page.