Page 99 - Hands-On Bug Hunting for Penetration Testers
Chapter 5: SQL, Code Injection, and Scanners
Writing a Wrapper Script
Just as we wrote our bootstrap_burp.sh script as a convenient wrapper around the
longer command that launches Burp's JAR file, so that we don't have to type the full path and
all our options each time we start the application, we can do the same for arachni. Putting
together all of the options we've just covered (except for plugins), this is what our script
looks like. We'll call it ascan.sh:
#!/bin/sh
# Wrapper around arachni. The first argument is the target URL; it is quoted so
# that a URL containing shell metacharacters is passed through as one word.
# The --checks pattern is quoted so the shell does not try to glob-expand the '*'.
arachni "$1" \
  --checks='*,-emails*' \
  --scope-include-subdomains \
  --timeout 1:00:00 \
  --http-request-concurrency 10
Like bootstrap_burp.sh, we can make it executable with a simple chmod u+x
ascan.sh and add it to our path with sudo ln -s /path/to/ascan.sh
/usr/local/bin/ascan.
The timeout is admittedly long. It accommodates the longer stalls that occur with a
smaller request pool, as well as the extended waiting that time-based blind SQLi checks
require, since each of those deliberately makes the server sleep before responding.
NoSQL Injection: Injecting Malformed MongoDB Queries
According to OWASP, there are over 150 varieties of NoSQL database available for use in
web applications. We're going to look specifically at MongoDB, the most widely-used
open source, document-oriented NoSQL database, to illustrate how injection can work
across a variety of toolsets.
Applications usually talk to MongoDB through a driver that builds BSON (binary JSON)
queries from structured objects, so the shape of the query is fixed by the code and a
user-supplied value stays a value. In certain cases, however, MongoDB also accepts raw
JSON and JavaScript expressions, as with the $where operator, which takes a JavaScript
string and evaluates it server-side against each document. It's usually used, like the
SQL WHERE clause, as a filter:
db.myCollection.find( { $where: "this.foo == this.baz" } );
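The following is an added example, not code from the book. It emulates how $where evaluates its string per document (with `this` bound to the document) over a small in-memory collection, so it runs without a MongoDB server, and it goes one step beyond the filter above to show what happens when the $where string is built from user input. The collection, the handler functions (findUserUnsafe, findUserSafe) and the request values are all constructed for this illustration; the evaluation is an approximation of MongoDB's restricted server-side JavaScript context, not the real engine.

```javascript
// Added example (not from the book). Emulates MongoDB's $where evaluation to
// show why concatenating user input into the $where string is injectable.

// Constructed sample collection (documents as MongoDB would store them).
const users = [
  { _id: 1, username: "alice", role: "user",  email: "alice@example.com" },
  { _id: 2, username: "bob",   role: "admin", email: "bob@example.com" },
  { _id: 3, username: "carol", role: "user",  email: "carol@example.com" },
];

// Emulation of $where: the string is evaluated as a JavaScript expression once
// per document with `this` bound to that document; documents for which it is
// truthy are returned. (Approximation of the real server-side evaluation.)
function evaluateWhere(collection, whereExpr) {
  const predicate = new Function(`return (${whereExpr});`);
  return collection.filter((doc) => Boolean(predicate.call(doc)));
}

// Vulnerable handler (hypothetical): the username from the request is pasted
// straight into the $where string, exactly like string-built SQL.
function findUserUnsafe(collection, username) {
  const query = { $where: `this.username == '${username}'` };
  return evaluateWhere(collection, query.$where);
}

// Hardened handler (hypothetical): no $where at all. The filter is a structured
// equality match, and the value is type-checked so that an operator object such
// as {"$ne": ""} arriving as parsed JSON cannot be smuggled in as the username.
function findUserSafe(collection, username) {
  if (typeof username !== "string") {
    throw new TypeError("username must be a string");
  }
  const query = { username }; // equivalent to db.users.find({ username: "alice" })
  return collection.filter((doc) => doc.username === query.username);
}

// Constructed request values. The payload closes the string literal, appends an
// always-true disjunction, and leaves the final quote to balance the trailing
// quote added by the handler:
//   this.username == '' || 'a'=='a'
const normalInput = "alice";
const payload = "' || 'a'=='a";

// Demonstration (results: 1 document, then all 3, then 0).
console.log(findUserUnsafe(users, normalInput).length);
console.log(findUserUnsafe(users, payload).length);
console.log(findUserSafe(users, payload).length);
```

The unsafe handler returns the whole collection for the payload because the injected `||` turns the per-document predicate into a tautology, just as `' OR '1'='1` does in SQL. The safe handler never evaluates user-controlled JavaScript: the query shape is fixed by the code, the input can only ever be compared as a string value, and an operator object is rejected before it reaches the query.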

