• caglararli@hotmail.com
  • 05386281520

MongoDB NoSQLi in Cockpit CMS – use of $func?

Çağlar Arlı      -    7 Views

MongoDB NoSQLi in Cockpit CMS – use of $func?

Please explain how this recent Cockpit CMS exploit works, specifically using the $func operator of the MongoLite library, in more detail. How does it exactly make the PHP code behave?

As I understand it, the PHP code uses MongoLite to connect to MongoDB, and the vulnerability is the PHP code allowing an array to be provided in JSON/BSON rather than a string.

The array uses $func to call var_dump, and dumps the variable 'user' to expose all user data in the database.

  • Isn't Mongolite an R library?
  • How does var_dump know to read the user variable? How does that look in terms of the process in the PHP code and access to the database? After compromising the machine, it seems to even use an Sqlite3 db.
  • NoSQLi is read-only after MongoDB version 2.4?

On a related note, could you point me to an example and resource about abusing PHP’s built-in associative array processing?