Try Hack Me – Advent of Cyber 3 – Day 7 – NoSQL Injection

What is NoSQL?

NoSQL, short for "non-SQL" or "Not only SQL", refers to non-relational databases. A NoSQL database is a system for storing and retrieving data. NoSQL databases are commonly used nowadays for big data and IoT devices due to their powerful features such as fast queries, ease of use for developers, easy scaling, and flexible data structures.

Understanding NoSQL (e.g. MongoDB)

Similar to relational databases (such as MySQL and MSSQL), MongoDB consists of databases, tables, and fields, but under different names:

  • Collections are similar to tables or views in MySQL and MSSQL.
  • Documents are similar to rows or records in MySQL and MSSQL.
  • Fields are similar to columns in MySQL and MSSQL.

A few useful commands on MongoDB:

  • show databases command to list all the databases that we have in MongoDB on the machine
  • use command is used to connect to a database if it exists or create a new one if it doesn’t exist
  • db.createCollection() to create a new collection (table)
  • db.getCollectionNames() to see the collections in the database
  • db.<collection>.find() to find the available documents
  • db.<collection>.insert() to insert the document in the collection
  • db.<collection>.update() to update the document
  • db.<collection>.remove() to remove the document

What is NoSQL Injection?

Now that we have basic knowledge of the MongoDB commands to create databases and collections as well as insert, update, and delete documents, we will discuss NoSQL injection and the risks of having such a vulnerability in an application. NoSQL injection is a web security vulnerability that allows the attacker to have control over the database. A NoSQL injection happens when untrusted and unfiltered web application input ends up in database queries, which leads to unauthorized disclosure of information. In addition, the attacker can use NoSQL injection to perform various operations such as modifying data, escalating privileges, DoS attacks, and others.

Operators useful for NoSQL injection

  • $eq – matches records that are equal to a certain value
  • $ne – matches records that are not equal to a certain value
  • $gt – matches records that are greater than a certain value
  • $where – matches records based on a JavaScript condition
  • $exists – matches records that have a certain field
  • $regex – matches records that satisfy a certain regular expression
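The following added example (not from the original post or the room) shows why unfiltered input matters: when a request field arrives as an object instead of a string, the operators listed above change what the query means. The `users` data and the names `matchField`, `find`, `loginVulnerable` and `loginHardened` are hypothetical, and the matcher is a small in-memory stand-in, not MongoDB itself.

```javascript
// Constructed sample documents standing in for a "users" collection.
const users = [
  { username: "alice", password: "s3cret-A" },
  { username: "bob", password: "s3cret-B" },
];

// Minimal in-memory matcher for the operators listed above ($where omitted).
function matchField(value, cond) {
  if (cond === null || typeof cond !== "object") return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq": return value === arg;
      case "$ne": return value !== arg;
      case "$gt": return value > arg;
      case "$exists": return (value !== undefined) === Boolean(arg);
      case "$regex": return typeof value === "string" && new RegExp(arg).test(value);
      default: throw new Error("unsupported operator: " + op);
    }
  });
}

// Hypothetical stand-in for db.<collection>.find().
function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => matchField(doc[field], cond)));
}

// Vulnerable: body values go into the query unchanged, so a JSON object
// sent in place of a string is interpreted as a query operator.
function loginVulnerable(body) {
  return find(users, { username: body.username, password: body.password });
}

// Hardened: accept only plain strings and compare them with an explicit $eq,
// so request data can never supply an operator of its own.
function loginHardened(body) {
  for (const field of ["username", "password"]) {
    if (typeof body[field] !== "string") {
      throw new TypeError(field + " must be a string");
    }
  }
  return find(users, {
    username: { $eq: body.username },
    password: { $eq: body.password },
  });
}
```

The same type check belongs on every field that reaches a query, including values parsed from JSON bodies and from query strings that a framework expands into objects.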

It was great learning about NoSQL and NoSQL Injection. I also made some progress on Burp Suite, which is always a good thing.