[Web Exploitation] NoSQL :

<aside> 💡 Data is stored in databases, of which there are two broad types: relational and non-relational.

</aside>

<aside> 💡 Relational databases store data in tables, and different tables are linked through keys. Non-relational databases don't relate records across groups, but are optimized for storing and querying specific kinds of data (documents, key-value pairs, graphs).

</aside>

<aside> 💡 Relational databases are queried with SQL; non-relational databases are collectively called NoSQL databases, and each DBMS has its own query syntax (MongoDB, used in this room, takes JSON-like query documents).

</aside>

<aside> 💡 In MongoDB, collections correspond to SQL tables, documents to rows and fields to columns. Query operators map onto SQL too: $and is AND, $or is OR and $eq is =.

</aside>

mongo - start the MongoDB shell and connect to the DBMS (show dbs lists the databases, show collections lists the collections of the selected database)

use <database name> - switch to a database; it is created on first write if it doesn't already exist

db.<collection name>.insert/update/remove/drop - insert, update or remove documents in a collection, or drop the collection entirely

<aside> 💡 Creating a NoSQL injection -

db.<collection name>.find({query}) or db.<collection name>.findOne({query}) and operators :

$eq - match records where the field equals a certain value

$ne - match records where the field is not equal to a certain value

$gt - match records where the field is greater than a certain value

$where - match records for which a JavaScript condition evaluates to true

$exists - match records that have (or, with false, lack) a certain field

$regex - match records where the field matches a regular expression

example query - db.users.findOne({username: "admin", password: {"$ne":"xyz"}})

This returns the user whose username is admin and whose password is anything other than xyz, so the $ne operator replaces the password check with a condition an attacker can satisfy without knowing the password.

</aside>

<aside> 💡 To exploit NoSQL injection, you need an entry point where user input reaches the query without being sanitized or type-checked.

</aside>

<aside> 💡 Input is usually accepted via GET or POST parameters, and in APIs sometimes as a JSON object in the request body.

</aside>

<aside> 💡 With GET/POST parameters, operators are injected using array (bracket) syntax, e.g. role[$ne]=user. Many web frameworks' query and body parsers turn this into the nested object {role: {$ne: "user"}}, so the key:value pair the application drops into its query document becomes an operator expression instead of a plain value.

</aside>

http://<MACHINE IP>/search?username=admin&role[$ne]=user
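The following is an added example, not code from the original notes or from the room: a self-contained model of the whole chain described above, from bracket-style parameters being parsed into operator objects, to a findOne-style lookup that is bypassed with $ne, to a hardened version of the same lookup. No database is needed: a small matcher implements the operators listed above ($where is left out because it needs a JavaScript evaluator) over an in-memory array that stands in for the users collection. The user records, the parameter parser and the login/search functions are all constructed for illustration and are not a specific framework's implementation.

```javascript
// Constructed sample data standing in for the `users` collection.
const users = [
  { username: 'admin', password: 'S3cretAdminPw', role: 'admin' },
  { username: 'alice', password: 'alicepw',       role: 'user' },
  { username: 'bob',   password: 'bobpw',         role: 'user' },
  { username: 'carol', password: 'carolpw',       role: 'admin' },
];

// Does one field value satisfy a query value? A plain value means $eq; an
// object whose keys start with '$' is an operator expression.
function fieldMatches(actual, expected) {
  if (expected === null || typeof expected !== 'object') {
    return actual === expected;
  }
  return Object.entries(expected).every(([op, arg]) => {
    switch (op) {
      case '$eq':     return actual === arg;
      case '$ne':     return actual !== arg;
      case '$gt':     return actual > arg;
      case '$exists': return (actual !== undefined) === Boolean(arg);
      case '$regex':  return typeof actual === 'string' && new RegExp(arg).test(actual);
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Equivalents of db.<collection>.find({query}) and findOne({query}).
function find(collection, query) {
  return collection.filter(doc =>
    Object.entries(query).every(([field, expected]) => fieldMatches(doc[field], expected))
  );
}
function findOne(collection, query) {
  return find(collection, query)[0] || null;
}

// Simplified stand-in for a framework's query/body parser: bracket syntax such
// as "role[$ne]=user" becomes { role: { $ne: 'user' } }, exactly the nesting
// that turns a plain key:value pair into an operator expression.
function parseQueryString(qs) {
  const result = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^[\]]+)\[([^[\]]*)\]$/);
    if (m) {
      result[m[1]] = result[m[1]] || {};
      result[m[1]][m[2]] = val;
    } else {
      result[key] = val;
    }
  }
  return result;
}

// Vulnerable login: whatever the parser produced goes straight into the query,
// so password[$ne]=xyz matches the admin record without knowing the password.
function vulnerableLogin(params) {
  return findOne(users, { username: params.username, password: params.password });
}

// Hardened login: operators can only reach the query inside an object, so
// refusing any value that is not a string closes this injection.
function hardenedLogin(params) {
  const { username, password } = params;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null;  // operator objects are treated as a failed login
  }
  return findOne(users, { username, password });
}

// Vulnerable search endpoint, as in /search?username=admin&role[$ne]=user.
function vulnerableSearch(params) {
  return find(users, params);
}
```

Running `vulnerableLogin(parseQueryString('username=admin&password[$ne]=xyz'))` returns the admin document, while `hardenedLogin` on the same input returns null; `vulnerableSearch(parseQueryString('username[$ne]=admin&role[$ne]=user'))` shows why operators on the username field (question 4) enumerate the other privileged accounts. The same type check belongs on every field a client can supply, and in a real application a JSON body is just as dangerous as bracket syntax, since `{"password": {"$ne": ""}}` arrives already nested.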

Questions :-

Question 1 is straightforward: ssh in, run mongo, list the databases (show dbs), switch to the relevant one (use <database name>) and list its collections (show collections).

Question 2: intercept the login request in Burp, change the password parameter to an operator expression (e.g. password[$ne]=xyz), forward the request, then turn intercept off.

Question 3: on the gift search page, turn intercept on and change the role parameter as shown above (role[$ne]=user).

Question 4: same as question 3, but apply the operator trick to the username parameter as well.

Questions 3 and 4 can also be done without Burp, by editing the parameters directly in the URL.