What is NoSQL Injection?

Before we proceed with the NoSQL Injection details, we need to understand the NoSQL databases which it has provided low consistency restrictions if compared to SQL databases. Most of the time, the attack might execute from a procedural language than SQL language and the impact is greater than SQL Injection.

How to review the source of the injection?

For all vulnerability, there have some way to detect or review whether the vulnerability is existed on the application or system.

Normally, We should be able to verify the vulnerabilty by analying the source code of the web application. In this case, i managed to analyze the code when we managed to access the machine.

The vulnerability code can show that the application can be exploited with the NoSQL Injection will be as below:

const query = { $where: "this.username ===. '" + req.query.username + "\'" };

The vulnerable code explain that the application will recognized the code as true || false + false which normally resulted as true

username=admin' || 'a'=='a&password=admin

An example of the syntax that run in the background and we will able to understand more by clicking here

Demonstration on the Injection Attack

The link here will show the full walkthrough of the machine.

We managed to access the login page for the Shoppy Admin

Whenever I see a login page, I normally try the SQL Injection attack method but I found out that the page is vulnerable to NoSQL Injection.

Let’s inspect the packet via burpsuite and key-in the attack parameter such as ‘||”===’

At last, we have finally managed to access the Admin Interface that shows in the screenshot above.

After roaming the website interface, i found out there’s a function of “search-user”

We should be able to use the Injection attack over here too.

Leave a Reply

Your email address will not be published. Required fields are marked *