Dumping Data with NoSQL Injection via Regex and Python

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates NoSQL injection techniques using regex and Python, showcasing tools like Docker, MongoDB, and Burp Suite to exploit vulnerabilities in a Node.js application. It covers topics such as regex pattern construction, brute force attacks, and performance optimization.

Full Transcript

what's going on YouTube this is ipsec and this video is going to be all about dumping data out of a mongodb database from a nosql injection and a node.js application to start things off we're just going to use this Docker machine from hack the Box because all you have to do is spin it up and then go to dev.stocker.hdb and you get access to a prompt that is SQL injectable and nosql injectable so let's test this out if we do admin admin and send this over to burp Suite and look at the request we can see uh log and failure just leads to login errors so this is the string we want to look for that we know the connection didn't work but first we should identify this is a node.js application and you can do that either by the cookie the connect.sid is a giveaway also this x powered by Express is a huge giveaway and I keep emphasizing node.js just because mongodb is super common with node.js applications because most developers start with the mean framework which is mongodb Express angular and node so let's just test for SQL injection and to do that we should convert this over to a Json request from xww form URL encoded because when it is Json we can inject an object easier and that is one of the requirements to do this nosql injection so I'm just converting this payload by hand to Json and then we're going to send it and we get login error that is good we're going to send invalid Json just see how the application behaves and we see it's definitely going to be parsing Json hopefully you don't see a full stack trace on a production server because this does leak sensitive information like Dev but um I digress so let's inject an object so we're going to make the parameter um n e which in mongodb this n e is not equals I'm going to say not equals to admin and we're going to copy that for the password so now we're saying let me log in whenever the username and password does not equal admin and it lets us into the application which is great we've logged in but what if we wanted to get data out of this application we can't just bypass authentication but we can use this kind of as Boolean logic with the regular expression modifier for this so if we instead of did n e we did reg X we can just write a regular expression here and when it matches we'll log in so if I just did a it's going to work if there's an A in any of the usernames which isn't really that helpful same with o like this is just matching if it exists in any username but since this is regex we can insert this character this carrot which is this character starts with so now starts with o is failing but if we did starts with a it succeeds so then we can just script out and do a b a c and go to until we get another valid character and then just go down the list until we get this entire regex so this is easily scriptable so we're going to do that and then I'm going to show some ways to optimize it because if we did 0 through 9 A through Z lowercase A through Z uppercase that can take quite a while to go through that whole key space and you can get through that and just like six to seven requests as long as you do some optimization so we'll show that at the very end of the video but first a word from my sponsor which is going to be sneak if you just go to sneak.co ipsec you can do me a huge favor and when you sign up to sneak because I know you're going to want to sign up to it after this I'll get credit for bringing you to the product and to show the product let's just analyze the source code of this website for it to find vulnerabilities right and I've already rooted the Box um you can see in this pane root at stalker I put the web source as dev.tar.gz and copy it to Source on my computer I'm going to run code period just to open up visual studio code where the sneak plugin already installed so if I go over to sneak it's going to start scanning for vulnerabilities and it's got two main scanners the first one is going to be the open source security which goes super fast it just looks at all the libraries that are used and we can see two vulnerabilities in the fast XML parser the Prototype pollution regular expression and it's pulling that from the packagelock.json just saying this version is being used and it's vulnerable you should look into it or update it but the real good thing is going to be the code security module at least that's my favorite thing about the product because it's actually going to scan how your code is used and show you the vulnerabilities like we can see 11 vulnerabilities in index.js if we went to the problems we get a bit more of a description down here like two nosql injections three path traversals I'm telling us we should disable the x-powered buy header there's just a lot of good information here and if we look at it from the code security standpoint and click on it it's going to tell us also um ways we can patch it right here is a nosql injection but it's not one I knew about it's in the API purchase order or PO ID so this is in the URL and we're just doing a mongodb query let me just um change this slightly so we can see it a bit better and we're just doing find by