Bypassing authentication in a NoSQL db - blackgem


Tuesday, January 31, 2023

Bypassing authentication in a NoSQL db



NoSQL databases are built without a fixed schema, so their data is not structured into tables, and they are not queried with the SQL language. These databases store documents (objects), meaning that if we have a database called students, a given property or attribute may or may not be present: some students may have an address field, a first name and a last name, and others may not.


For this post we are going to use MongoDB, basically because it is the most common NoSQL database out there. MongoDB is a popular document-oriented database.


Install MongoDB

First, let's install MongoDB on our Linux machine:

sudo apt-get install mongodb


Start the service:

systemctl start mongodb

Now let's open the MongoDB shell client to start interacting with the database.

Let's enumerate the databases:

show dbs

To create a database, let's type:

use blackgem


Now we are switched to our blackgem db. To enumerate the tables, which MongoDB calls collections, we use:

show collections


They are called collections rather than tables because they are not constrained by columns or a fixed structure.


Let's create a student object for this example by quickly inserting some data into the db:

db.student.insertOne({student: 'george'})







To query this collection we use find, as follows:

db.student.find()




We can play with the filtering to query the database; this filtering is the foundation of the exploitation in the next section.

db.student.find().limit(1)
db.student.find({section: 'north'})
db.student.find({section: {"$ne": 'north'}})

($ne means not equal)






For more information about MongoDB, please visit: https://www.mongodb.com


Bypassing Authentication

NoSQL injection is a type of vulnerability where an attacker is able to inject arbitrary text or query operators into NoSQL queries. NoSQL injection is very similar to the traditional SQL injection attack, except that the target is a NoSQL database. NoSQL is a general term for any database that does not use SQL; a common database management system (DBMS) in this category is MongoDB.


This challenge was made by Snyk, and you can download the vulnerable application from their GitHub:

https://github.com/snyk-labs/nodejs-goof


The purpose of the challenge is to log in to sneak.io with no password. Let's go into your vulnerable application.

Now, we need to send a JSON operator to our MongoDB for processing instead of a string for the password.


We capture the request in Burp Suite and, before sending it, under "Request" we modify the Content-Type and the payload to JSON format.


The trick here for a successful attack is to use the not-equal ($ne) operator to state that the password is not blank, which is enough to bypass the authentication.


Before: Content-Type x-www-form-urlencoded and the payload as a string

After: I have changed the Content-Type to JSON and transformed the credentials into JSON format


Follow the redirection and we now get a 200 OK response with Admin Access Granted.



And voilà, we have bypassed the authentication for this application :)


This method can be used once you have identified that the web app is using a non-relational database.
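To see why the $ne trick works and how to close it, here is an added example (not code from the goof app or from this post): a login filter built the vulnerable way, where the parsed JSON body is copied straight into the query, next to a hardened version that only accepts string credentials. The user records and the tiny in-memory matcher that mimics how MongoDB evaluates equality and $ne are constructed for this demonstration, so it runs without a database.

```javascript
// Constructed stand-in for the application's user collection (not real data).
const USERS = [
  { username: 'admin', password: 'placeholder-admin-pw' },
  { username: 'george', password: 'placeholder-george-pw' },
];

// Minimal matcher covering plain equality and the $ne operator only,
// constructed here to imitate MongoDB's behaviour for this one case.
function matchesField(docValue, condition) {
  if (condition !== null && typeof condition === 'object' && !Array.isArray(condition)) {
    // An object in the filter is interpreted as an operator expression.
    if ('$ne' in condition) return docValue !== condition.$ne;
    return false; // other operators are not modelled here
  }
  return docValue === condition; // plain string value: exact comparison
}

function findOne(collection, filter) {
  const hit = collection.find(doc =>
    Object.keys(filter).every(key => matchesField(doc[key], filter[key])));
  return hit === undefined ? null : hit;
}

// Vulnerable: whatever the JSON body contained (string or object) becomes
// part of the query, so {"$ne": ""} is treated as an operator, not a password.
function vulnerableLogin(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// Hardened: after body parsing, refuse anything that is not a plain string
// before it can reach the query. A JSON object for the password is rejected
// here, which is also the place to log the attempt for detection.
function hardenedLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null; // non-string credential: treat as a failed login
  }
  return findOne(USERS, { username: body.username, password: body.password });
}
```

The check belongs in the login handler itself (or a validation middleware) so it applies regardless of which Content-Type the client chose.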


Now, if you need more similar payloads using the $ne JSON operator, you can go to:

https://github.com/swisskyrepo/PayloadsAllTheThings/ under NoSQL Injection



I hope this is useful for you. Happy Hacking!
