[pitboss] phase 06: Track J.4 + Track L.4 — LDAP_INJECTION corpus + LdapTemplate / python-ldap / php-ldap adapters

tests/dynamic_fixtures/ldap_injection/java/Benign.java

@@ -0,0 +1,16 @@
+// Phase 06 (Track J.4) — Java LDAP_INJECTION benign control fixture.
+//
+// Same shape as `Vuln.java` but routes the attacker-controlled `uid`
+// through `org.springframework.ldap.support.LdapEncoder.filterEncode`
+// before splicing it into the filter, so any wildcard / paren breakout
+// is escaped and the directory keeps returning at most one entry.
+import java.util.List;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.ldap.support.LdapEncoder;
+
+public class Benign {
+    public static List<Object> run(String uid, LdapTemplate template) {
+        String filter = "(uid=" + LdapEncoder.filterEncode(uid) + ")";
+        return template.search("ou=people,dc=nyx,dc=test", filter, null);
+    }
+}

tests/dynamic_fixtures/ldap_injection/java/Vuln.java

@@ -0,0 +1,16 @@
+// Phase 06 (Track J.4) — Java LDAP_INJECTION vuln fixture.
+//
+// The function string-concatenates the attacker-controlled `uid`
+// directly into the LDAP filter passed to `LdapTemplate.search`.  A
+// payload like `alice*)(uid=*` rewraps the filter as
+// `(|(uid=alice*)(uid=*))` once the host wrapper pushes it through a
+// containing `(|…)`/`(&…)` clause, matching every directory entry.
+import java.util.List;
+import org.springframework.ldap.core.LdapTemplate;
+
+public class Vuln {
+    public static List<Object> run(String uid, LdapTemplate template) {
+        String filter = "(uid=" + uid + ")";
+        return template.search("ou=people,dc=nyx,dc=test", filter, null);
+    }
+}

tests/dynamic_fixtures/ldap_injection/php/benign.php

@@ -0,0 +1,13 @@
+<?php
+// Phase 06 (Track J.4) — PHP LDAP_INJECTION benign control fixture.
+//
+// Same shape as `vuln.php` but routes the attacker-controlled `$uid`
+// through `ldap_escape($uid, "", LDAP_ESCAPE_FILTER)`, escaping the
+// wildcard / paren breakout so the directory keeps returning at most
+// one entry.
+function run(string $uid) {
+    $c = ldap_connect("127.0.0.1");
+    ldap_bind($c);
+    $filter = "(uid=" . ldap_escape($uid, "", LDAP_ESCAPE_FILTER) . ")";
+    return ldap_search($c, "ou=people,dc=nyx,dc=test", $filter);
+}

tests/dynamic_fixtures/ldap_injection/php/vuln.php

@@ -0,0 +1,13 @@
+<?php
+// Phase 06 (Track J.4) — PHP LDAP_INJECTION vuln fixture.
+//
+// The function string-concatenates the attacker-controlled `$uid` into
+// the LDAP filter passed to `ldap_search`; a payload like
+// `alice*)(uid=*` breaks out of the host `(uid=…)` clause and matches
+// every directory entry.
+function run(string $uid) {
+    $c = ldap_connect("127.0.0.1");
+    ldap_bind($c);
+    $filter = "(uid=" . $uid . ")";
+    return ldap_search($c, "ou=people,dc=nyx,dc=test", $filter);
+}

tests/dynamic_fixtures/ldap_injection/python/benign.py

@@ -0,0 +1,14 @@
+"""Phase 06 (Track J.4) — Python LDAP_INJECTION benign control fixture.
+
+Same shape as `vuln.py` but routes the attacker-controlled `uid`
+through `ldap.dn.escape_filter_chars`, escaping the wildcard /
+paren breakout so the directory keeps returning at most one entry.
+"""
+import ldap
+import ldap.dn
+
+
+def run(uid: str):
+    con = ldap.initialize("ldap://127.0.0.1")
+    filt = "(uid=" + ldap.dn.escape_filter_chars(uid) + ")"
+    return con.search_s("ou=people,dc=nyx,dc=test", ldap.SCOPE_SUBTREE, filt)

tests/dynamic_fixtures/ldap_injection/python/vuln.py

@@ -0,0 +1,14 @@
+"""Phase 06 (Track J.4) — Python LDAP_INJECTION vuln fixture.
+
+The function string-concatenates the attacker-controlled `uid` into the
+LDAP filter passed to `ldap.search_s`; a payload like `alice*)(uid=*`
+breaks out of the host `(uid=…)` clause and matches every directory
+entry.
+"""
+import ldap
+
+
+def run(uid: str):
+    con = ldap.initialize("ldap://127.0.0.1")
+    filt = "(uid=" + uid + ")"
+    return con.search_s("ou=people,dc=nyx,dc=test", ldap.SCOPE_SUBTREE, filt)