NoSQLi Lab

With the rise in popularity of NoSQL I figured it was time to build a lab so I could have a play with the different techniques used to attack them. This was the result...

Seeing as I've already played with Redis for some development work I decided to go with MongoDB here. I have built two different scenarios in this lab, an equivalent of the SQLi " or 1=1" vulnerability and also a new type of attack, which is specific to NoSQL, script injection. I might add more later but these were good for a start.

The lab is easy to install, the only problem is making sure your Linux distro includes the latest MongoDB drivers for PHP, this is the right one: 

php-mongodb - MongoDB driver for PHP

And this is the wrong one: 

php5-mongo - MongoDB database driver

The lab is available on Github at https://github.com/digininja/nosqlilab. The following shows how to get it working on Debian Stretch. Last time I checked, Jessie uses the older version of the drivers and so wouldn't work. 

apt-get update && apt-get dist-upgrade
apt-get install php-mongodb apache2 vim mongodb git php

cd /var/www/html/
rm index.html 
git clone https://github.com/digininja/nosqlilab

If you then browse to your IP you will hopefully get the lab home page:

The homepage for the site

The first thing to do is to populate the database with the test content, this is done with the "Reset Database" link. If this works you should not see any errors and the page should end with the message "Database Reset Successfully":

Successful resetting the database

If you get a page full of PHP then you have either missed installing PHP or for some reason it is not enabled, start your debugging looking there. If the page starts to render but does not finish and you do not get the success message then it may be that you have not got the MongoDB libraries, check the Apache error log. You can also check by looking at the phpinfo() page, it should look something like this:

phpinfo page showing the correct MongoDB library

Once everything is working there are two vulnerable pages, "Guess The Key" and "User Lookup". I'm not going to go through how to attack them as there are plenty of tutorials on NoSQLi out there. A good place to start is the OWASP Testing for NoSQL injection guide. If you get really stuck, I've provided some sample solutions hidden away in the solutions section.

A blured out solutions page

Any problems with any of it, raise an issue in Github and I'll take a look at it. I'm not a NoSQL expert and most of this has been built by trial and error so if you spot problems, or feel you can improve things, feel free to submit pull requests.

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.

Buy me a smoothieBuy me a smoothie

The Protein Works