How to Exploit and Defend Against MongoDB Injection Attacks
This article explains why MongoDB is chosen, demonstrates practical PHP injection techniques against MongoDB queries, shows how to enumerate databases and collections, and provides concrete defensive measures such as using implode(), addslashes() and regex sanitization to prevent attacks.
FreeBuf Encyclopedia: MongoDB Overview
MongoDB is an open‑source NoSQL database that stores data in a JSON‑like format, offering flexible schemas and fast query capabilities.
Why Use MongoDB?
It can handle up to a billion operations per second and excels in scenarios where relational databases struggle, such as unstructured, semi‑automated, or highly scalable data requirements.
Attack Demonstration
Case 1 – Basic PHP Injection
A PHP page receives an id via a GET request and uses it to query the users collection in the security database. By passing an array with MongoDB operators, the attacker can modify the query so that all documents except the one with id=2 are returned.
The resulting MongoDB query looks like:
{ "u_id": { "$ne": 2 } }
Case 2 – Using findOne
The second example switches to db.collection.findOne(), which returns the first document matching the criteria. By crafting the query to close the original statement and inject a new condition, the attacker can retrieve a specific document (e.g., id=2).
Enumerating Database Information
To discover the database name, use db.getName(). To list all collections, use db.getCollectionNames(). Once the users collection is identified, its contents can be retrieved with queries such as db.users.find() or by indexing, e.g., db.users.find()[2].
Defensive Techniques
To prevent array‑based injection, sanitize input before constructing the query. One approach is to collapse the array into a string using implode():
implode(',', $array)
Another method is to escape special characters with addslashes() and apply a regular expression to strip dangerous symbols:
$safe = preg_replace('/[\$\{\}]/', '', addslashes($input));
Applying these measures stops the attacker from breaking the original query structure.
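The Case 1 request and the defensive techniques above, as an added PHP example that is not code from the FreeBuf article. It makes no database connection: it only builds the filter array that would be handed to find()/findOne(), so it runs from the command line with plain `php`. The field name u_id matches the query shown in Case 1; the function names, the scalar-only validator and the sample query strings are assumptions made for this illustration.

```php
<?php
// Added example (not from the FreeBuf article). Shows how PHP's bracket decoding of
// a GET parameter turns into a MongoDB operator document, and compares three ways
// of handling it: the article's implode() and addslashes()+regex approaches, and a
// validator that only accepts a scalar integer id.
declare(strict_types=1);

// Vulnerable builder: the raw parameter goes straight into the filter.
// For "id[$ne]=2", PHP decodes id as an array, so the filter becomes {u_id: {$ne: "2"}}.
function buildFilterVulnerable(array $get): array
{
    return ['u_id' => $get['id'] ?? null];
}

// Hardened builder: id must be a scalar string holding a non-negative integer.
// Arrays (the operator-injection shape) never reach the query; null means "reject request".
function buildFilterSafe(array $get): ?array
{
    $id = $get['id'] ?? null;
    if (!is_string($id)) {
        return null;
    }
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($int === false) {
        return null;
    }
    return ['u_id' => $int]; // typed int: no operator keys can survive
}

// The article's collapse-to-string approach: implode() flattens an array into a plain
// string, so the driver no longer sees a document with operator keys.
function buildFilterImplode(array $get): array
{
    $id = $get['id'] ?? '';
    if (is_array($id)) {
        $id = implode(',', $id);
    }
    return ['u_id' => $id];
}

// The article's regex approach: addslashes(), then strip $, { and }.
function sanitizeLegacy(string $input): string
{
    return preg_replace('/[\$\{\}]/', '', addslashes($input));
}

// Simulated $_GET for a normal request and for the Case 1 operator-injection request
// (constructed samples). parse_str() applies the same bracket decoding PHP uses for $_GET.
parse_str('id=2', $normal);
parse_str('id[$ne]=2', $injected);

echo "vulnerable, normal:   ", json_encode(buildFilterVulnerable($normal)), "\n";
echo "vulnerable, injected: ", json_encode(buildFilterVulnerable($injected)), "\n";
echo "safe, normal:         ", json_encode(buildFilterSafe($normal)), "\n";
echo "safe, injected:       ", var_export(buildFilterSafe($injected), true), "\n";
echo "implode, injected:    ", json_encode(buildFilterImplode($injected)), "\n";
echo "regex sanitizer:      ", sanitizeLegacy('{"$ne": 2}'), "\n";
```

Run with `php example.php`. The vulnerable builder reproduces the Case 1 filter on the injected input, while the validating builder returns null for it and an integer-typed filter for the normal request. The implode() variant collapses the operator array to a string, which is why the article's measure keeps the query structure intact; the difference from the validator is that it still accepts the request instead of rejecting it, so type-checking the parameter is the more direct fix when the id is known to be numeric.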
Source: FreeBuf (http://www.freebuf.com/articles/web/106085.html)