Find and Exploit NoSQL Injection

Captions
Welcome back. In this video we're going to look at some ways to get started with NoSQL injection. Now, what is NoSQL? Well, NoSQL stands for "not only SQL" or "non-SQL", which is a style of database design that lets you store and query data outside of traditional structures. Another way to put it is databases without a schema. Now, it can be a little bit tricky to start off with, as with most things, but as security professionals we always strive to be proficient enough with the technology to understand what's going on under the hood and how that fits into the wider context of the application or system we're evaluating or attacking. So with that in mind, I generally see NoSQL databases like MongoDB as a place where loosely coupled objects are stored. Now, what do I mean by loosely coupled? Well, basically, they might have some similar properties or attributes, but it's no guarantee. So if we have a user, they might have a username, an age, a password and some other information; some of the users might not have an age, some of the users might have a date of birth, some of them might have an address field and others might not. So kind of loosely coupled and not strict. So with that, let's take a quick look at how we can interact with MongoDB, which is by far the most popular NoSQL database, and see what we can do.

All right, so this is a really quick introduction to NoSQL and MongoDB, so we're just going to get hands-on and drop into a shell. Now you can see that we're now able to interact with MongoDB, and we can start looking at the databases that exist by just typing show dbs, and you can see we have admin, config, express todo and local. Now I'm just going to create a DB called "please like and subscribe", and you can see that it's just switched us directly to this. Now, interestingly enough, when we do show dbs it doesn't come up; this is because this is temporary until we actually put a collection or some data into this database. Now, in terms of collections, I like to think of these as tables, so they're a little bit different, oops, because they're not constrained by columns or structures, but in my mind collections are basically tables if you come from a more traditional relational database background.

Now again, you can see that we put in show collections and nothing comes up, but if we create a user object, for example by doing db.users.insertOne and we insert something, so let's just put name is Jeremy and hit enter, we insert this user object, and then if we show collections again we can see that we do indeed have the users collection. So we don't need to create the collection ahead of time; we can just throw data at MongoDB and it will ingest it, which is quite handy for scale and working quickly. Now what I'm going to do is I'm going to quickly query this collection, so I'm just going to do db.users.find and it's going to return Jeremy. We're going to add some more data to this, so let's say we have another user called Jessamy, and Jessamy is from, let's say, Scotland. And now when I do db.users.find it returns Jeremy up here and also Jessamy, and you'll notice that Jessamy also has this country set as well. And so again the structure is quite loose, and MongoDB doesn't care whether all of the objects together have the same properties or different properties, same data, different data; it doesn't really matter. We want to do a little bit more advanced filtering, and so we can do things like db.users.find and then we can just say I just want the first record, for example; you can do limit 1 to get Jeremy. Or if we want to do something like "I only want users from Scotland", we can pass in country, oops, country Scotland here like this, and we only get Jessamy back in our results. Now something that's really important is that we can also pass in operations. So for example, in the find function, instead of doing find everybody by Scotland we might want to, let's say, find the country, and instead of Scotland we might want to put something like not equal to Scotland, and when we run this it's going to find all of the users where the country attribute is not equal to Scotland, so we get back Jeremy. And this kind of logic, or this kind of operator, is exactly what we're going to use in the next section to bypass the authentication on the NoSQL challenge.

So that was a really super quick intro, and of course if you're not familiar with MongoDB I definitely recommend going and watching some YouTube videos and having a play with it. It's really important as security professionals to understand the underlying logic so that we can find, interact with, create and troubleshoot payloads and get them to work.

So now let's dive into a hands-on NoSQL injection challenge. I've spun up a NoSQL challenge that was built by Snyk, and you can find it on their GitHub repository if you want to give it a try yourself. The challenge here is to log in as admin@snyk.io with no password. Now what we're going to do is we're going to send a JSON operation to MongoDB for processing instead of a string for the password. Let's start by sending a request and opening up Burp Suite. So if I just do admin@snyk.io, and I'm just going to send the password as "password"; before I do that I'm just going to switch on my proxy. And we get a bit of an application error here, although actually we can fix this, so we're just going to ignore that for now, maybe I'll raise that as an issue in the repository, and we're going to come and take a look at this request. Hit Ctrl+R to send it to Repeater, or you can right click and click Send to Repeater, and here we have our request. Now we are getting a 500 response, but if we actually convert this to JSON our application is going to work correctly. Now the easiest way to do this is either just to change the content type to JSON here and then change the payload to JSON, or what you can do is you can use an extension: if you come to Extensions, the BApp Store, and I think if we just search for "converter", we have this Content Type Converter; you can go ahead and click Install, come back to Repeater, right click, Extensions, Content Type Converter, Convert to JSON, and this converts it for us. Now we are going to have to update the username and password fields, whoops, to have JSON data, so we're just going to put username is admin@snyk.io and then we're going to have password, and we're just going to send "password" for the time being. So now when we send this we get a 401 Unauthorized, and so instead of sending a password, what we're actually going to do is we're going to update this to an operation. So we're going to say, let me just switch this to Raw instead of Pretty to make it a little bit easier to see, we're going to say the password is not equal to blank. We could put anything in here, so for example we could put the password is not equal to 123 or not equal to undefined. So the logic of the application is it's going to say, hey, grab the username where the username is, grab, sorry, the user where the username is admin@snyk.io and the password is not equal to blank. So assuming the admin has a password, this should work. Now we just go ahead and click Send, and instead of getting a 401 we get a 302 Found and we have a redirect to /admin. Now in Burp Suite we can just click Follow Redirection and we have "admin access granted", and I think we can just click Render, and here you can see the challenge is complete.

Now if you want to practice this attack then there's also some challenges on OWASP Juice Shop, which is very easy to download, install and get up and running with, so be sure to check that out. And if you need payloads to test out, so obviously we just tried the not-equals payload but there are other ones that exist, so if we come to the swisskyrepo repository, which I think I have bookmarked here, you can just Google for swisskyrepo, and if you go to NoSQL injection, I'm sure many of you will be familiar with this repository, and you come down and you will be able to see some ones to start you off or to start trying. Now these ones that are passing in arrays are probably more likely to work on PHP-based applications, where you can pass an array as a parameter, and the ones that are in JSON format are more likely to work on things like Node.js applications. So depending on the technology stack you're using, you're going to have to try different payloads in different formats, but again the logic is the same. So you can see here where we have the username is not equal to toto or tutu and the password is not equal to toto or tutu, so the first user that gets returned in this case is likely to be logged in, and you have the exact same JSON equivalent here as well.

So that's it for this video. Always remember to try and learn at least the basics of what's happening under the hood. Also, getting familiar with things like how the logic behind a typical login mechanism works is going to help you tremendously on your application security journey; once we understand the behaviour, it becomes much easier to exploit. If you enjoyed this video, don't forget to like and subscribe, it really means a lot for the channel, and if there's anything you want me to cover in the future, drop it down in the comments below. See you next time.
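The login logic the video walks through, shown as an added Node.js example that is not code from the video or from Snyk's challenge: the vulnerable way a handler builds its MongoDB filter from a JSON body, a check that detects a smuggled operator, and the type check that stops it. Function names and the sample request bodies are constructed for illustration.

```javascript
// Added example, not code from the video or the Snyk challenge.
// A Node.js login handler typically builds its MongoDB filter from the parsed
// JSON body. The function names below are constructed for illustration.

// Vulnerable pattern: body values go straight into the filter. When the body
// is JSON, `password` can be an object such as {"$ne": ""}, and MongoDB then
// evaluates it as a query operator instead of comparing a literal string.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Detection check for any filter or parsed body: true if a key at any depth
// starts with "$", i.e. an operator has arrived through user input.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || containsOperator(v)
    );
  }
  return false;
}

// Hardened pattern: credential fields must be primitive strings, so an
// object, array or number is rejected before it can reach the database.
// (Production code should also look the user up by username only and compare
// a password hash, rather than querying on the plaintext password at all.)
function assertPlainString(name, value) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: assertPlainString("username", body.username),
    password: assertPlainString("password", body.password),
  };
}

// Constructed sample bodies: what the JSON login request parses to.
const normalLogin = { username: "admin@snyk.io", password: "password" };
const operatorLogin = { username: "admin@snyk.io", password: { $ne: "" } };
```

Running containsOperator over request bodies at an input-validation layer is a cheap way to log or block the pattern before it reaches the query; the string check is what keeps the 302 from ever happening.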
Info
Channel: The Cyber Mentor
Views: 11,642
Id: zHxgZJCy9fA
Length: 11min 2sec (662 seconds)
Published: Mon Jan 30 2023