We covered an introduction to NoSQL, the differences between NoSQL and SQL, and the NoSQL query operators. We discussed the two basic types of NoSQL injection, namely syntax-based and operator-based injection, and walked through the practical scenario from the TryHackMe NoSQL Injection room for demonstration purposes.

Components of a NoSQL Database

Documents
You can think of these documents as a simple dictionary structure where key-value pairs are stored. In a way, they are very similar to what you would call a record on a traditional relational database, but the information is just stored differently. For example, let’s say we are creating a web application for the HR department, and we would like to store basic employee information. You would then create a document for each employee containing the data in a format that looks like this:
Each key in the document is called a field; fields play the role that columns play in a relational table.

{ "_id" : ObjectId("5f077332de2cdf808d26cd74"), "username" : "lphillips", "first_name" : "Logan", "last_name" : "Phillips", "age" : "65", "email" : "lphillips@example.com" }

Collections
MongoDB allows you to group multiple documents with a similar function together in higher hierarchy structures called collections for organizational purposes. Collections are the equivalent of tables in relational databases.
Multiple collections are finally grouped in databases, which is the highest hierarchical element in MongoDB.

Operators

$eq - matches records whose field is equal to a given value

$ne - matches records whose field is not equal to a given value

$gt - matches records whose field is greater than a given value

$where - matches records based on a JavaScript condition

$exists - matches records that have (or lack) a given field

$regex - matches records whose field satisfies a given regular expression

The root cause of NoSQL Injection

The root cause of an injection attack is the improper concatenation of untrusted user input into a command, which allows an attacker to alter the command itself. With SQL injection, the most common approach is to inject a single or double quote that terminates the current data context and lets the attacker modify the query. The same approach applies to NoSQL injection: if untrusted user input is added directly to the query, we have the opportunity to modify the query itself. With NoSQL injection, however, even when we can't escape the current query, we may still be able to manipulate the query's behaviour.

Types of NoSQL Injection

Syntax Injection
This is similar to SQL injection, where we have the ability to break out of the query and inject our own payload. The key difference from SQL injection is the syntax used to perform the attack. Since most libraries used to build the queries apply filters that prevent you from injecting into the syntax, this type is not as common.

Operator Injection
Even if we can't break out of the query, we could potentially inject a NoSQL query operator that manipulates the query's behaviour, allowing us to stage attacks such as authentication bypasses.
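To make the operator-injection case concrete, here is an added example (not code from the post or the TryHackMe room) with a small in-memory stand-in for MongoDB's find() that understands the operators listed above. The user collection, the passwords and the two login functions are all constructed for the demo; the point is that a login handler which copies the decoded request body straight into the filter lets an object such as {"$ne": ""} take the place of a string, while a handler that insists on plain strings rejects it before the query is built.

```python
import re

# Constructed sample collection (not the room's data).
USERS = [
    {"username": "admin", "email": "admin@example.com", "password": "s3cret-admin"},
    {"username": "lphillips", "email": "lphillips@example.com", "password": "logan123"},
]
OPERATORS = {"$eq", "$ne", "$gt", "$exists", "$regex"}


def matches(doc, flt):
    """Return True when doc satisfies every field condition in the filter."""
    for field, cond in flt.items():
        value = doc.get(field)
        if not isinstance(cond, dict):          # plain value acts as an implicit $eq
            if value != cond:
                return False
            continue
        for op, arg in cond.items():            # operator object, e.g. {"$ne": ""}
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op}")
            ok = {
                "$eq": lambda: value == arg,
                "$ne": lambda: value != arg,
                "$gt": lambda: type(value) is type(arg) and value > arg,
                "$exists": lambda: (field in doc) == bool(arg),
                "$regex": lambda: isinstance(value, str) and re.search(arg, value) is not None,
            }[op]()
            if not ok:
                return False
    return True


def find(flt):
    """Stand-in for collection.find(): every document matching the filter."""
    return [u for u in USERS if matches(u, flt)]


def login_vulnerable(body):
    """Copies the decoded request body into the filter as-is, so a value that
    arrived as an object becomes a query operator instead of a credential."""
    return find({"username": body.get("username"), "password": body.get("password")})


def login_hardened(body):
    """Only plain strings reach the filter; anything else is refused up front."""
    username, password = body.get("username"), body.get("password")
    if not (isinstance(username, str) and isinstance(password, str)):
        raise ValueError("username and password must be strings")
    return find({"username": username, "password": password})
```

With valid credentials both handlers return the matching user; with operator objects in place of strings the vulnerable handler matches every user, which is the authentication bypass the room demonstrates, whereas the hardened one raises before any query runs.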

Check out the video below for a detailed explanation.

Room Answers | TryHackMe NoSQL Injection

What is a group of documents in MongoDB known as?

collection

Using the MongoDB Operator Reference, what operator is used to filter data when a field isn’t equal to a given value?

$ne

Following the example of the 3 documents given before, how many documents would be returned by the following filter: ['gender' => ['$ne' => 'female'], 'age' => ['$gt' => '65']]?

0

What type of NoSQL Injection is similar to normal SQL Injection?

Syntax

What type of NoSQL Injection allows you to modify the behaviour of the query, even if you can’t escape the syntax?

Operator

When bypassing the login screen using the $ne operator, what is the email of the user that you are logged in as?

admin@nosql.int

How many users are there in total?

4

There is a user that starts with the letter “p”. What is his username?

pedro

What is john’s password?

10584312

One of the users seems to be reusing his password for many services. Find which one and connect through SSH to retrieve the final flag!

flag{N0Sql_n01iF3!}

What common character is used to test for injection in both SQL and NoSQL solutions?

What is the email value of the super secret user returned in the last entry?

Syntax@Injection.FTW

Video Walkthrough | TryHackMe NoSQL Injection

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.