sans sec642 advanced webapp penetration testing day1 · mongodb mongodb is a document-oriented...

SEC642

NoSQL Injection

Copyright 2012-2018 Justin Searle and Adrien de Beaupré | All Rights Reserved | Version D01_01

Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

S

About me

Principal

SANS InstructorBlack Belt &

Martial Arts Enthusiast

CoAuthor of SANS

SEC 460 and 642

Consultant

InfoSec full time

since 2000

SEC642 | Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 3

Modern Penetration Testing

Use the features of the operating system

Use the features of the network protocols

Use the features of the web application

New framework = new features to learn

Exploitation is just making use of new features in ways that might not have been anticipated, or known to implementers / developers

3


THE MEAN STACK

End-to-end JavaScript from clientto database

MEAN is a lightweight MVC framework

Found on Mean.io

The components are:

mongoDB (NoSQL Database)

Express (MVC Framework)

AngularJS (Client-Side Framework)

Node.JS (JavaScript Server)


NoSQL DATABASES: DEFINITION

No standards between platforms, no common query language

Security features:Authentication: Often not enabled by default, and if available, limited. Some databases require additional software like proxies for authentication.

Access Controls: Many NoSQL databases, even if they require users to authenticate, do not use different roles. All users have access to everything.

Auditing: Some NoSQL Databases do not log, at all.

Hit-and-miss if TLS is built into the database.

Encryption is normally not provided beyond filesystem encryption.

Only few NoSQL databases provide data encryption features.


DATABASES


MONGODB

MongoDB is a Document-Oriented Database

It does not use traditional SQL:• Uses NoSQL formatted in JSON-like messages

• Language called BSON, or Binary JSON

Different than a relational database, the schemas are dynamic and can be changed on demand

Queries can include JavaScript functions

"Mongo only pawn… in game of life"


UNDERSTANDING HOW NoSQL WORKS

SQL

Made of rows and tables

Generally ACID-compliant:• Atomicity

• Consistency

• Isolation

• Durability

Maintains consistency even if limits scalability

NoSQL

Made of key-value pairs:• MongoDB has "documents"• Riak has "buckets"

Generally BASE-compliant:• Basically Available• Soft State• Eventually Consistent

Trades consistency for scalability


NoSQL vs. SQL

SQL: MySQL

Example SQL Queries:

SELECT * FROM users where ID=1;

Update a User:

UPDATE users SET password = '<input>' WHERE ID = <#>;

Create Table:

CREATE TABLE users (id MEDIUMINT NOT NULL AUTO INCREMENT, user_id Varchar(30))

NoSQL: MongoDB

Example NoSQL Queries:

db.users.find({user_id: 1,})

Example User Update:

db.users.update({user_id: <#>}, {$set:{password:'<input>'}})

Create Table:

db.createCollection('users')


MONGODB NOSQL INJECTION

MongoDB, like other NoSQL backended databases, will not be vulnerable to SQL injection as you may traditionally understand it

Injection attacks use JSON or BSON to control queries on databases:• MongoDB is often attacked via its $where operator (similar to SQL's where

clause)

Arbitrary JavaScript may also be injected into unprotected db.eval(), mapReduce, and group operators

Parameter injection like so: http://victim.tld/login?user[$ne]=1

The [$ne] is added so that it evaluates potentially as user not equal


MONGODB FUZZING

Things to try for Mongo NoSQLi:

• JavaScript -> Inserting a function can be interesting!

• Json -> / { } :

• Trigger MongoDB syntax error -> ' " \ ; { }

• Insert logic -> ' || '1' == '1' ; //

• Comment out -> //

• Operators -> $where $gt $lt $ne $regex

• Mongo commands -> db.getCollectionNames()


NOSQL INJECTION METHODOLOGY

Have a baseline valid request for comparison

Attempt to cause a syntax error response from the database

Inject operators that modify the query

Inject logic to cause the query to return multiple records

Inject new records that modify the schema <- careful!

Delete or modify records <- careful!

Inject JavaScript

Inject JSON or BSON directly to the database

Access REST APIs, management interfaces, or the database directly


NOSQL INJECTION PROJECTS

Tools:

• NoSQLMap

• NoSQL Exploitation Framework

• FuzzDB list of injection strings (all 21 lines)

• Some commercial automated web application scanners

Vulnerable applications:• One written by Robin "digininja" Wood

• Bundled in NoSQLMap

• Written for the Websecurify blog post on NoSQL Injection

• Many others, likely not intentional though!


Demo!


Demo: NoSQL INJECTIONmongo.sec642.org

Click on Guess_The_Key

Type in a guess

Now we have a baseline


Demo: NoSQL INJECTIONGUESS_THE_KEY


Demo: NoSQL INJECTIONASKING FOR THE KEY

With the stack trace, we can create the attack

The context of their code dictates our exploit

Close off the previous logic, insert new logic, comment off the rest of the line

' ; return key; //

Voila, the key value appears


Demo: NoSQL INJECTIONUSER LOOKUP

Return to the home page

Click on User_Lookup

Type in a name

We now see a valid butnegative response

Type in sid to see a validand positive responsefor our baseline


Demo: NoSQL INJECTIONUSING QUERY PARAMETERS

Entering sid gave us a valid query and response

Fuzzing gave us nothing useful

We will need to insert JavaScript, logic, or query operators to achieve our goal

[$ne], [$gt], and [$regex] will help use here.


Demo: NoSQL INJECTIONUSING QUERY PARAMETERS

type[$ne]=user&

username[$ne]=sid

Success!

type[$regex]=.*&

username[$regex]=.*

Dumps the whole table!

20


Demo: NoSQL INJECTIONLOGIN

We want to be administrator!

There are three parameters:type, username, password

How can we bypass the password check once we have a valid username and user type?


Demo: NoSQL INJECTIONAUTHENTICATION BYPASS

Query operators once again.

type[$ne]=user

&username[$ne]=foo

&password=bar'

|| '1'=='1


New series of web app pen test cheat sheets…

Crowdsource!


Questions?


COURSE RESOURCES AND CONTACT INFORMATION

AUTHOR CONTACT

Moses Frost

[email protected]

Justin Searle

[email protected]

@meeas

Adrien de Beaupré

[email protected]

@adriendb

SANS INSTITUTE

11200 Rockville Pike, Suite 200

North Bethesda, MD 20852

301.654.SANS(7267)

SANS EMAIL

GENERAL INQUIRIES:

[email protected]

REGISTRATION:

[email protected]

TUITION: [email protected]

PRESS/PR: [email protected]

PEN TESTING RESOURCES

pen-testing.sans.org

Twitter: @SANSPenTest

mailto:[email protected]







sans sec642 advanced webapp penetration testing day1 · mongodb mongodb is a document-oriented...

Documents