12.4 Lab: Exploiting NoSQL operator injection to extract unknown fields | 2024


Karthikeyan Nagaraj

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, log in as carlos.

1. Click "Forgot password", enter carlos and send a password reset link.
2. Click "My account", try logging in to carlos's account with the wrong password, and capture the request.
3. Send the request to Intruder, choose Cluster bomb as the attack type, and modify the body as below:

   {"username":"carlos","password":{"$ne":""}, "$where": "Object.keys(this)[1].match('^.{§0§}§a§.*')"}

4. Choose Numbers as payload 1 and set it to 0-20, then set payload 2 as a simple list containing a-z, A-Z and 0-9.
5. Start the attack, click Payload 1 to sort, then click the filter and type the string "Account locked"; this displays the parameter name.
6. Change the index in Object.keys(this)[1] from 1 to 2, then 3, and so on, starting the attack for each index in turn.
7. At index 4, I got a parameter called newPwdTkn. Now change the body of the request in Intruder as below, start the attack, and apply the filter from step 5; this attack gives you the token value.

   {"username":"carlos","password":{"$ne":""}, "$where": "this.newPwdTkn.match('^.{§0§}§a§.*')"}

8. Make sure to send the reset link to carlos as mentioned in step 1.
9. Sort the list by payload 1 and note down the value.
10. Now, in the browser, click "My account" and then "Forgot password". In the URL bar, modify the request to /forgot-password?newPwdTkn=TOKEN_VALUE.
11. Type and confirm the new password for carlos.
12. Finally, log in to carlos's account with the password you created to solve the lab.
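The two request bodies above work only because the lookup passes the parsed JSON straight into a MongoDB query, so a password that is an object ({"$ne": ""}) becomes an operator and a top-level "$where" key becomes server-side JavaScript. The following is an added defensive example, written for this write-up and not part of the lab or the original post, showing the input validation that closes both holes before anything reaches the driver. The field names and the username policy (USERNAME_RE) are assumptions for illustration; the sample bodies are constructed, with the injected one mirroring the shape of the lab payload.

```javascript
// Added example: strict validation of a login/lookup request body, run before
// the MongoDB driver is called. It rejects non-string credentials and any key
// that is a query operator ("$...") or a dotted field path, which is exactly
// what the NoSQL operator injection in this lab relies on.

const MAX_LEN = 128;
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/; // assumed policy for this example

// True if any key at any depth starts with "$" (a MongoDB operator) or
// contains a "." (a field path into subdocuments). Values are not inspected:
// the string "$where" as a value is harmless, as a key it is not.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperatorKey(value[k])
    );
  }
  return false;
}

// Validates the parsed JSON body of a login request. On success it returns the
// only filter the application should hand to the driver: a document whose
// values are plain strings. The password never becomes part of a query; the
// application compares its hash after the user document has been loaded.
function buildLoginFilter(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  const allowed = new Set(['username', 'password']);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) {
      return { ok: false, reason: `unexpected field: ${key}` };
    }
  }
  if (containsOperatorKey(body)) {
    return { ok: false, reason: 'operator or dotted key in request' };
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { ok: false, reason: 'username and password must be strings' };
  }
  if (!USERNAME_RE.test(username) || password.length === 0 || password.length > MAX_LEN) {
    return { ok: false, reason: 'credential format rejected' };
  }
  return { ok: true, filter: { username } };
}

// Constructed sample bodies: a legitimate login and the shape of the lab payload.
const LEGIT_BODY = { username: 'wiener', password: 'peter' };
const INJECTED_BODY = {
  username: 'carlos',
  password: { $ne: '' },
  $where: "Object.keys(this)[1].match('^.{0}a.*')",
};

console.log(buildLoginFilter(LEGIT_BODY));    // { ok: true, filter: { username: 'wiener' } }
console.log(buildLoginFilter(INJECTED_BODY)); // { ok: false, reason: 'unexpected field: $where' }
```

Two caveats a practitioner would add: the same validation is needed for form-encoded bodies, because query-string parsers that expand bracket syntax can turn `password[$ne]=` into an object just as JSON does; and the "$where" path should be removed at the database as well, by running mongod with server-side JavaScript disabled (security.javascriptEnabled: false), so an application bug cannot reintroduce it.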

A YouTube Channel for Cybersecurity Lab PoCs and Write-ups

Telegram Channel for Free Ethical Hacking Dumps

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
