What is NoSQL?

NoSQL often translated as Not only SQL, is a type of database that does not use the traditional SQL interface and usually does not store its data in tables. Although NoSQL has advantages and disadvantages when compared to SQL databases, it does give better control and increased simplicity in applications. Today NoSQL is used in many modern big data and real-time web applications.

MongoDB Injection

As with all injection techniques, the problem arises from lack of validation of user input values. The basic structure is that the value passed through the Web Request is processed in the DB without filtering on the Special Character to change the flow of the grammar so that the attacker can gain the desired gain. NoSQL Injection is the same. But it only applies to the target. The following special characters can be used to circumvent the statement and succeed in the attack:

‘ ” \ ; { }

Example: Review this code

db.myCollection.find( { $where: function() { return obj.credits - obj.debits < 0; } } ); 

As mentioned above, there is a NoSQL syntax that has a structure for finding data through the find method of myCollection at the bottom of the db. An attacker can change the flow of logic by writing a new line and ending a line through; similar to the technique used in XSS or SQL Injection. In the example below, the Date class is assigned to date, and the while loop is executed.


0;var date=new Date(); do{curDate = new Date();}while(curDate-date<10000)

In fact, if this section is passed without filtering, the bypassed syntax will be completed as shown below.


function() { return obj.credits - obj.debits < 0;var date=new Date(); do{curDate = new Date();}while(curDate-date<10000); }

It is easy to change the flow in this form. Of course you can check it while you are viewing the db data,but you can also make a line-by-line syntax by looking at the output or error in the blackbox test.

Let's test it with a simple MongoDB syntax.
Test with simple vulnerable syntax


Let's name it roughly. It's a good idea to configure and test it. This friend assumes the function of finding Member at the bottom of noon and can give the argument value as below.

db.noon.findMember({ $or : [ { name : [INPUT1] } , { level : ($lte[INPUT2]) } ] } )

Here the attacker guesses the approximate form of the syntax through testing.It seems that there are about [INPUT1], [INPUT2] that we can see as attack zone. If you perform an attack on [INPUT1], you should create a syntax that can change the flow as follows. (Of course, by default, you should check for special characters.)

Input : {$ne:Ddos}
If you enter the above, the $ ne operator will find the name if it is not the same as the string Ddos, and you will see a lot of data.

db.noon.findMember({ $or : [ { name : {$ne:"Ddos"}} , { level : ($lte[INPUT2]) } ] } )

As a rule of thumb, the $ ne operator value is often used to overturn the situation, so it's good to focus on the logic and the operator.

For automatically finding and exploiting nosql injection, you can view the following video: