[Web Exploitation] NoSQL :
<aside> 💡 Data is stored in databases, of which there are two types: relational and non-relational.
</aside>
<aside> 💡 Relational databases store data in tables, and different tables are linked through keys. Non-relational databases don’t relate information from one group to another but are optimized for storing and querying specific kinds of data.
</aside>
<aside> 💡 Relational databases are managed through SQL, non-relational databases through NoSQL.
</aside>
<aside> 💡 NoSQL has collections (like SQL tables), documents (like rows) and fields (like columns). Its query operators map to SQL too: $and is AND, $or is OR and $eq is =.
</aside>
mongo to access the MongoDB DBMS shell
use <name> to create a new collection or connect to an existing one
db.<collection name>.insert() / update() / remove() / drop() for the basic collection operations in NoSQL
<aside> 💡
Creating a NoSQL injection -
Queries are db.<collection name>.find({query}) or db.<collection name>.findOne({query}), using operators such as:
$eq - match records equal to a certain value
$ne - match records not equal to a certain value
$gt - match records greater than a certain value
$where - match records on a JavaScript condition
$exists - match records that have a certain field
$regex - match records whose value matches a given regular expression
example query - db.users.findOne({username: "admin", password: {"$ne":"xyz"}})
the password condition returns the record of the user admin as long as the stored password is anything other than xyz, which is why $ne in the password field bypasses a login check
</aside>
<aside> 💡 To exploit NoSQL injection, first find an entry point that doesn’t sanitize user input.
</aside>
<aside> 💡 Input can be accepted via GET and POST parameters, and sometimes as a JSON object in APIs.
</aside>
<aside> 💡 Via GET/POST, the injection is done with array (bracket) syntax: the server parses a parameter like field[$op]=value into a JSON object, so the operator becomes a key:value condition in the query.
</aside>
http://<MACHINE IP>/search?username=admin&role[$ne]=user
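The login bypass above (password: {"$ne": "xyz"}) and the role[$ne]=user parameter both work because the server turns user input into an operator object before calling find()/findOne(). The example below is added here and is not from the original notes or the room: it shows how the bracket parameter is parsed, how to detect an operator that arrived in place of a plain string (for bracket-parsed GET/POST parameters and JSON bodies alike), and how a handler can build the filter so that only plain strings reach the database. It assumes the application parses query strings the way Express's default qs parser does; parseQuery is a small stand-in for that behaviour.

```javascript
// Added example (not the room's or the original notes' code). Assumption: query
// strings are parsed qs-style, so role[$ne]=user becomes { role: { $ne: "user" } }.
// parseQuery is a minimal stand-in for that parser (one level of brackets).

// "username=admin&role[$ne]=user" -> { username: "admin", role: { $ne: "user" } }
function parseQuery(queryString) {
  const out = {};
  for (const pair of queryString.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^[\]]+)\[([^[\]]*)\]$/);
    if (m) {
      if (typeof out[m[1]] !== "object" || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val; // role[$ne] -> out.role.$ne
    } else {
      out[key] = val;
    }
  }
  return out;
}

// True if a value holds a key starting with "$" anywhere inside it, i.e. a query
// operator ($ne, $gt, $regex, ...) arrived where a plain string was expected.
// Works for bracket-parsed GET/POST params and for JSON request bodies alike.
function containsOperator(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || containsOperator(v)
  );
}

// Names of the request fields that carry an operator; useful for logging/alerting.
function findOperatorFields(params) {
  return Object.keys(params).filter((k) => containsOperator(params[k]));
}

// Build the filter for db.users.findOne() from request params. Each expected field
// must be a plain string; anything else is rejected before it reaches the database,
// so { "$ne": "xyz" } can never take the place of a password value.
function buildFilter(params, fields) {
  const filter = {};
  for (const f of fields) {
    if (typeof params[f] !== "string") throw new Error(`field ${f} must be a string`);
    filter[f] = params[f];
  }
  return filter;
}
```

findOperatorFields is the detection side (log the field names and reject the request); buildFilter is the mitigation, since a string-only filter cannot carry an operator.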
Questions :-
Question 1 is straightforward: ssh > mongo > find the databases > find the collection
Question 2: intercept the login page in Burp > change the password parameter > forward, then turn intercept off
Question 3: gift search page > intercept on > change the role parameter as learned above
Question 4: same as question 3, but change the username parameter
3 and 4 can be done without Burp too, straight from the URL