and then saying request.parameters.id so this could be injectable in the same way as our username and it's telling us to just make this a string so let's look at the other um no SQL injection let's see that's send file send file here we go so this is the one where we are doing actual injection into the user and we see the find one username password and if we look at password it tells us the whole flow here so if I click on 48 it says hey it's getting the password from line 48 and it's flowing into here and it's highlighting all the places where it's used and there's no sanitization so you can look through it and see if essentially password just comes straight from the request.body and it's saying to fix it we should just make this dot to string and if it was dot to string here even if we passed it um this Json object it would flatten it and treat the whole thing as a string and not be injectable so there's sneak showing you both the vulnerability and a good way to patch it right and it shows a lot more I'm sure let's see if we go sweet fixture hard coding values that could be a secret so this looks like it's in one of the libraries used has an AWS access key it's an example key so I think this is just a complete example not being used but it does highlight things that are in use or secrets that are in the application that you may not realize and there's example key right here so this is definitely not a real key but I have found keys and just libraries um through this right and again here's one that's a potential denialist service but you can see all the vulnerabilities it is finding in this code right but enough of hunting vulnerabilities this video was about actually exploiting them so let us um make a new directory I'm just going to call it ATK because I'm not creative it's going to be standing for attack and then I'm gonna touch and we'll call it exploit.pi and open up via Studio code in this directory and I can close this one and now let's start our python script and the first thing we do is of course import the request module because we're going to make web request in Python and then the next thing I'm going to do is create a function just test login and then we'll do payload and you can see um GitHub copilot is suggesting this code for me let's just fix this up so we want to go to Dev dot stalker dot htb I think that was it um Dev Docker hdb that is the domain slash login and then for this um I'm going to take the data out and we can say request post URL and Json is equal to payload and then I'm going to do a r dot raise for status and this means if the server errors out it will just cause an error um and have our code stop right then the next thing we can do is say if error is in r dot text then we return false because the um payload was not like the login was unsuccessful right and then we can say return true here because if error is not in r dot text the login was a success and again I'm just showing right here this is a Success login you see no word error right here if we made this invalid we have login error so now I can just do payload is equal to and let us just copy this and I actually don't want to make this a string see this and we need one more there to make this valid and I think we could even go one step and make this a bit prettier and showcase it like this right let's see password this should be unindented will that work let's just print payload and see if it works hi F5 hit enter and we see it indeed does so now I can say if test login payload [Music] print success else print failure right so when we run this we see failed and I'm going to change this to something that's successful so we'll do begins with a and hit enter and we see success so now we have the basic thing of our attack so what we should do first is create another function called get username so we'll do def get username and actually before we do this we should probably get um the length of the username and I haven't talked about this yet but I mean it's regular expression so we can easily showcase this um let's see so what we're going to do here is check for how long this username is and this is only going to work because there's one username in this um if there were multiple usernames then you may have to get tricky it's the username is a really hard one to x-fill just because of how we're doing it it's really good for getting passwords when you know the username because you know there's only going to be one password that goes to that user but for the sake of explanation we're just going to treat the username like this so we're going to create a regular expression that matches everything so A to Z A to Z 0 through 9. and then if we do this bracket it's going to say it's going to go on for one character then two characters then three characters then four characters then five characters then six then seven and now eight is a failure and I think if we said started with 7 and ends with Now 1 is going to be failed two failed three five six and seven so now this string is only going to match um on seven which means this field is seven in length so this is going to be the payload we use so let us copy this paste it in move payload this line and I probably should make this like one line now that I look at it it looked clean but now I don't like it username comma maybe I wanted two lines and this will look better I just don't want this payload to like take up half the screen there we go that should be fine so that is our payload and what we want to