Day 7 : Migration without Security

Notes taken from the Day 7 TryHackMe challenge under Web Exploitation: Migration without Security

Intro to NoSQL

  • Non-relational database, usually used for big data or IoT devices

  • Fast queries, ease of use, scalability and flexible data structure

  • This challenge covers: NoSQL intro, enumeration and exploitation

  • Examples --> MongoDB, RavenDB

- Structure of NoSQL

MongoDB is organised into databases, tables and fields too, but they go under different names:

  • Collections are similar to tables or views in MySQL and MSSQL.

  • Documents are similar to rows or records in MySQL and MSSQL.

  • Fields are similar to columns in MySQL and MSSQL.

The following graph shows a visual example of these terms: a database named AoC3 that has two collections, users and roles. The users collection has two documents (2 records). Documents in MongoDB are objects stored in a format called BSON, which supports JSON data types for document storing.

Also, it is useful to briefly look at and compare the query operators between MongoDB and MySQL:

  • $and equivalent to AND in MySQL

  • $or equivalent to OR in MySQL

  • $eq equivalent to = in MySQL

- MongoDB Commands

NoSQL injection happens by sending queries via untrusted and unfiltered web application input, which leads to leaked unauthorized information. In addition, the attacker can use the NoSQL injection to perform various operations such as modifying data, escalating privileges, DoS attacks, and others.

- Bypass Login Pages

  • The application connects to the database and looks for a certain username and password; if a document with both exists in the collection, the login is valid

  • Commonly used JSON queries on login pages:

    • db.users.find(query)

    • db.users.findOne(query)

    These are functions where the query is JSON data that is sent via the application, for example {"username": "admin", "password":"adminpass"}. Note that when we provide the correct credentials, a document is returned, while a null reply is received when the credentials are wrong and nothing matches!

- Operators

Before exploiting the NoSQL injection, there are MongoDB operators that we need to be familiar with that are heavily used in the injections, which are:

$eq - matches records that are equal to a certain value

$ne - matches records that are not equal to a certain value

$gt - matches records that are greater than a certain value

$where - matches records based on a JavaScript condition

$exists - matches records that have a certain field

$regex - matches records that satisfy a certain regular expression
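To make the operator list and the login-query behaviour concrete, here is a small in-memory evaluator for these operators (an added example, not code from the TryHackMe room or from MongoDB itself). It uses a constructed users collection standing in for the AoC3 one, implements the implicit equality of a plain {"username": "admin", "password": "adminpass"} query alongside $eq, $ne, $gt, $exists, $regex, $and and $or, and shows why a password condition of {"$ne": ""} still returns the admin document. $where is deliberately left out because it evaluates arbitrary JavaScript on the server.

```javascript
// Added example (not the room's code): a toy evaluator for MongoDB query
// operators over an in-memory collection, so the matching rules can be
// observed without a database. Only the operators listed in the notes are
// supported; $where is omitted because it runs JavaScript server-side.

// Constructed sample data standing in for the AoC3 "users" collection.
const users = [
  { username: "admin", password: "adminpass", role: "admin" },
  { username: "ben", password: "benpass", role: "user" },
  { username: "guest", password: "guest", role: "guest" },
];

// Evaluate one field condition against the document's value for that field.
// A plain scalar condition is an implicit $eq; an object holds operators.
function matchValue(value, cond) {
  if (cond === null || typeof cond !== "object") {
    return value === cond;
  }
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq":
        return value === arg;
      case "$ne":
        return value !== arg;
      case "$gt":
        return value > arg;
      case "$exists":
        return (value !== undefined) === Boolean(arg);
      case "$regex":
        return typeof value === "string" && new RegExp(arg).test(value);
      default:
        // Embedded-document equality and other operators are out of scope here.
        throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Evaluate a whole query document: top-level $and / $or plus field conditions.
function matchDoc(doc, query) {
  return Object.entries(query).every(([key, cond]) => {
    if (key === "$and") return cond.every((q) => matchDoc(doc, q));
    if (key === "$or") return cond.some((q) => matchDoc(doc, q));
    return matchValue(doc[key], cond);
  });
}

// Stand-ins for db.users.find(query) and db.users.findOne(query).
function find(query) {
  return users.filter((doc) => matchDoc(doc, query));
}

function findOne(query) {
  return find(query)[0] ?? null;
}

// Correct credentials return the document; wrong ones return null.
console.log(findOne({ username: "admin", password: "adminpass" }));
console.log(findOne({ username: "admin", password: "wrong" }));
// An operator in place of the password value matches any non-empty password,
// which is why login code must never let a request object become a condition.
console.log(findOne({ username: "admin", password: { $ne: "" } }));
// Users other than admin that have the user role.
console.log(find({ username: { $ne: "admin" }, role: "user" }));
```

The point of the last query is that the server never compared a password at all: `{ $ne: "" }` is a condition, not a value, so the only check that happened was "password is not the empty string". The defensive fix belongs where the request is turned into a query, not in the database.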

Example Login Query

Since the condition evaluates to true, we successfully retrieve the document. Apply this concept against the login pages.

Now to log in as another user who is not admin:

- Exploiting NoSQL Injection

  • Find an entry point that is not sanitized

  • Understand how the web app passes the requests to the database

  • When the web app forwards GET or POST parameters to MongoDB, the injection works by supplying a MongoDB operator in array (bracket) syntax, so the parameter becomes a Key:Value object containing the operator instead of a plain value

The request above shows an injection where we look for username = admin and the role IS NOT user.

Let's see the normal case where we search for a username equal to ben with the user role.

Now we will try to list all usernames that have a user role!
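The following added example (not the room's code, and not the application tested in the challenge) shows where the bracket syntax above becomes dangerous and how to stop it. A qs-style form parser, which is what express.urlencoded({ extended: true }) uses, turns role=guest&username[$ne]=admin into a nested object; a JSON body can carry the same operator directly. The parseForm function below is a constructed stand-in for that parser, containsOperator rejects any key beginning with $ at any depth (the idea behind libraries such as mongo-sanitize), and buildLoginQuery only ever builds the query from plain strings.

```javascript
// Added example (not the room's code): how bracketed form parameters become
// nested objects, and two defensive checks that keep request-controlled
// objects out of a MongoDB query. parseForm is a constructed stand-in for a
// qs-style parser; it handles one bracket level, e.g. a[b]=c -> {a:{b:"c"}}.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const val = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const bracket = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (bracket) {
      const [, outer, inner] = bracket;
      if (typeof out[outer] !== "object" || out[outer] === null) out[outer] = {};
      out[outer][inner] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Check 1 (detection): does any key, at any depth, start with "$"?
// Useful both as a request filter and as a rule for logging suspicious input.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || containsOperator(v)
    );
  }
  return false;
}

// Check 2 (mitigation): build the query only from the fields you expect and
// only from string values, so an object in the body can never become a
// condition. The explicit $eq keeps the comparison to a literal value.
function buildLoginQuery(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be plain strings");
  }
  return { username: { $eq: username }, password: { $eq: password } };
}

// Bracketed form input from the notes, once an extended parser has seen it.
const injected = parseForm("role=guest&username[$ne]=admin");
console.log(injected); // { role: 'guest', username: { '$ne': 'admin' } }
console.log(containsOperator(injected)); // true

// The same operator arriving in a JSON body is caught by the same check.
const jsonBody = JSON.parse('{"username":"admin","password":{"$ne":""}}');
console.log(containsOperator(jsonBody)); // true

// A benign login passes both checks and yields a literal-only query.
const benign = parseForm("username=ben&password=benpass");
console.log(containsOperator(benign)); // false
console.log(buildLoginQuery(benign));
```

The two checks complement each other: containsOperator is a generic guard you can apply to every parsed body (and alert on), while buildLoginQuery is the per-endpoint fix that makes the guard unnecessary for that route, because no object from the request ever reaches the query.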

TryHackMe Tasks

- Task 1: Navigate the MongoDB database to retrieve the flag

- Task 2: Bypass the login page on the web app to retrieve the flag

Use the knowledge given in AoC3 Day 4 to set up and run the Burp Suite proxy, intercept the HTTP request for the login page, then modify the POST parameter.

In the POST request, inject [$ne] into the parameter:

POST Request

- Task 3: Find the flag via the search form available after logging in as admin

Use Burp:

  • Search for any user on the search form

  • Intercept the request and set role=guest and username[$ne]=admin

Results:

- Task 4: Find mcskidy's details

We prove that mcskidy is not a user by searching the database for that role, which returns no user.

Result (no flag here, just the details):
