Exploiting NoSQL injection to extract data

Link: https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data

Last updated 3 months ago

Description:

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, extract the password for the administrator user, then log in to their account.

You can log in to your own account using the following credentials: wiener:peter.

Proof of concept:

  1. Analyse the target web application using the test account.

  2. When the my-account page is loaded, it fetches data from the endpoint /user/lookup?user=<>.

  3. Change the username value to another user's username; here, as an example, the account data of the administrator account is viewed.

  4. Clearly, the application is vulnerable to IDOR. Next, combine this IDOR with NoSQL injection. Inject the payload administrator' && this.password.length < 8 || 'a'=='b to find out the length of the administrator account's password.

  5. When the payload above is entered, the response is false, indicated by the administrator account's data not being displayed. However, when the payload administrator' && this.password.length < 9 || 'a'=='b is entered, the administrator's data appears, meaning the condition is true, i.e. the administrator account's password is 8 characters long.

  6. The next step is to guess the administrator's password using a boolean technique with the payload administrator' && this.password[0]=='a. If the administrator data is not displayed, the condition is false; if it is displayed, the condition is true. For example, when the payload above is entered, the administrator data is not displayed, meaning the first character of the admin password is not the letter 'a'.

  7. However, when the payload administrator' && this.password[0]=='x is entered, the condition is true, indicated by the administrator account data being displayed. This means the first letter of the administrator's password is 'x'.

  8. The next step is to use the same payload with a different array index: administrator' && this.password[1]=='a-z (trying each letter from a to z). Repeat this until all 8 characters of the administrator's password have been obtained.

  9. Once the 8 characters of the administrator password have been obtained, log in with those credentials to complete this lab.

Thanks, Stay Ethical & Happy Hacking! 🍻