do is put a number here so I'm gonna put this in I and in um an F string if you want to put a bracket it's actually two brackets so two brackets is equal to printing a bracket so what this is going to do now is put a number in here so we can say for i n we'll say range of 1 to 64. um or we can do 128. so we'll be able to go 128 characters for a total enumeration and I just want to print payload and then we can comment this out and I can say get length username and all I want to do is see the payload and my number increasing which I actually don't see it we see regex oh no I do 120 there it is um this dollar was throwing me off it's like it's a variable but now we can see that is increasing so now we can just say if test login payload return I so now as soon as it hits a valid one it's going to return and we can print um I shouldn't call that count I should call it length username length username like that of fix the typo l-e-n-g-t-h and now we print and at seven it gets us the length so that's how we know how long this username is the next step is going to be um actually doing the brute forcing logic and before I do that let's wrap this in um a try accept so actually that's let's do try then accept exception as e and we can crazy and here we can say raise exception length username not found sure and this should be after this so what I'm doing here is if we ever go through this whole thing I want to raise an exception so now if I do a try we can do accept exception print e and let's say our length was only four right when I run this it's going to say length of username not found or we should say um unable to get length of username so this is just a good way to handle um exceptions right and let's do if we broke the HTTP request up here I'm just going to say data payload and send it we probably will get a completely no we didn't um let's see different the domain doesn't exist we just did not HB and now the exception is going to be an HTTP connection right so if we didn't use all this exception handling we just know it failed somewhere we didn't know the exact failure and I find this being a more crucial thing as a lot of places start going to like cloudflare and things like that if you don't have proper exception handling it may just fail you think it's your code but really uh cloudflare decided to block you and you never printed the error message out so exception handling I find to be very important when writing python so we got the length of the username now we want to actually get the um actual username so let's do another function of get username and we're going to pass in the length I'm also going to pass in a variable called starts with and we'll say the default is going to be nothing and this is just if we know um the name starts with something we can just type it in and cheat and get the first few characters I don't think we're actually going to use it but we're never doing Boolean injection I always like including that I said width instead of width there we go so the first thing we want to do is start a try Loop and then we can say um the care set so I'm going to do care set is equal to string dot ASCII letters plus string dot digits and let's import string and then the next thing we want to do is Loop over um the length so we know the string or the username is seven characters because we already made that here and let's just get rid of these um squigglies by doing the accept thing so we know that's going to be seven characters and then we're going to say for C in keraset payload is equal to username starts with it got relatively close right so we create the payload it's going to be username and then starts with we have to make this not equal or not not equals reg X and this goes in quotes and then we do an F string of starts with and C and then close that out and what are you erroring about um we can put that in double quotes So it's an F string I guess we could have just done starts with and plus C how it recommended um no reason we could have done that so regex starts with C test login return this and we don't want to return we're just going to say starts with is equal to where plus is equal plus equal so we append C okay and then at the end we return starts with so after seven characters we're going to return this so I think this is going to work so um what we're going to do Loop over the length and then Loop over the character set which is all letters and digits and then put the payload here and on success we will print starts with just so we have some debug and now here we can say get username length username and to speed this up I'm just going to say length username is equal to seven because we already found that out no need to send seven HTTP requests to get it and we have a and then we're going to take a couple seconds and then we're going to go again get G and if you're confused we can always send this to a proxy and this is one thing I love doing um and just looking at the request that way so in this test login we can say proxies is equal to http then http localhost 8080. and then say proxies is equal to proxies I'm going to turn intercept off so we can just look at the HTTP history send this and we see it making all the requests so we can see that's AF that's a k a l a m and it's just going to keep going down the list until it hits a success right so that is how this works um so let's see what the third parameter will be and we got a n g and I sped up the video a little bit just because um I don't want to