NoSQLi 0.5.1 Released

The next Alpha release for NoSQLi is ready for use! This version brings a few minor bug fixes and performance enhancements to existing scans. The primary new feature is the addition of certain PHP GET parameter injections.

This means that nosqli now has detection for all of the planned injection types: PHP GET, error-based injection, boolean injection, blind boolean injection, and timing-based boolean injection tests.

What are PHP GET injections?

In PHP, using brackets in a GET parameter converts it into an array. For instance, a normal expected submission for some parameter might be something like vulnerablesite.com/checkorder?id=12345. When the PHP script retrieves this value, it sees a string containing the expected "12345" value.

However, we could instead modify the URL to something like vulnerablesite.com/checkorder?id[$gt]=12345. The added brackets will convert this value from a string into an array. The same PHP retrieval code will now return an array instead of a string: array { ["$gt"] => "something" }.

If this is being passed without proper checking directly into mongo, we have achieved an injection, and can query the database using logic operators like not-equal, less-than, etc. In the example above, the query is modified from array { ["id"] => "12345" } to array { ["id"] => array { ["$gt"] => "12345" } }, and mongo will read that value array as a search for ids greater than 12345.
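The difference between the two URLs above, and a server-side check that stops the second one, shown as an added example that is not part of the original post or the nosqli code base. The function names are hypothetical, the query strings are constructed, parse_str() stands in for PHP's population of $_GET, and the filter is only printed rather than sent to a MongoDB driver.

```php
<?php
// Added example: how bracket syntax changes the filter built from a GET parameter.

// Unsafe: whatever type PHP parsed (string or array) goes into the filter.
function buildFilterUnsafe(array $get): array
{
    return ['id' => $get['id'] ?? null];
}

// Hardened: the value must be a plain string of digits, so an array such as
// ['$gt' => '12345'] never reaches the query.
function buildFilterSafe(array $get): array
{
    $id = $get['id'] ?? null;
    if (!is_string($id) || preg_match('/\A[0-9]+\z/', $id) !== 1) {
        throw new InvalidArgumentException('id must be a string of digits');
    }
    return ['id' => $id];
}

// Constructed sample query strings (single-quoted so $gt is not interpolated).
$samples = ['id=12345', 'id[$gt]=12345', 'id[$ne]='];

foreach ($samples as $query) {
    // parse_str() uses the same bracket-to-array rules as $_GET.
    parse_str($query, $get);

    echo "query: {$query}\n";
    echo '  unsafe filter: ' . json_encode(buildFilterUnsafe($get)) . "\n";
    try {
        echo '  safe filter:   ' . json_encode(buildFilterSafe($get)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo '  safe filter:   rejected (' . $e->getMessage() . ")\n";
    }
}
```

For the bracketed inputs the unsafe filter contains a nested operator document, while the hardened function rejects the request before any query is built.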

So what exactly is new in this version?

In previous versions, nosqli checked only [$regex] values for injection, and might have caught others if the server was returning MongoDB errors when special characters were tested.

In the latest version, it now explicitly checks for all of these PHP GET injection types for all parameters on a page. It is smart enough to check each parameter alone, and with others (in the case where one parameter is dependent on the value in another).

Grab the latest release on GitHub, take it for a spin, and see what you can find!

Charlie Belmer
USA

I live for privacy, security, and online freedom because these are the building blocks of a better society, one I want to help create.