
[NOSQL INJECTION]



CONTEXT INFORMATION

NoSQL databases differ from traditional SQL databases. Their structure is different, so the way the DB is queried also differs: a NoSQL DB stores data as [key:value] pairs. FUZZING is the most common attack for this !!

SAMPLE: https://machetevault.com/product/lookup?category=FUZZ

Possible DBs: MongoDB, Redis, CouchDB & more.

Two types:
1. Syntax Injection: when you can break the query syntax.
2. Operator Injection: when you can use operators to manipulate the queries.
GENERAL INFORMATION

NOTES:
1. Inspection of requests is needed. [burpsuite]
2. Techniques used for SQL Injection can be reused; the parameters and payloads differ, but the logic can be adapted.
3. Use URL/JSON encoding when needed.

C1: '
C2: '+'

The simple quote (') is used to determine which characters are interpreted as syntax; it is important to check the request/response before and after and compare them. In order to escape queries, the backslash (\) can be used.
SAMPLE: this.car == '\''

:::: MONGO DB
C1: '"`{;$Foo}$Foo \xYZ

:::: CONDITIONAL BEHAVIOR
NOTE: inspection of requests/responses is needed. [burpsuite]
C1: FALSE' && 0 && 'x
C2: TRUE' && 1 && 'x

:::: OVERRIDING CONDITIONS
NOTE: this method always evaluates TRUE.
C1: '||1||'
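The request inspection this section calls for can be automated on the defensive side. The following is an added example (not code from the original page) that scans constructed access-log lines for the syntax-injection indicators listed above: unescaped quotes, backslash escapes, the `&&` / `||` conditional fragments, JavaScript block characters and `$`-prefixed tokens. The log format, the `category` parameter and the indicator names are assumptions made for the example.

```javascript
// Added example (not from the original page): a small detector that inspects the
// query string of request log lines for NoSQL syntax-injection indicators.
// The log lines, parameter names and indicator names are constructed for this demo.

const INDICATORS = [
  { name: "quote", re: /['"`]/ },          // unbalanced/extra quote probes
  { name: "escape", re: /\\/ },             // backslash used to escape out of a string
  { name: "conditional", re: /&&|\|\|/ },   // ' && 0 && 'x  /  '||1||'
  { name: "js_block", re: /[{};]/ },        // JavaScript block / statement characters
  { name: "dollar_token", re: /\$\w+/ },    // $Foo-style tokens
];

// Decode a query-string value ("+" is a space); a malformed encoding is itself
// worth flagging, so return null instead of throwing.
function decodeParam(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch {
    return null;
  }
}

// Returns the names of the indicators that fire for one decoded value.
function indicatorsFor(value) {
  return INDICATORS.filter((i) => i.re.test(value)).map((i) => i.name);
}

// Parses a "METHOD PATH?QUERY PROTO" line and returns one finding per parameter
// whose decoded value fires at least one indicator. Lines without a query are ignored.
function scanLogLine(line) {
  const m = line.match(/^\S+\s+\S*?\?(\S*)\s/);
  if (!m) return [];
  const findings = [];
  for (const pair of m[1].split("&")) {
    const [name, raw = ""] = pair.split("=");
    const value = decodeParam(raw);
    if (value === null) {
      findings.push({ param: name, value: raw, indicators: ["bad_encoding"] });
      continue;
    }
    const hits = indicatorsFor(value);
    if (hits.length) findings.push({ param: name, value, indicators: hits });
  }
  return findings;
}

// Constructed sample log: one benign request followed by three probe requests
// built from the payloads described on this page, URL-encoded as a browser would send them.
const SAMPLE_LOG = [
  "GET /product/lookup?category=Gifts HTTP/1.1",
  "GET /product/lookup?category=Gifts%27%7C%7C1%7C%7C%27 HTTP/1.1",
  "GET /product/lookup?category=Gifts%27+%26%26+0+%26%26+%27x HTTP/1.1",
  "GET /product/lookup?category=Gifts%5C%27 HTTP/1.1",
];

// Scan a whole log and attach the originating line to every finding.
function scanAll(lines) {
  return lines.flatMap((l) => scanLogLine(l).map((f) => ({ line: l, ...f })));
}

for (const f of scanAll(SAMPLE_LOG)) {
  console.log(`${f.param}=${JSON.stringify(f.value)} -> ${f.indicators.join(", ")}`);
}
```

A single quote on its own will also appear in legitimate input (names like O'Brien), so in practice the `quote` indicator is a weak signal; combining it with `conditional` or `escape` on the same parameter, as the sample probes do, is what makes a finding worth an alert. Comparing the response for the `' && 0 && 'x` and `' && 1 && 'x` pair, as the text describes, is the confirmation step a reviewer would then do manually.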
NOSQL OPERATORS

NOTES:
- Request inspection is needed.
- Values are normally sent as key:value pairs.

:::> BYPASS AUTHENTICATION
:::> MONGO DB

There is a technique using two operators that helps to discover whether operators are allowed, and those same operators can lead to authentication bypass.

Request login sample:
{ "username":"wiener", "password":"peter" }

OPERATORS:
{"$ne":""} | selects the documents where the value of the specified field is not equal to the specified value. This includes documents that do not contain the specified field.
{"$regex":""} | provides regular expression capabilities for pattern matching strings in queries.

TECHNIQUE: Case scenario with a valid user to attempt!! As the goal is to bypass authentication, it is normally attempted on input fields, and usually some users exist that can be used as a reference.

First Test: username:{"$ne":""} with valid password. Is it bypassing?
Second Test: username:{"$regex":"wien.*"} with valid password. Is it bypassing?
NOTE: "wien.*" >> a valid user prefix with a wildcard, retrieving everything that matches that pattern.
Third Test: username as {"$ne":""} with password as {"$ne":""}. Is it bypassing?
NOTE: if you get <p class=is-warning>Query returned unexpected number of records</p>, it means that more than one user has been selected. So apply the fourth test.
Fourth Test: username as {"$regex":"admin.*"} with password as {"$ne":""}. Is it bypassing?
NOTE: It is trying to bypass as the user "admin" with any value as password.
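Why the four tests above behave as they do, and what stops them, is easiest to see in code. The following is an added example (not code from the original page or from any real application): an in-memory model of a MongoDB-style login lookup with a toy matcher that understands only `$ne` and `$regex`, a vulnerable login that passes the parsed JSON body straight into the query, and a hardened login that rejects anything other than plain strings before a query is built. The user records, the `admin` password placeholder and the function names are assumptions made for the example; real MongoDB supports many more operators than this matcher.

```javascript
// Added example (not from the original page): operator injection against an
// unvalidated login query, beside the type check that prevents it.
// The user records below are constructed sample data.

const USERS = [
  { username: "wiener", password: "peter" },
  { username: "admin", password: "ADMIN-PASSWORD-PLACEHOLDER" },
];

// Toy subset of MongoDB field matching: a plain value is an equality test; an
// object carrying $ne or $regex applies that operator. Enough to reproduce the
// behaviour the page describes, nothing more.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === "object") {
    if ("$ne" in expected) return actual !== expected.$ne;
    if ("$regex" in expected) return new RegExp(expected.$regex).test(actual);
    return false; // operator not supported by this toy matcher
  }
  return actual === expected;
}

// Return every document whose fields all match the query.
function find(collection, query) {
  return collection.filter((doc) =>
    Object.keys(query).every((k) => fieldMatches(doc[k], query[k]))
  );
}

// VULNERABLE: the parsed JSON body goes straight into the query, so an
// attacker-controlled object such as {"$ne": ""} is interpreted as an operator.
function loginVulnerable(body) {
  const matches = find(USERS, { username: body.username, password: body.password });
  if (matches.length === 1) return { ok: true, user: matches[0].username };
  return {
    ok: false,
    reason: matches.length === 0 ? "no match" : "Query returned unexpected number of records",
  };
}

// True if a value is, or contains, an object with a $-prefixed key. Useful for
// request bodies that legitimately carry nested objects (e.g. search filters).
function containsOperator(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(([k, v]) => k.startsWith("$") || containsOperator(v));
}

// HARDENED: reject operator-shaped input, then require both credentials to be
// plain strings, so only equality comparisons ever reach the database.
function loginHardened(body) {
  if (containsOperator(body)) return { ok: false, reason: "operator in request body" };
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    return { ok: false, reason: "credentials must be strings" };
  }
  const matches = find(USERS, { username, password });
  return matches.length === 1
    ? { ok: true, user: matches[0].username }
    : { ok: false, reason: "no match" };
}

// The four tests from the text, run against both handlers.
const REQUESTS = [
  { username: { $ne: "" }, password: "peter" },
  { username: { $regex: "wien.*" }, password: "peter" },
  { username: { $ne: "" }, password: { $ne: "" } },
  { username: { $regex: "admin.*" }, password: { $ne: "" } },
];
for (const body of REQUESTS) {
  console.log(JSON.stringify(body), "vulnerable:", JSON.stringify(loginVulnerable(body)),
    "hardened:", JSON.stringify(loginHardened(body)));
}
```

The third test is the one that produces the "unexpected number of records" message: `$ne` on both fields matches every user, so the handler sees two records. Note that passwords are compared in clear here only to keep the model small; a real handler looks the user up by username alone, then verifies a password hash, which on its own removes the password field from the query and shrinks the attack surface. Frameworks that strip or reject `$`-prefixed keys at the body-parsing layer apply the `containsOperator` idea globally instead of per handler.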

©® - Since 2023