Bypassing authentication in a NoSQL db - blackgem

W E L C O M E

https://i.imgur.com/fEamA3G.png

    • Tuesday, January 31, 2023

    Home bypass cybersecurity database db mongodb nosql nosqldb pentesting red team Bypassing authentication in a NoSQL db

    Bypassing authentication in a NoSQL db



    NoSQL databases are built without a schema and therefore are not structured, and you can query them not only using SQL language. With these databases, only a couple of objects are stored, meaning that if we get a database called students, the properties or attributes may or not be stored, some students may have an address field, a first and a last name, some others may not.


    For this post, we are going to use MongoDB basically because is the most common nosql database out there.  MongoDB is a popular document-structured database. 


    Install MongoDB

    First let's install MongoDB in our linux machine:

    sudo apt-get install mongodb


    Start the service

    systemctl start mongodb

    Now let's execute to start interacting with mongodb

    Let's enumerate the databases

    show dbs

    To create a database let's type
    use blackgem


    now it's switched to our blackgem db, to enumerate tables we use

    show collections


    this is because the collections are not constrained by columns or structures.


    Let's create a student object for this example by quickly throwing some data to the db

    db.student.insertOne({student: 'george'})







    To query this collection we use find as follows:

    db.student.find()




    We can play with the filtering in order to query the database, which is the foundation of our next exploitation.

    db.student.find().limit(1)
    db.student.find({section: 'north'})
    db.student.find({section: {"$ne": 'north'}})
    $ne = not equal






    For more information about mongodb please visit: https://www.mongodb.com


    Bypassing Authentication

    NoSQL injection is a type of vulnerability where an attacker is able to inject arbitrary text into NoSQL queries. NoSQL injections are very similar to the traditional SQL injection attack, except that the attack is against a NoSQL database. NoSQL is a general term for any database that does not use SQL, a common database management system (DBMS) that utilizes NoSQL is MongoDB.


    This challenge was made by snyk and you can download the vulnerable application from their github:

    https://github.com/snyk-labs/nodejs-goof


    The purpose of the challenge is to login to sneak.io with no password. Let's go into your vulnerable application.

    now, we need to send a Json operator to our MongoDB for processing instead of a string for the password. 


    We capture the requests in Burp Suite and before sending it under "Request" we modify the content type and the payload with json format.


    The trick here for a successful attack is that you use a not equal ($ne) flag stating that is not a blank passwords in order to bypass the authentication


    Before : Content-Type x-www-form-urlencoded and payload as string

    After : I have changed the Content-Type to json and transformed the credentials into json format


    Follow the redirection and now we get a 200 OK response with Admin Access Granted



    And voilá we have bypassed the authentication for this application :)


    This method can be used once you have identify that the web app is using a non-relational database.


    Now, if you need more payloads similar using the $ne with json operator you can go to:

    https://github.com/swisskyrepo/PayloadsAllTheThings/ under NoSQL Injection



    I hope this is useful for you. Happy Hacking!

    Tags
    Share This
    Author Image

    About blackgem

    by blackgem at
    Tags , , , , , , , ,

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

    About blackgem

    blackgem offensive / defensive security specialist looking to give back to the community by posting some of the experiences, how to's, tutorials, etc. Passionate about legacy, current and emerging technologies.