MongoDB Injection 02
This exercise is one of our challenges on vulnerabilities related to MongoDB.
In this example, we focus on retrieving information from a NoSQL database by leveraging blind injection techniques. By understanding the structure and behavior of the application, we can infer the existence of a password field and use regular expressions to confirm our suspicions. Through a series of crafted queries, we can distinguish between true and false states, allowing us to script the exploitation process to retrieve the admin password.
The lab also includes a detailed source code review of the challenge 'Mongo 02,' where we analyze the Ruby application using Sinatra and MongoMapper libraries. We identify vulnerabilities in the code, such as unsafe string interpolation, which can be exploited to perform NoSQL injection. This allows an attacker to access and dump the contents of the database, ultimately retrieving the key (admin password) required to solve the exercise.
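The unsafe string interpolation mentioned above, shown beside a hardened form, as an added example that is not the lab's own code. It assumes the interpolation feeds a `$where` JavaScript predicate and that the field is called `username`; both are assumptions, as are the helper names. The non-String check goes slightly beyond the page, covering the case where a nested request parameter arrives as a Hash.

```ruby
# Constructed request values; the field name "username" is an assumption.
BENIGN   = "admin"
BREAKOUT = "x' || '1'=='1"          # closes the quoted literal early
OPERATOR = { "$regex" => "^a" }     # shape of a nested param such as username[$regex]=^a

# Vulnerable pattern: input is interpolated into a server-side JavaScript
# predicate, so the database cannot tell data from code.
def unsafe_filter(username)
  { "$where" => "this.username == '#{username}'" }
end

# Hardened pattern: no $where, the value is passed as data in the query
# document, and only a bounded plain String is accepted.
def safe_filter(username)
  raise ArgumentError, "username must be a String" unless username.is_a?(String)
  raise ArgumentError, "username too long" if username.length > 64
  { "username" => username }
end

# Review helper: the interpolated predicate should contain exactly the two
# quotes that wrap the literal. Any other count means the input changed the
# structure of the predicate instead of staying inside the literal.
def alters_predicate?(username)
  unsafe_filter(username)["$where"].count("'") != 2
end

[BENIGN, BREAKOUT].each do |value|
  puts "input:   #{value.inspect}"
  puts "unsafe:  #{unsafe_filter(value)['$where']}"
  puts "altered: #{alters_predicate?(value)}"
  puts "safe:    #{safe_filter(value).inspect}"
end

begin
  safe_filter(OPERATOR)
rescue ArgumentError => e
  puts "rejected non-String input: #{e.message}"
end
```

With the hardened form, the quote-bearing value is matched literally against the field and never reaches a JavaScript evaluator.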