
Hack The Box: (Shoppy Machine) NoSQLi attack

by ThreatNinja

What is NoSQL Injection?

Before going into the details of NoSQL injection, we need to understand NoSQL databases, which impose looser consistency restrictions than SQL databases. Most of the time, the attack executes in a procedural language rather than in the SQL language, and the impact is greater than that of SQL injection.

How to review the source of the injection?

For every vulnerability, there is some way to detect or review whether it exists in the application or system.

Normally, we should be able to verify the vulnerability by analyzing the source code of the web application. In this case, I managed to analyze the code when we managed to access the machine.

The vulnerable code, which shows that the application can be exploited with NoSQL injection, is as below:

const query = 'a'=='a&password=admin

An example of the syntax that runs in the background is available by clicking here, which helps us understand it better.

Demonstration on the Injection Attack

The link here will show the full walkthrough of the machine.

We managed to access the login page for the Shoppy Admin.

Whenever I see a login page, I normally try the SQL Injection attack method but I found out that the page is vulnerable to NoSQL Injection.

Let's inspect the packet via Burp Suite and key in an attack parameter such as ';

The vulnerable code explains that the application will recognize the injected code as true.
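
To make the review step concrete, here is an added example (not code from the Shoppy application or from this walkthrough) that places a login check built by string concatenation beside a hardened one. The predicate shape, the in-memory user store, the sample password and the function names are assumptions made for illustration; `new Function` stands in for a database engine that evaluates a JavaScript expression per document.

```javascript
// Constructed in-memory collection standing in for the NoSQL user store.
// Plaintext passwords keep the demo short; a real store holds password hashes.
const users = [{ username: 'admin', password: 'constructed-Secret-1' }];

// VULNERABLE (assumed shape): input is pasted into a JavaScript predicate
// string that is then evaluated once per document.
function buildPredicate(username, password) {
  return `this.username === '${username}' && this.password === '${password}'`;
}

function vulnerableLogin(username, password) {
  // new Function stands in for the database's server-side JavaScript engine.
  const predicate = new Function(`return (${buildPredicate(username, password)});`);
  return users.some((doc) => Boolean(predicate.call(doc)));
}

// HARDENED: input stays data. Only plain strings are accepted (objects or
// arrays parsed from a JSON body are rejected) and values are compared
// directly, so quotes and operators in the input have no meaning.
function safeLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  return users.some((doc) => doc.username === username && doc.password === password);
}

// Constructed input built around the 'a'=='a condition and password=admin from the page.
const injected = "admin' || 'a'=='a";

function demo() {
  return {
    predicate: buildPredicate(injected, 'admin'),
    vulnerable: vulnerableLogin(injected, 'admin'), // true: password check bypassed
    hardened: safeLogin(injected, 'admin'),         // false: treated as a literal name
    legitimate: safeLogin('admin', 'constructed-Secret-1'), // true
  };
}

console.log(demo());
```

In the vulnerable version a lone quote in the input makes the predicate fail to parse, which is why an unexpected error on a single `'` is a useful signal during code review and testing.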
