NoSQLi - A Fast NoSQL Injection Scanner


Last year, I started working on a NoSQL injection framework because I just didn't find a tool that suited my purposes. Other tools were too hard to automate in my workflow, or missed a lot of the simple test cases I tried.

So I developed nosqli, an open source NoSQL scanner written in Go. It's configurable with command line options, and runs a large number of injection attempts against targets. It's mostly focused on Mongo injections, but does work to a lesser extent against any database that uses JavaScript.

$ nosqli
NoSQLInjector is a CLI tool for testing Datastores that 
do not depend on SQL as a query language. 

nosqli aims to be a simple automation tool for identifying and exploiting 
NoSQL Injection vectors.

Usage:
  nosqli [command]

Available Commands:
  help        Help about any command
  scan        Scan endpoint for NoSQL Injection vectors
  version     Prints the current version

Flags:
      --config string       config file (default is $HOME/.nosqli.yaml)
  -d, --data string         Specify default post data (should not include any injection strings)
  -h, --help                help for nosqli
  -p, --proxy string        Proxy requests through this proxy URL. Defaults to HTTP_PROXY environment variable.
  -r, --request string      Load in a request from a file, such as a request generated in Burp or ZAP.
  -t, --target string       target url eg. http://site.com/page?arg=1
  -u, --user-agent string   Specify a user agent

Use "nosqli [command] --help" for more information about a command.

$ nosqli scan -t http://localhost:4000/user/lookup?username=test
Running Error based scan...
Running Boolean based scan...
Found Error based NoSQL Injection:
  URL: http://localhost:4000/user/lookup?=&username=test
  param: username
  Injection: username='

Using NoSQLi


I tried to keep a simple and flexible CLI interface for scanning. You can pass in a target URL with GET parameters that need to be scanned, or a saved request with POST data. The scanner is smart enough to know if the data is JSON or form data, and will inject either way.

The configurations currently support running through a proxy (so you can view the generated traffic in Burp or similar software) and changing the user agent.

Scanning Types

NoSQLi has the most commonly found injection vectors implemented:

Error Scans: Look for known error strings in responses from the server.

Blind Boolean Injections: When the page doesn't return errors, but does return different content depending on whether the injected condition evaluates to true or false in the database (or on whether some records are retrieved vs. none).

Timing-based injections: When all else fails, detect whether the database sends a delayed response after a successful injection.
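As an added defensive counterpart to the scan types above (example code, not part of nosqli), here is the kind of request-handler check that stops the operator objects a boolean-based Mongo injection depends on. It assumes a hypothetical JSON lookup endpoint that expects a plain string "username", the same parameter the scan output above targets.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// containsOperator reports whether any object key in a decoded JSON value starts with "$" (the MongoDB operator prefix).
func containsOperator(v interface{}) bool {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if strings.HasPrefix(k, "$") || containsOperator(child) {
				return true
			}
		}
	case []interface{}:
		for _, child := range t {
			if containsOperator(child) {
				return true
			}
		}
	}
	return false
}

// ParseUsername (hypothetical handler helper) accepts the lookup body only if
// "username" is a plain string and no operator object appears anywhere.
func ParseUsername(body []byte) (string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	if containsOperator(doc) {
		return "", fmt.Errorf("rejected: operator key in request body")
	}
	name, ok := doc["username"].(string)
	if !ok {
		return "", fmt.Errorf("rejected: username must be a string")
	}
	return name, nil
}

func main() { // constructed bodies: a legitimate lookup and an operator injection
	for _, body := range []string{`{"username":"test"}`, `{"username":{"$ne":""}}`} {
		name, err := ParseUsername([]byte(body))
		fmt.Printf("%s -> name=%q err=%v\n", body, name, err)
	}
}
```

Rejecting the whole body on any "$"-prefixed key, rather than only checking the one field, also covers operator objects smuggled into fields the handler never reads but may pass through to the driver.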

Using NoSQLi with Requests

A key feature missing from a few scanners I tried previously was the ability to export a request from a proxy and run the injections based on that. NoSQLi can leverage this easily, and keeps all the header information, including things like user agent.

While the tool does not yet support importing a full session log and executing tests against all requests sequentially, saving a standard HTTP request to a file and referencing that file allows repeatable tests, or extraction from other tools such as Burp.

Installing NoSQLi

The GitHub page has all the instructions. You can build from source or download and run the appropriate executable for your system.

Roadmap / Future features

I'd like to support data extraction and specific tests for NoSQL databases beyond MongoDB. If you have ideas, try it out and let me know what else you would like to see!

Charlie Belmer
USA

I live for privacy, security, and online freedom because these are the building blocks of a better society, one I want to help create.