2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use Nosqli, a command line interface tool for NoSQL injection. The editor shares it here for reference, in the hope that you will have a good understanding of the relevant knowledge after reading it.
Nosqli
Nosqli is a powerful NoSQL injection command line interface tool: in essence, a NoSQL scanner and injection tool. Written in Go, Nosqli is easy to use, provides a complete command line interface, and lets security researchers adjust its configuration to their own needs.
The tool runs quickly, produces accurate scan results, and is highly usable; its command line interface is also very simple to operate.
Function introduction
Nosqli currently supports NoSQL injection detection for MongoDB, and can currently perform the following tests:
Error-based testing: inject various characters and payloads, then scan the responses for known Mongo error messages
Boolean blind injection testing: inject payloads containing true/false conditions and compare the responses to determine whether an injection point exists
Time-based testing: attempt to inject a time delay on the target server and determine from the response time whether an injection point exists
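As an added example (not code from the Nosqli project or from the original article), here is a Go sketch of the server-side pattern these tests are looking for: a lookup handler that forwards a decoded request body straight into the query document, beside a hardened version that rejects operator objects and non-string values and answers every bad request with the same generic error. The type and function names (Filter, containsOperator, unsafeLookupFilter, safeLookupFilter, lookup) and the sample request bodies are my own constructions; the code builds a driver-style filter document but does not connect to MongoDB.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Filter stands in for the query document a MongoDB driver would receive.
// (Hypothetical type for this example; no driver is used.)
type Filter map[string]interface{}

// containsOperator reports whether a decoded JSON value carries a MongoDB query
// operator key ($ne, $gt, $regex, $where, ...) anywhere inside it. Body parsers
// that turn `username[$ne]=x` or a JSON object into nested maps are what a
// boolean-blind probe relies on, so this walks maps and arrays recursively.
func containsOperator(v interface{}) bool {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, inner := range t {
			if strings.HasPrefix(k, "$") || containsOperator(inner) {
				return true
			}
		}
	case []interface{}:
		for _, inner := range t {
			if containsOperator(inner) {
				return true
			}
		}
	}
	return false
}

// unsafeLookupFilter is the vulnerable pattern: whatever "username" decoded to
// is forwarded into the filter. A string behaves; an object such as {"$ne": ""}
// turns the lookup into "match any user".
func unsafeLookupFilter(body map[string]interface{}) Filter {
	return Filter{"username": body["username"]}
}

// errBadInput is the only error text the client ever sees. Raw driver or parser
// messages are exactly what an error-based scan keys on, so they belong in the
// server log, not in the response.
var errBadInput = errors.New("invalid username")

// safeLookupFilter rejects any operator key anywhere in the body, insists that
// username is a plain string of sane length, and builds an exact-match filter.
// Quotes and braces inside the value are then inert data, not query syntax.
func safeLookupFilter(body map[string]interface{}) (Filter, error) {
	if containsOperator(body) {
		return nil, errBadInput
	}
	name, ok := body["username"].(string)
	if !ok || name == "" || len(name) > 64 {
		return nil, errBadInput
	}
	return Filter{"username": name}, nil
}

// lookup decodes a JSON request body the way a /user/lookup handler would and
// returns the filter to run plus the HTTP status the client should receive.
func lookup(bodyJSON string) (Filter, int) {
	var body map[string]interface{}
	if err := json.Unmarshal([]byte(bodyJSON), &body); err != nil {
		return nil, 400
	}
	f, err := safeLookupFilter(body)
	if err != nil {
		return nil, 400
	}
	return f, 200
}

func main() {
	// Constructed sample bodies: a benign lookup and an operator object of the
	// kind a boolean-blind test sends.
	for _, body := range []string{`{"username":"test"}`, `{"username":{"$ne":""}}`} {
		var decoded map[string]interface{}
		_ = json.Unmarshal([]byte(body), &decoded)
		fmt.Printf("body %s\n  unsafe filter: %v\n", body, unsafeLookupFilter(decoded))
		f, status := lookup(body)
		fmt.Printf("  safe filter:   %v (HTTP %d)\n", f, status)
	}
}
```

The body-wide operator check and the per-field string assertion are two separate layers on purpose: the first catches operator objects in fields the handler never looks at, the second makes sure the one field it does use cannot be anything but a plain string.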
Tool download
Researchers can go directly to the project's Releases page and download the latest Nosqli build for their operating system. After the download completes, install it into a directory on your PATH or run it directly from the directory it was downloaded to.
Tool use
Researchers can run a scan or view the help information as follows.
$ nosqli
NoSQLInjector is a CLI tool for testing Datastores that
do not depend on SQL as a query language. Nosqli aims to
be a simple automation tool for identifying and exploiting
NoSQL Injection vectors.

Usage:
  nosqli [command]

Available Commands:
  help        Help about any command
  scan        Scan endpoint for NoSQL Injection vectors
  version     Prints the current version

Flags:
      --config string       config file (default is $HOME/.nosqli.yaml)
  -d, --data string         Specify default post data (should not include any injection strings)
  -h, --help                help for nosqli
  -p, --proxy string        Proxy requests through this proxy URL. Defaults to HTTP_PROXY environment variable.
  -r, --request string      Load in a request from a file, such as a request generated in Burp or ZAP.
  -t, --target string       target url eg. http://site.com/page?arg=1
  -u, --user-agent string   Specify a user agent

Use "nosqli [command] --help" for more information about a command.

$ nosqli scan -t http://localhost:4000/user/lookup?username=test
Running Error based scan...
Running Boolean based scan...
Found Error based NoSQL Injection:
  URL: http://localhost:4000/user/lookup?=&username=test
  param: username
  Injection: username='
To try the tool out, point it at a deliberately vulnerable NodeJS application or another NoSQL injection practice lab.
Source code construction
If you want to build the source code yourself, or compile it for a specific platform, clone the project source code locally as shown below, install the dependencies, and then build the project manually. This requires that the latest Go toolchain is installed on the device and that the GOPATH environment variable is configured.
$ git clone https://github.com/Charlie-belmer/nosqli
$ cd nosqli
$ go get ./...
$ go install
$ nosqli -h
Run the tests
The tool comes with a test suite; researchers can run go test from the root of the project to exercise the simple injection detection logic:
$ go test ./...
In addition, Nosqli provides an integration test suite that runs injections against known vulnerable applications running locally. To use the integration tests, install and run the vulnerable NodeJS Mongo injection application, or the PHP Lab I provided, and then pass the integration argument when running the tests:
$ go test ./... -args -integrations=true
That is all on how to use the NoSQL injection command line interface tool Nosqli. I hope the above content has been helpful and that you have learned something from it. If you found the article useful, please share it so that more people can see it.
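As an added example (again not the Nosqli project's own test suite), here is a Go sketch of how a defender can turn the same probe classes into a regression test for a locally running application, gated by an -integrations flag that reaches the test binary through -args exactly as in the command above. The handler, probe list and all function names (lookupHandler, probe, runProbes, probes, integrationEnabled) are my own assumptions; an in-process httptest server stands in for the vulnerable lab, and the time-based class is left out because an in-process stub has no database to delay.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// integrations mirrors the `-args -integrations=true` switch: everything after
// -args is handed to the test binary, and the testing package parses the flag
// set before tests run, so a package-level flag like this is visible in tests.
var integrations = flag.Bool("integrations", false, "run probes against a locally running app")

func integrationEnabled() bool { return *integrations }

// usernameRe is the whole allow-list for /user/lookup: no quotes, braces,
// brackets or '$', so the characters an error-based or boolean probe injects
// never reach a query document or a $where string.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

// lookupHandler is a hypothetical hardened stand-in for the lab's endpoint. It
// answers every malformed request with the same generic 400, giving a scanner
// no error text and no content difference to tell an injection from a typo.
func lookupHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	// A bracketed key such as "username[$ne]" arrives as its own query key here;
	// anything other than exactly one plain "username" is rejected.
	if len(q) != 1 || len(q["username"]) != 1 || !usernameRe.MatchString(q.Get("username")) {
		http.Error(w, "invalid username", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "lookup ok: %s\n", q.Get("username"))
}

// probes are constructed from the page's test classes: the scan's own benign
// starting value, an error-class stray quote, and a boolean-class operator key.
func probes() []string {
	return []string{
		"username=test",
		"username=" + url.QueryEscape("test'"),
		url.QueryEscape("username[$ne]") + "=",
	}
}

// probe sends one GET with an already URL-encoded query string, as a scanner
// would, and returns the status code and body.
func probe(base, rawQuery string) (int, string, error) {
	resp, err := http.Get(base + "/user/lookup?" + rawQuery)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// runProbes runs every probe against base and records the status per probe. A
// non-200 answer whose body is anything but the fixed generic message is
// treated as a failure, because that is the leak an error-based scan keys on.
func runProbes(base string) (map[string]int, error) {
	results := make(map[string]int)
	for _, p := range probes() {
		status, body, err := probe(base, p)
		if err != nil {
			return nil, err
		}
		if status != 200 && strings.TrimSpace(body) != "invalid username" {
			return nil, fmt.Errorf("unexpected error body for %q: %q", p, body)
		}
		results[p] = status
	}
	return results, nil
}

func main() {
	flag.Parse()
	srv := httptest.NewServer(http.HandlerFunc(lookupHandler))
	defer srv.Close()
	if integrationEnabled() {
		// In a real suite the URL of the locally running lab would replace srv.URL here.
		fmt.Println("integrations flag set")
	}
	results, err := runProbes(srv.URL)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, p := range probes() {
		fmt.Printf("%-28s -> HTTP %d\n", p, results[p])
	}
}
```

Run it as a plain program to see the three probes answered (200 for the benign value, a uniform 400 for the other two); inside a test package the same functions can be called from a Test function that calls t.Skip unless integrationEnabled() is true, which is the shape the -args -integrations=true invocation expects.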
© 2024 shulou.com SLNews company. All rights reserved.