codingo / NoSQLMap

Automated NoSQL database enumeration and web application exploitation tool.
GNU General Public License v3.0

URL Encoding resulting in false negatives #67

Closed kildonan5 closed 4 years ago

kildonan5 commented 6 years ago

What's the problem (or question)?

NoSQLMap does URL encoding of parameters, including the `=`, which causes unexpected behavior (false negatives) when running vulnerability checks in some applications. For example, in an application I am currently pen testing, if I do a query in a browser with the target param blank, such as `https://url/program.py?Param=`, every possible row is returned (essentially no filter is applied, so everything is selected). If I provide a non-existent value, such as `https://url/program.py?Param=xxx`, no rows are returned, since there are no matching records (as expected).

Choosing a 3 (random) character test string, this is the URL that NoSQLMap requests (substituting xxx with the 3 character string): `https://url/program.py?Param%3Dxxx`. In this application all rows are returned for the baseline, because the `%3D` (encoded `=`) is not properly handled. It's unclear to me what is at fault here (the web server? the application itself?) but it's clear the app does not behave as expected when the request URLs are encoded. I believe this may have worked before the function `urllib.quote_plus` was introduced to the nsmweb.py file, but I hadn't tried this tool prior to this week.

Do you have an idea for a solution?

I modified line 968 of nsmweb.py from:

```python
uriArray[x]=split_uri[0]+"?"+urllib.quote_plus(uriArray[x][:-1])
```

to:

```python
uriArray[x]=split_uri[0]+"?"+uriArray[x][:-1]
```

This resolved the issue for me and the false negatives disappeared.

How can we reproduce the issue?

It's unclear to me what is at fault in my scenario. It is probably the application (the Python script) not properly handling URL encoding, in which case you would need to set up an app that tries to read the URL parameters as "raw" strings.

What are the running context details?

NoSQLMap v0.7 (I pulled from git this week).

kildonan5 commented 6 years ago

From some further testing, actually, the URL encoding is still necessary; otherwise the injection just results in stack traces. The issue is that the `=` can't be URL encoded (that's what's causing the issue).
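The two comments above describe the same root cause from both sides: quoting the whole query string turns the `name=value` separator into `%3D`, so an app that reads the query as a raw string never sees `Param` at all (and falls back to "no filter", returning every row), while leaving the payload completely unencoded breaks the request in other ways. The usual fix is to quote only the parameter names and values, never the `=` and `&` separators. The example below is added here to illustrate that; it is not code from NoSQLMap or from the reporter. It uses Python 3's `urllib.parse.quote_plus` (the project line quoted above uses the Python 2 `urllib.quote_plus`), a constructed in-memory row set, and a hypothetical `raw_param` function that models an application parsing the query string without URL-decoding it, as the reporter observed.

```python
from urllib.parse import quote_plus

# Constructed sample data standing in for the target application's records.
SAMPLE_ROWS = [{"Param": "abc"}, {"Param": "def"}, {"Param": "xyz"}]


def encode_query_whole(url: str) -> str:
    """Encode the way the reported line does: quote the entire query string.

    The '=' separator becomes '%3D', so 'Param=xxx' turns into 'Param%3Dxxx'.
    """
    base, sep, query = url.partition("?")
    if not sep:
        return url
    return base + "?" + quote_plus(query)


def encode_query_values(url: str) -> str:
    """Quote only parameter names and values; keep '=' and '&' as separators.

    Payload characters (quotes, spaces, '|', and an '=' inside a value) are
    still encoded, which is what avoids the stack traces the reporter saw
    with no encoding at all, but the name/value separator survives intact.
    """
    base, sep, query = url.partition("?")
    if not sep:
        return url
    encoded = []
    for pair in query.split("&"):
        name, eq, value = pair.partition("=")
        encoded.append(quote_plus(name) + eq + quote_plus(value))
    return base + "?" + "&".join(encoded)


def raw_param(query: str, name: str):
    """Hypothetical app-side parser: splits the raw query on '&' and '='
    without URL-decoding, modelling the behaviour described in the issue.
    Returns the value string, or None if the name is not present."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def rows_for(url: str):
    """Simulated application query: no filter when Param is absent or blank,
    otherwise an exact match on Param."""
    query = url.partition("?")[2]
    value = raw_param(query, "Param")
    if not value:
        return list(SAMPLE_ROWS)
    return [row for row in SAMPLE_ROWS if row["Param"] == value]


if __name__ == "__main__":
    target = "https://url/program.py?Param=xxx"
    for label, url in (("whole-query encoding", encode_query_whole(target)),
                       ("value-only encoding", encode_query_values(target))):
        print(f"{label}: {url} -> {len(rows_for(url))} rows")
```

Running the block shows the false baseline: with whole-query encoding the simulated app returns all rows for a value that matches nothing, while value-only encoding returns zero rows, the same result the reporter gets in a browser. A scanner that compares a random-string baseline against injected payloads needs the baseline request to reach the application in the same shape a browser would send it, which is what value-only encoding preserves.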

github-actions[bot] commented 4 years ago

Stale issue message