MongoDB

Simple injection

by YesWeHack
drag_indicator
info
drag_indicator
inputs
drag_indicator
inspect

The most Basic Mongo injection ever

Try to find a way to login as admin.

Hints

Hint #1
expand_more

You are not restricted to string with mongo, try to submit an object

Hint #2
expand_more

You can use mongo operator like $eq or $ne

Solution

Read the solution
expand_more

$pass =

{"$ne": "test"}

Explanation

Instead of submitting a string, an object is send.

This make the query return all user with the name admin and the password not equal ($ne) to "test"

drag_indicator
waf
INPUT
OUTPUT
drag_indicator
code
drag_indicator
result