LDAP注入

ldap的注入是ldap搜索过滤器的注入

审计时可以搜索ldap_search 函数判断第三个参数是否可控

检查是否正确转义了特殊符号

 '" \/ \\ 空格  # <> , ; + * () \x00(null)

将以上字符转换成ascii码值 在其前面加上反斜线

只转义以下这6个字符就足以防止常见的ldap注入

* \ ( ) \x00
function ldapspecialchars($string) {
    $sanitized=array('\\' => '\5c',
                     '*' => '\2a',
                     '(' => '\28',
                     ')' => '\29',
                     "\x00" => '\00');
    return str_replace(array_keys($sanitized),array_values($sanitized),$string);
}

ldap过滤函数代码来自 Pino_HD【LDAP】LDAP注入漏洞与防御 [2017.09.27]

如果想要详细了解利用及原理可以参考文章 ldap注入入门学习


ldap_bind($ds, "cn=".$username.",".$ldap, $passwd);//绑定ldap区域(相当于登陆ldap服务器)
$ds=ldap_connect($ldapSrv,$port);//建立ldap连接
if($ds) {
    $r=ldap_bind($ds, "cn=".$username.",".$dn, $passwd);/绑定ldap区域(相当于登陆ldap服务器)
    if($r) {
        $sr=ldap_search($ds, $dn, "(|(cn=".$_GET["user"].")(mail=".$_GET["user"]."))");//在ldap中使用过滤器搜索
        $info = ldap_get_entries($ds, $sr);
        if($info["count"]==0){
        	die('用户不存在');
        }
        if($info[0]["userpassword"][0]==$_GET["pass"]){
        die('登陆成功');
        }else{
        die('密码错误');
        }
        ldap_close($ds);
        } else {
            echo "Unable to connect to LDAP server.";
        }        
    }

ldap过滤器结构表

    Fileter = (filtercomp)
    Filtercomp = and / or / not / item
    And = & filterlist
    Or = | filterlist
    Not = ! filter
    Filterlist = 1*filter
    Item = simple / present / substring
    Simple = “=” / “~=” / ”>=” / “<=”
    Present = attr =*
    Substring = attr “=” [initial]*[final]
    Initial = assertion value
    Final = assertion value

最后更新于