InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


12.4 Lab: Exploiting NoSQL operator injection to extract unknown fields | 2024

Karthikeyan Nagaraj, published in InfoSec Write-ups, 2 min read, Mar 6, 2024


Description

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL operator injection: values supplied in the login request are passed into the query without being checked, so JSON objects containing MongoDB operators are treated as query operators rather than as literal strings.

To solve the lab, log in as carlos.

Solution

  1. Click Forgot password, type carlos, and request a password reset link.
  2. Click My account, try logging in to the carlos account with a wrong password, and capture the request.
  3. Send the request to Intruder, choose Cluster bomb as the attack type, and modify the body as below (§ marks the two payload positions):
    {"username":"carlos","password":{"$ne":""},"$where":"Object.keys(this)[1].match('^.{§0§}§a§.*')"}
  4. Choose Numbers as payload 1 and set the range to 0-20; set payload 2 to a simple list containing a-z, A-Z and 0-9.
  5. Start the attack, sort the results by payload 1, then open the filter and search for the string "Account locked". The matching rows spell out the name of the field at that index, one character per position.
  6. Change the index in Object.keys(this)[1] from 1 to 2, then 3, and so on, starting a new attack for each index.
  7. On using the key 4, I got a parameter called newPwdTkn
  8. Now change the body of the request in Intruder as below, start the attack, and apply the filter from step 5; this attack reveals the token value character by character.
    {"username":"carlos","password":{"$ne":""},"$where":"this.newPwdTkn.match('^.{§0§}§a§.*')"}
  9. Make sure the reset link has been sent to carlos as described in step 1, otherwise the field will be empty.
  10. Sort the results by payload 1 and note down the recovered value.
  11. Now go to the browser, click My account, then Forgot password.
  12. In the URL bar modify the request to /forgot-password?newPwdTkn=TOKEN_VALUE
  13. Type and confirm a new password for carlos.
  14. Finally, log in to the carlos account with the password you created to solve the lab.
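To show why the login handler in this lab can be abused in the way described above, and what the fixed handler and a request-level check look like, here is an added example. It is not code from the original write-up or from PortSwigger: the request body is a constructed sample, and the field names username, password and newPwdTkn, together with the idea of a handler that forwards the parsed body straight to findOne(), are assumptions modelled on the lab rather than its real source.

```javascript
// Added example, not code from the original write-up or from the lab.
// Field names and the findOne(req.body) pattern are assumptions modelled on
// the lab; the request bodies below are constructed samples.

// Vulnerable pattern (assumed): the parsed JSON body becomes the filter, so
// objects such as {"$ne": ""} and a top-level "$where" key are interpreted
// as MongoDB query operators rather than as literal credential values.
function buildLoginQueryVulnerable(body) {
  // Equivalent to users.findOne(req.body) in an Express handler.
  return Object.assign({}, body);
}

// Hardened pattern: only the two expected fields are used, and both must be
// plain strings. Any object or array (anything that could carry an operator)
// is rejected before it reaches the database. In real code the password
// should not be part of the filter at all: look the user up by username and
// verify a password hash in application code.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be plain strings');
  }
  return { username, password };
}

// Defensive check usable in middleware, at a gateway or over request logs:
// walk the decoded JSON and report whether any key at any depth starts with
// '$' (a MongoDB operator such as $ne, $regex or $where).
function containsOperator(value) {
  if (Array.isArray(value)) {
    return value.some(containsOperator);
  }
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Constructed sample bodies: the lab payload with the Intruder markers
// resolved to one concrete position and character, and a benign login.
const INJECTED_BODY = {
  username: 'carlos',
  password: { $ne: '' },
  $where: "Object.keys(this)[1].match('^.{0}a.*')",
};
const BENIGN_BODY = { username: 'carlos', password: 'hunter2' };

// Runs the three functions over both bodies and returns what each did.
function demo() {
  const results = {
    injectedFlagged: containsOperator(INJECTED_BODY),
    benignFlagged: containsOperator(BENIGN_BODY),
    vulnerableFilter: buildLoginQueryVulnerable(INJECTED_BODY),
    safeRejects: false,
  };
  try {
    buildLoginQuerySafe(INJECTED_BODY);
  } catch (e) {
    results.safeRejects = e instanceof TypeError;
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The type check in buildLoginQuerySafe is what removes the `$ne` and `$where` vectors, because an operator can only be smuggled in as an object key. containsOperator is the same idea applied generically, which is how packages such as express-mongo-sanitize work; it is also a cheap signal to alert on in request logs. Independently of the application code, setting `security.javascriptEnabled: false` in mongod.conf disables server-side JavaScript, so `$where` clauses are refused outright and the field-name and token extraction shown in this lab stops working even if the handler is left unfixed.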