keep you waiting forever but we can see this isn't the quickest thing um I'm actually going to stop it and then we'll run it but I'm going to run it with a time so we can see how long it takes so I'm going to time um python3 exploit.pi and let's just do that on a clear screen I'm going to pause the video we'll resume and see how long this takes then do the optimization and see how quick we can get it done down to and we want seven characters it printed and Goose but it didn't return yet I realized I forgot one critical thing that would speed this up a lot um in the actual script once we append this we should have a break so we break out of this for Loop because what it did right now is it hit the valid e but it's still brute forcing all the characters it's going through the whole character set even though we definitely don't have to so I am going to fix that one thing before we do the major um speed boost and that will be um getting this down so it's like six to seven requests per character instead of how many is it now if we do let's see a Python 3 import string then we can say lens string Dot ASCII letters plus string dot digits is doing 62 requests for every single character right now but we can get that down to six to seven I forget exactly the number I think it's seven requests per character but still once it hit this e there's no reason for it to keep going right um and burp sweet may be slowing this down as well we see three minutes and five seconds there so what I'm going to do is we're going to run it again so V I'll call it benchmarks.text right so I'm going to say uh full care set plus burp equals 3M 5S so this next one we put the break in I'm going to leave burp just so we don't um ruin the benchmark and we're just going to run it this way and now once it hit a we'll see it immediately goes to the next character um k l m n so after this n I'm going to hit up and it's already going to the third character so this one I'm gonna guess will probably take around um one minute and 20 seconds you can see it's almost done I haven't done any video editing yet and now I may not even bother pausing the video because we're about to get exactly how long it takes so we'll say with break is equal to 32 seconds so we shaved off a full three minutes now let's see how much burp sweet slowed us down because I don't want to keep using burp sweet and then after that I promise you we will do the full optimization so let's run this again and it will probably take I'm gonna guess like 25 seconds I think burp sweet probably around a 10 performance difference so 23 seconds I wasn't that far off but we'll do a break plus burp and then with break no burp is going to be 23 seconds so now let's get over in the code and kind of explain what we're going to do um we're essentially instead of doing a um starts with a so instead of let's see starts with a we're going to say starts with ABCD and take half of it and then if it finds it um we're going to take half of that and we're just going to keep having the care set until we come down to just one character so that's going to be the magic performance trick that we do here but before I do that I want to make one more function because as I'm looking at this I'm kind of puzzled how I can do proper exception handling here if we went through this whole care set and didn't get a match what is a program going to do um it's just going to return where it's at right there's no easy way to set a um to do like exception handling here we could create like a Boolean that says matched and then like if we did match is equal to true then we can say if match starts with um else return false or something but that's not a good way to do it um a good way would be to just break this into its own function so I'm going to say death and we'll say get care username and then starts with and we don't even need the length here so we're just going to say for C and Care set the payload if test login we can just say we'll keep the print there um keep that print and we can say return s with or we just return C actually so we'll return the character and then here we can just put a exception because we should never hit this because we're not going to call git care username on the eighth character because we're already looping the max length we know it right so as long as the character is in our character set we should never hit this spot of our code the other piece I need to do is move character set here there we go and now we can say in this function care is equal to get care username starts with then if care starts with plus equals so this will be the code we use and I'm just going to run this one more time and pause the video just so you know this isn't where the optimization actually came from it's just cleaning up the code right so there you have it 24 seconds which is very close to or 23 Second I think that may just be the latency of the network so let's get into the code and do our optimizations here so we have the um keraset here and what we want to do is keep having this care set so I'm going to introduce a while the length of care set is greater than one okay and we're going to say the guess is equal to the care set and then we're going to grab the first half of the little string so we'll do length care set divided by two and if we wanted to let's see I'm just going to comment this out and we can print guess just so you can see exactly what this is so I'm going to set a breakpoint because I know this piece could be confusing