NoSQL Injection

4 min read · Nov 11, 2024

In this room, you will learn about NoSQL injection. While SQL-based databases are a popular choice for storing web application data, several databases that are not based on SQL also exist. NoSQL databases such as MongoDB have seen a significant rise in popularity in recent years. However, the fundamental principle of injection attacks remains the same: if we can inject into the database query itself, we have the opportunity to manipulate it!

Bypassing the Login Screen

Connect to the VPN and start the machine.

We try logging in.

But the login was unsuccessful.

We go back and look at the PHP code: the web application builds its database query with MongoDB.

We look up $ne. In MongoDB, $ne is a query operator that selects documents where the field is not equal to the specified value. This means we can use $ne to bypass the login page.

Let's try logging in while intercepting the request with Burp Proxy.

We change the parameters to user[$ne]=xxxx&pass[$ne]=yyyy and forward the request.

Finally, we can log in.
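To see why the rewritten parameters work, and what the PHP side should have done with them, here is an added Python example (not code from the room or from this write-up). It mimics PHP's bracket-syntax parsing of a query string, builds the login filter the vulnerable way, and contrasts it with a hardened version that refuses non-string values. The function names and the shape of the login filter are assumptions made for the illustration.

```python
"""
Added example (not from the original room or write-up): how a PHP-style
query string like user[$ne]=xxxx&pass[$ne]=yyyy turns into a MongoDB
filter that matches any user, and how a hardened login handler rejects it.
Function names below are assumptions chosen for this illustration.
"""
from urllib.parse import unquote_plus

MONGO_OPERATOR_PREFIX = "$"


def parse_php_query(query: str) -> dict:
    """Mimic PHP's handling of bracket syntax: 'a[b]=c' becomes {'a': {'b': 'c'}}.
    Only one level of nesting is modelled, which is all the login form needs."""
    result: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if key.endswith("]") and "[" in key:
            outer, inner = key[:-1].split("[", 1)
            result.setdefault(outer, {})[inner] = value
        else:
            result[key] = value
    return result


def build_login_filter_vulnerable(params: dict) -> dict:
    """The pattern the room's PHP code follows: whatever PHP parsed from the
    request is passed straight into the MongoDB query. If 'user' or 'pass'
    arrived as an array, it becomes an operator document such as {'$ne': 'xxxx'}."""
    return {"user": params.get("user"), "pass": params.get("pass")}


def build_login_filter_hardened(params: dict) -> dict:
    """Reject anything that is not a plain string before it reaches the query.
    Casting to str would also neutralise the operator, but refusing the request
    makes the attempt visible in logs instead of silently degrading it."""
    clean = {}
    for field in ("user", "pass"):
        value = params.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field}: expected a string, got {type(value).__name__}")
        clean[field] = value
    return clean


def filter_is_tampered(mongo_filter: dict) -> bool:
    """Defensive check usable in middleware or a WAF rule: any nested dict whose
    keys start with '$' means the client smuggled in a query operator."""
    for value in mongo_filter.values():
        if isinstance(value, dict) and any(k.startswith(MONGO_OPERATOR_PREFIX) for k in value):
            return True
    return False


if __name__ == "__main__":
    normal = parse_php_query("user=john&pass=secret")
    print(build_login_filter_vulnerable(normal))  # {'user': 'john', 'pass': 'secret'}

    injected = parse_php_query("user[$ne]=xxxx&pass[$ne]=yyyy")
    bad = build_login_filter_vulnerable(injected)
    print(bad)  # {'user': {'$ne': 'xxxx'}, 'pass': {'$ne': 'yyyy'}} -> matches every user
    print(filter_is_tampered(bad))  # True

    try:
        build_login_filter_hardened(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The key point is that the injection never touches a query string: PHP's array syntax turns the parameter into a nested document, and the driver faithfully sends {"$ne": "xxxx"} as an operator. Enforcing the expected type (a string) at the boundary removes the whole class of operator injection for this form.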

Logging in as Other Users

We start by logging in again with Burp Proxy intercepting the request.

We use the $nin operator, which takes a list of values to exclude: it matches documents whose field value is not in that list.

After forwarding the request, we are logged in as another user.

Extracting Users’ Passwords

We start by logging in again with Burp Proxy intercepting the request.

The $regex operator in MongoDB is used for pattern matching in queries with regular expressions. It selects documents where the value of the specified field matches the given regex pattern. Regular expressions are powerful tools for searching, replacing, or validating strings based on specific patterns.

We use pass[$regex]=^.{9}: the $regex operator makes the pass (password) field match a regular expression. In the pattern ^.{9}, ^ anchors to the start of the string, . matches any single character, and {9} requires exactly nine of them. Note that without a trailing $ anchor the pattern matches any password of at least 9 characters rather than exactly 9; combined with the next, shorter test (^.{8}) it still pins down the exact length.

We send the request, but the response redirects to ?err=1 (login failed).

We decrease the number to user=john&pass[$regex]=^.{8}&remember=on and send it.

It works: the password is 8 characters long.

Next, we guess the first character of the password with pass[$regex]=^2....... (a 2 followed by seven more characters).

2 is incorrect.

We guess again with pass[$regex]=^1.......

1 is correct. We repeat this for the next character.

We keep going with the same method, one character at a time, until we have the full password.

We connect over SSH with the recovered credentials and read flag.txt.
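From the defender's side, each of the three techniques above ($ne for the bypass, $nin for the user switch, $regex for the character-at-a-time password extraction) leaves a distinctive mark in the web server's access log: an operator name inside a bracketed parameter. The following added Python example (not part of the room or this write-up) scans constructed log lines for those operators and flags a client that sends repeated $regex probes against the login form. The log lines, field layout and function names are all assumptions made for the example.

```python
"""
Added example (not part of the original write-up): detection logic that scans
web-server access logs for the NoSQL operator injections shown in this room
($ne, $nin, $regex) and flags the repeated $regex probing pattern.
Log lines below are constructed; the function names are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# MongoDB query operators a login form has no business receiving from a client.
SUSPICIOUS_OPERATORS = {"ne", "nin", "in", "regex", "gt", "gte", "lt", "lte", "where", "exists"}

# Matches PHP-style bracket keys such as pass[$regex] or user[$ne] in a decoded query string.
OPERATOR_KEY_RE = re.compile(r"\[\$(\w+)\]")

# Combined-log-format line: client, timestamps, request line, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (POST bodies shown as query strings for brevity).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2024:10:01:02 +0000] "POST /login.php?user=john&pass=secret HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:02:15 +0000] "POST /login.php?user%5B%24ne%5D=xxxx&pass%5B%24ne%5D=yyyy HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:03:01 +0000] "POST /login.php?user%5B%24nin%5D%5B%5D=admin&pass%5B%24ne%5D=yyyy HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:04:10 +0000] "POST /login.php?user=john&pass%5B%24regex%5D=%5E.%7B9%7D HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:04:11 +0000] "POST /login.php?user=john&pass%5B%24regex%5D=%5E.%7B8%7D HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:04:12 +0000] "POST /login.php?user=john&pass%5B%24regex%5D=%5E2....... HTTP/1.1" 302 -
10.0.0.9 - - [11/Nov/2024:10:04:13 +0000] "POST /login.php?user=john&pass%5B%24regex%5D=%5E1....... HTTP/1.1" 302 -
"""


def operators_in_target(target: str) -> list:
    """Return the MongoDB operators found in the (URL-decoded) request target."""
    decoded = unquote_plus(target)
    return [op for op in OPERATOR_KEY_RE.findall(decoded) if op in SUSPICIOUS_OPERATORS]


def scan_log(log_text: str) -> list:
    """Return (ip, timestamp, operators) for every request carrying an operator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ops = operators_in_target(m.group("target"))
        if ops:
            hits.append((m.group("ip"), m.group("ts"), ops))
    return hits


def regex_probing_sources(hits: list, threshold: int = 3) -> dict:
    """Count $regex requests per source IP. Several from one client against a
    login form is the signature of length/character-at-a-time extraction."""
    counts = Counter(ip for ip, _, ops in hits if "regex" in ops)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, ops in found:
        print(f"{ts} {ip} operators={ops}")
    print("probable extraction:", regex_probing_sources(found))
```

Two practical notes: the request target must be URL-decoded before matching, because browsers and proxies encode the brackets and the dollar sign (%5B, %24, %5D); and the per-client $regex count is the more useful alert, since a single operator may be a one-off probe while a run of them against one account is a live extraction.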

Finding Syntax Injection

We can test for syntax injection by simply injecting a ' character.

The following line in the error message shows us that there is syntax injection:

for x in mycol.find({"$where": "this.username == '" + username + "'"}):
Having confirmed syntax injection, we can use the payload '||1||'.

From the returned documents, get the last email.
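The line from the error message shows the root cause: the username is concatenated into a JavaScript expression that the server evaluates through $where, so a quote in the input ends the string literal and everything after it is parsed as code. The following added Python example (not code from the room or this write-up) reproduces that construction, shows the structured equality filter that should replace it, and adds a minimal boundary check. The username allow-list and the function names are assumptions made for the illustration.

```python
"""
Added example (not from the original room): why string-building a $where
clause is syntax injection, and the defensive alternative. The allow-list
USERNAME_RE and the function names are assumptions for this illustration.
"""
import re

# Usernames are an application-controlled namespace: allow-list the character set.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def where_clause_vulnerable(username: str) -> str:
    """Mirrors the pattern from the error message in the room: the username is
    concatenated into JavaScript that MongoDB evaluates for every document.
    A quote in the input closes the string literal; the rest becomes JS syntax."""
    return "this.username == '" + username + "'"


def filter_hardened(username: str) -> dict:
    """Use a structured equality filter instead of $where. The value travels as
    data, so quotes or operators inside it have no syntactic meaning. The
    allow-list on top rejects inputs the application never expects anyway."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return {"username": username}


def input_breaks_out(username: str) -> bool:
    """Cheap check for middleware or a WAF rule: True if the value would
    terminate the single-quoted JS literal in the vulnerable clause."""
    return "'" in username


if __name__ == "__main__":
    benign = "john"
    probe = "'"  # the single quote used in the room to test for syntax injection
    print(where_clause_vulnerable(benign))  # this.username == 'john'
    print(where_clause_vulnerable(probe))   # this.username == ''' -> JavaScript SyntaxError
    print(input_breaks_out(probe))          # True
    print(filter_hardened(benign))          # {'username': 'john'}
    try:
        filter_hardened(probe)
    except ValueError as exc:
        print("rejected:", exc)
```

The structured filter is the real fix: {"username": value} cannot be broken out of, whatever the value contains, and it also avoids the full collection scan that $where forces. Disabling server-side JavaScript on the MongoDB deployment removes $where entirely and is worth doing where no legitimate code depends on it.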

Written by GrimTheRipper