No answer needed for this task.
Q1. What is a group of documents in MongoDB known as?
Answer: collection
Q2. Using the MongoDB Operator Reference, what operator is used to filter data when a field isn’t equal to a given value?
You can find the solution by exploring MongoDB’s query and projection operators.
Answer: $ne
Q3. Following the example of the three documents, how many documents would be returned by the filter:
['gender' => ['$ne' => 'female'], 'age' => ['$gt' => 65]]?
Looking at the data, only one of the three documents has a gender other than female, and that document does not satisfy the age filter, so no documents are returned.
Answer: 0
Q1. What type of NoSQL Injection is similar to normal SQL Injection?
Explanation: Syntax Injection allows attackers to break out of queries and inject their own payloads, similar to SQL Injection.
Answer: Syntax
Q2. What type of NoSQL Injection modifies query behavior without escaping the syntax?
Explanation: Operator Injection lets attackers manipulate queries using NoSQL operators, such as $ne or $nin.
Answer: Operator
Q1. When bypassing the login screen using the $ne operator, what is the email of the logged-in user?
To test this, intercept the login request with Burp Suite, modify the payload to force the database to return all user documents, and log in as the first user.
Answer: admin@nosql.int
Logging in with $nin Operator
To bypass the login screen and specify which user to log in as, modify the payload using the $nin operator. Here's an example:
['username' => ['$nin' => ['admin']], 'password' => ['$ne' => 'irrelevant']]
Each iteration adds the previously discovered usernames to the $nin list, so the login lands on a different account each time until every user has been found.
Q1. How many users are there in total?
Using payloads to iterate through accounts, we find four users: admin, pedro, john, and secret.
Answer: 4
Q2. There is a user whose username starts with “p.” What is their username?
Answer: pedro
Extracting Passwords with $regex Operator
To extract passwords, use the $regex operator in a process similar to playing "Hangman."
Test the password length with a regex like ^.{5}$ (matching a 5-character password).
Determine each character by iterating through the possibilities, e.g., ^a…. for the first character.
Q1. What is John’s password?
John’s password is a 9-digit number derived using the method above.
Answer: 10584312
Q2. One user reuses their password across services. Which user is it, and what is the final flag?
Log in as pedro via SSH using the discovered password and retrieve the flag.
Answer: flag{N0Sql_n01iF3!}
Identifying Syntax Injection
Testing inputs such as ' can reveal syntax injection vulnerabilities. For example:
for x in mycol.find({"$where": "this.username == '" + username + "'"}):
This query is vulnerable because the username is concatenated directly into the JavaScript expression, allowing an injection such as:
admin' || 1 || 'x
Q1. What common character is used to test for injection in both SQL and NoSQL?
Answer: '
Q2. What is the email of the super-secret user in the last entry?
Using the payload admin' || 1 || ' reveals the user's email.
Answer: Syntax@Injection.FTW
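As an added defensive illustration (not code from the room or the original writeup), the following shows how a login handler can reject both the operator injection ($ne, $nin, $regex) and the $where concatenation covered above, and how to label incoming request bodies for detection. It assumes the request body has already been parsed into a Python dict; the sample bodies are constructed here to mirror the payloads discussed in the writeup.

```python
# Added defensive example, not part of the original writeup.
# Assumes a hypothetical login handler that receives the request body
# already parsed into a dict (JSON or PHP-style array input).
from typing import Any


def contains_operator(value: Any) -> bool:
    """True if any key at any depth starts with '$' (a MongoDB operator)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def safe_user_filter(username: Any) -> dict:
    """Build the user lookup with field equality instead of $where concatenation.

    Replaces the vulnerable {"$where": "this.username == '" + username + "'"}
    with a plain match, so a quote in the input is data rather than JavaScript.
    Non-string input such as {"$ne": ""} is rejected before it reaches the DB.
    """
    if not isinstance(username, str):
        raise TypeError("username must be a string, got %s" % type(username).__name__)
    return {"username": username}


def classify_login_body(body: dict) -> str:
    """Label a parsed login body for logging and alerting."""
    if contains_operator(body):
        return "operator-injection"
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str):
            return "non-string-field"
        if "'" in value or '"' in value:  # quote in a field: syntax-injection probe
            return "syntax-injection-probe"
    return "clean"


# Constructed sample bodies mirroring the payloads discussed in the writeup.
SAMPLES = {
    "ne_bypass": {"username": {"$ne": ""}, "password": {"$ne": ""}},
    "nin_enum": {"username": {"$nin": ["admin"]}, "password": {"$ne": "irrelevant"}},
    "regex_len": {"username": "john", "password": {"$regex": "^.{5}$"}},
    "quote_probe": {"username": "admin' || 1 || '", "password": "x"},
    "normal": {"username": "pedro", "password": "correct-horse"},
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {classify_login_body(body)}")
```

Rejecting non-string fields and `$`-prefixed keys at the boundary is what closes the operator injection; replacing `$where` string building with field equality is what closes the syntax injection.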
No answer is needed for this task.
Understanding NoSQL injection techniques is critical for securing modern applications. The challenges in this TryHackMe room demonstrate how attackers exploit poorly secured NoSQL queries and highlight the importance of secure coding practices.
THANKS FOR READING ❤️
If you want to connect with me, feel free to reach out to me on LinkedIn