if we look at guests right now before this line or look at care set we see it's the full string I'm going to step over this line and now see what guest did so guess just took that and divided it in half so what that's going to allow us to do is um create a new string and we can just do guess is equal to this plus guess plus bracket so since I'm still here I can just go in debug and paste this and then we look at it and this is the regular expression we want right we're going to say it starts with this and now we can just copy the exact payload we had used before so copy paste and put that here instead of C we're going to put guess like that and we probably should start this with the um carrot for starts with so that looks good and then we can say if test login payload so if it's successful we're going to say care set is equal to care set and then length care set two so we're going to have it again the same way we did else and then we're going to say have it the other way so if it was successful then the character is in this string if it wasn't successful then we're going to go again but take the other side of the string and we're just going to loop around that until we get a success so right here we can return uh care set and I think we want let's just see what this returns so run it it's going to return a so we probably just want care set um so if we have this string which is funky we just get one out of it it's going to get that character so I'm going to do keraset one because we just don't want the brackets so now let's see well one I'll uncomment that I think a code is ready for testing so let's do a Time against this and see how quick it is string out of range well it was two like 1.5 seconds but we had a error so I'm going to run it in this so we can see where that error is I'm gonna guess it's on this care set um so if I print care set like this let's see what's it going to print a and then the second time it fails so let's just set a break point here and we can see what it is so this time it was a the next time it failed let's see so is it failing here hey is out of range for care I don't know what's happening here it's actually failing I think on this return so care set one kset is just a we don't have brackets oh the brackets come from Guess I have no idea what I was thinking there so care set should just be that case it is a that looks good we're going to run it again and I think now it is successfully working um if I just hit the break point and goo so yeah it is working let's go see if we actually optimize this um hopefully we did it's always possible we didn't because maybe um most characters and and Goose could be within the first six of the alphabet but it doesn't look like that so we have with optimizations uh 13 seconds so that is how we would um extract data out of this one character at a time I guess to make sure we fully understand it we can go and do the password right so I'm going to copy get length username because it's very similar what we want to do and we'll say get length password and let's see um oh the we had one to four because we're only testing up to four characters right to make sure we hit that exception so the username we know we want and goose and then the password we're going to do the same thing we had before so I'm just going to copy this instead of deleting it and put it here and goose like that and this should be good and we're going to say I'll comment these and we'll say length password is equal to this and print length password I have a typo fix it and then run it and I'm going to pause the video because this will probably take 40 some seconds to run it was much quicker we got 32 which probably is going to be like an md5 sum or something right so I'm just going to comment that out so we don't run this every time and we'll want to create this function get password so we'll say get password length and get care username will be get care password and then again just copy this put it and we'll say get care password starts with and I'm just going to cheat and we'll say um that because since it's 32 characters I'm making educated guess right now that it's going to be hexadecimal right so we're going to keep all of this land guess yeah that looks good username we just want to put this here and username is going to be and goose so I think this is all we need so we can say get password um 32. and we're going to run it and see exactly how long this takes actually I probably should print where it starts with is I was thinking it's going to be much quicker but instead of seven characters we have to do 32 characters right so here we can print starts with so we can see it getting all the characters as it goes so B then B3 b3e so here we are extracting the password um while that goes there's one thing that I hard coded that I'm laughing at myself for hard coding we have get password the username probably should be a parameter right so let's say get password I'm going to give it username length like that and then get character password is going to be username starts with so now we can say get care password instead of and goose username and username and here is the password for and Goose right there so we can say length password or I can just uncomment this and we'll say print and goose password is equal to 32 characters and then what we can say is get password and Goose length and print and use password is that and then I guess we can see exactly how long this takes to dump his whole password and after this that will be the video and there you go we have successfully extracted the password in 51 seconds and that includes the 32 request prior in order to identify the length of this password that will be the video but before I go I do just want to let you know I create a repository after I recorded this video at ipsec and it's called just um ctf-grips if we do CTF Scripts I'm not sure what's not showing there but we have the exact thing that you saw in this video and I may make some improvements to it or you can commit and improve it but as of right now the initial commit of this is going to be the script you saw in the video so with that being said that's going to be it take care and I will see you all next time

