[Day 7] Migration Without Security

{Web Exploitation = NoSQLi}

Logging into the server with the given credentials, I was able to interact with MongoDB and retrieve the first flag.

The following page is being served on port 80/HTTP.

Useful MongoDB Operators

$eq - matches records that are equal to a certain value.

$ne - matches records that are not equal to a certain value.

$gt - matches records that are greater than a certain value.

$where - matches records based on a JavaScript condition.

$exists - matches records that have a certain field.

$regex - matches records that satisfy certain regular expressions.

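Bypassing the login page is as simple as using the $ne operator on the password field: the password condition then matches any record whose stored password differs from the supplied value.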

We're in.

http://10.10.121.120/search?username[$ne]=admin&role=guest
http://10.10.121.120/search?username=mcskidy&role[$ne]=guest
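
Why the $ne bypass works, and the input check that stops it, as an added example that is not part of the original writeup or the room's application code. It assumes a request parser that turns bracket notation into nested objects (as the qs library does); the user records, `matches`, `parseParams` and both login functions are hypothetical and constructed for illustration, with an in-memory array standing in for the collection.

```javascript
// Constructed sample records standing in for the users collection.
const users = [
  { username: "admin", password: "S3cret!", role: "admin" },
  { username: "guest1", password: "guest", role: "guest" },
];

// Hypothetical mini-matcher: evaluates a filter the way MongoDB treats
// plain values, $eq and $ne (other operators are rejected here).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond === null || typeof cond !== "object") return doc[field] === cond;
    return Object.entries(cond).every(([op, val]) => {
      if (op === "$eq") return doc[field] === val;
      if (op === "$ne") return doc[field] !== val;
      throw new Error("unsupported operator: " + op);
    });
  });
}

// Assumed parser behaviour: bracket notation becomes a nested object,
// so "password[$ne]=x" yields { password: { $ne: "x" } }.
function parseParams(query) {
  const out = {};
  for (const [key, value] of new URLSearchParams(query)) {
    const m = key.match(/^([^\[\]]+)\[([^\[\]]+)\]$/);
    if (m) out[m[1]] = { [m[2]]: value };
    else out[key] = value;
  }
  return out;
}

// Vulnerable: parsed request values are used as the filter unchanged.
function loginVulnerable(p) {
  const filter = { username: p.username, password: p.password };
  return users.find((u) => matches(u, filter)) || null;
}

// Hardened: accept only strings and pin each comparison to $eq.
function loginHardened(p) {
  if (typeof p.username !== "string" || typeof p.password !== "string") return null;
  const filter = { username: { $eq: p.username }, password: { $eq: p.password } };
  return users.find((u) => matches(u, filter)) || null;
}
```

The same type check applies to the `username` and `role` parameters of the search endpoint, since any field that reaches the filter as an object can carry an operator.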
