LDAB - WEB 50 - CSAW 18

This one was a simple company employee list with a search bar to filter it; the search is vulnerable to LDAP injection.

LDAP injection is a code injection technique against web applications that build LDAP (Lightweight Directory Access Protocol) queries from user input. Because the input becomes part of the search filter, an attacker can alter the filter to reveal sensitive user information or to modify data held in the directory.

The first thing that comes to mind is a Google search for LDAP injection payload lists, which turned up a pretty good one. I used the first payload in the list and, bingo, it returned the flag.

Payload: `*)(uid=*))(|(uid=*`

Assuming the backend concatenates the search term into a filter such as `(&(cn=<input>)(objectClass=person))`, the payload closes the `cn` assertion with a wildcard, appends `(uid=*)`, and terminates the outer AND, giving `(&(cn=*)(uid=*))(|(uid=*)(objectClass=person))`. The first complete filter matches every entry, so the whole employee list, flag included, comes back. How the leftover fragment is handled depends on the server and client library; in this challenge the query evidently still ran.

Github : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20injection
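To make the mechanism concrete, here is an added Python example (not part of the original writeup, and not the challenge's server code, which is unknown). It builds the filter the way a vulnerable backend is assumed to, builds it again with RFC 4515 value escaping, and splits each result into its complete top-level filters: a well-formed query has exactly one, while the PayloadsAllTheThings payload `*)(uid=*))(|(uid=*` produces two when unescaped. The `(&(cn=...)(objectClass=person))` template and the attribute names are assumptions for illustration.

```python
# Added example: vulnerable vs. escaped LDAP filter construction.
# The filter template and attribute names are assumptions; the challenge's
# real server code is not known.

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so the directory treats them as literals rather than filter syntax.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed input: the PayloadsAllTheThings payload used in the writeup.
PAYLOAD = "*)(uid=*))(|(uid=*"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value per RFC 4515."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(search_term: str) -> str:
    """Plain concatenation: whatever the user types becomes filter syntax."""
    return f"(&(cn={search_term})(objectClass=person))"


def build_filter_safe(search_term: str) -> str:
    """Same template, but the user value is escaped first."""
    return f"(&(cn={escape_filter_value(search_term)})(objectClass=person))"


def split_top_level_filters(filter_str: str) -> list[str]:
    """Return the complete parenthesised expressions found at nesting depth 0.

    A well-formed filter yields exactly one element; an injected payload that
    closes the outer AND early yields more. Returns [] if the parentheses are
    unbalanced.
    """
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return []
            if depth == 0:
                parts.append(filter_str[start:i + 1])
    return parts if depth == 0 else []


if __name__ == "__main__":
    for label, build in (("vulnerable", build_filter_vulnerable),
                         ("escaped", build_filter_safe)):
        filter_str = build(PAYLOAD)
        print(f"{label}: {filter_str}")
        print(f"  top-level filters: {split_top_level_filters(filter_str)}")
```

In real code, use the LDAP library's own escaper (for example `ldap3.utils.conv.escape_filter_chars` in Python's ldap3) rather than a hand-rolled table, and escape DN components separately, since RFC 4514 has different rules from RFC 4515.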


FLAG : flag{ld4p_inj3ction_i5_a_th1ng}