Original Description

Check out Snyk here: https://snyk.co/ippsec 00:00 - Introduction talking about the application we are testing and identifying NoSQL Injection with $ne 02:30 - Showing the RegEx Operator, which will let us do partial matches and enable us to validate characters one at a time 03:32 - Start of sponsored shoutout to snyk 04:15 - Showing Snyk find some vulnerabilities with Open Source Security 04:40 - Showing Snyk's Code Security 05:54 - Showing and talking about how to patch the vulnerability 07:37 - End of Snyk Shoutout, starting our python script to perform this NoSQL Injection 10:20 - Testing out our test_login logic to identify if we had a successful login or not 11:05 - Showing how we can identify the length of the string we want 13:20 - Creating a loop to automatically identify the length of the string 15:20 - Adding exception handling to the function and talking about the benefits 17:40 - Creating a function to get the username 20:30 - Explaining what our Get_Username function currently does 22:25 - Doing a benchmark on our first iteration of the script and seeing it takes slightly over 3 minutes 24:10 - Adding in a break so it doesn't loop over the full character set every time which gets us to 32 seconds 26:00 - Talking about the major optimization trick we are going to do, validating multiple characters at one time 27:20 - Breaking the enumerating a single character into its own function for exception-handling purposes 29:20 - Start of coding the optimization trick 35:06 - Running our code and seeing we got it down to 12 seconds. Moving on to testing the password.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to exploit NoSQL injection vulnerabilities using regex and Python, and how to optimize brute force attacks for password cracking. It covers topics such as vulnerability scanning, denial of service, and performance optimization.

Key Takeaways
  1. Spin up a Docker machine from Hack the Box
  2. Access the MongoDB database at dev.stocker.hdb
  3. Test for SQL injection by converting the request to JSON
  4. Inject an object to bypass authentication
  5. Use regular expression modifier 'regX' to retrieve data
  6. Optimize brute force attacks using regex and Python
💡 NoSQL injection vulnerabilities can be exploited using regex and Python, and optimizing brute force attacks can significantly improve the efficiency of password cracking.

Related Reads

📰
Top 5 Best Regarded & Esteemed Cryptocurrencies Scam Recovery The Most Legitimate Bitcoin Recovery
Learn about the top 5 best regarded cryptocurrencies scam recovery services, including Zeus Crypto Recovery Services, to recover lost Bitcoin and other cryptocurrencies
Dev.to AI
📰
Mitigating Session Hijacking with JA4 Session Binding and AWS WAF Dynamic Label Interpolation
Learn to mitigate session hijacking using JA4 session binding and AWS WAF dynamic label interpolation to protect your web applications
Dev.to · nishikawaakira
📰
How One Missing Check Can Quietly Take Down a “Secure” Infrastructure
A single missing check can compromise a secure infrastructure through a denial-of-service attack, highlighting the importance of thorough security measures
Medium · Cybersecurity
📰
PSBT: Collaborative Bitcoin Transactions
Learn about PSBT, a standard for collaborative Bitcoin transactions, and how it simplifies multi-party transactions
Dev.to · Aturo Phil

Chapters (19)

Introduction talking about the application we are testing and identifying NoSQ
2:30 Showing the RegEx Operator, which will let us do partial matches and enable us
3:32 Start of sponsored shoutout to snyk
4:15 Showing Snyk find some vulnerabilities with Open Source Security
4:40 Showing Snyk's Code Security
5:54 Showing and talking about how to patch the vulnerability
7:37 End of Snyk Shoutout, starting our python script to perform this NoSQL Injecti
10:20 Testing out our test_login logic to identify if we had a successful login or n
11:05 Showing how we can identify the length of the string we want
13:20 Creating a loop to automatically identify the length of the string
15:20 Adding exception handling to the function and talking about the benefits
17:40 Creating a function to get the username
20:30 Explaining what our Get_Username function currently does
22:25 Doing a benchmark on our first iteration of the script and seeing it takes sli
24:10 Adding in a break so it doesn't loop over the full character set every time wh
26:00 Talking about the major optimization trick we are going to do, validating mult
27:20 Breaking the enumerating a single character into its own function for exceptio
29:20 Start of coding the optimization trick
35:06 Running our code and seeing we got it down to 12 seconds. Moving on to testing
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →