Introduction
NoSQL injection vulnerabilities allow attackers to inject code into commands for databases that don't use SQL queries, such as MongoDB. NoSQL injection attacks can be especially dangerous because code is injected and executed on the server in the language of the web application, potentially allowing arbitrary code execution.
Simple MongoDB Injection
For a basic authentication bypass, the attacker can try to enter MongoDB operators in field values, for example $eq (equals), $ne (not equal to) or $gt (greater than). Here's an unsafe way to build a database query in a PHP application, with the parameter values taken directly from a form:
If this query is then used to check login credentials, the attacker can abuse PHP's built-in associative array processing to inject a MongoDB query that always returns true and bypass the authentication process. This may be as simple as sending the following POST request:
When sent as a MongoDB query to a user store, this will find all users where the user name and password are not equal to 1, which is highly likely to be true and may allow the attacker to bypass authentication.
Login Bypass (PHP)
Injecting the $ne operator:
# Find any user where username is not equal to "" and password is not equal to ""
username[$ne]=&password[$ne]=&login=login
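As an added example (not code from the original article), the Python script below emulates how PHP turns the bracketed form fields in the payload above into nested associative arrays, shows the MongoDB filter document that the unsafe query builder produces from them, and contrasts it with a builder that only accepts plain string credentials. The simplified PHP-style parser, the field names and the sample request bodies are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample bodies: the payload from the page and a normal login.
INJECTED_BODY = "username[$ne]=&password[$ne]=&login=login"
NORMAL_BODY = "username=alice&password=s3cret&login=login"


def parse_php_style(body: str) -> dict:
    """Approximate how PHP turns `name[key]=value` pairs into nested
    associative arrays in $_POST. Only one level of bracket syntax,
    which is all the page's payload needs, is handled (assumption)."""
    result: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            name, sub = key[:-1].split("[", 1)
            result.setdefault(name, {})[sub] = value
        else:
            result[key] = value
    return result


def build_login_filter(post: dict) -> dict:
    """Unsafe pattern: form values are dropped straight into the MongoDB
    filter, so a nested array becomes an operator such as {"$ne": ""}."""
    return {"username": post.get("username"), "password": post.get("password")}


def contains_operator(value) -> bool:
    """Recursively check whether a filter value carries a MongoDB operator key.
    Useful as a detection rule on request data before it reaches the driver."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_login_filter_safe(post: dict) -> dict:
    """Hardened pattern: each credential must be a scalar string; anything
    else (an array carrying $ne, $regex, ...) is rejected before querying."""
    fields = {}
    for name in ("username", "password"):
        value = post.get(name)
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string, got {type(value).__name__}")
        fields[name] = value
    return fields
```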
Dumping Database (PHP)
Instead of $ne, we now use $regex in order to discover the value character by character.
Get all Usernames
First we determine which kinds of characters appear in the usernames.