NoSQL Injections
- No tables and rows; data lives in collections of documents (MongoDB, CouchDB), key/value structures (Redis) or indexed JSON documents (Elasticsearch)
- Examples are Elasticsearch, MongoDB, Redis, CouchDB.
Querying
- Queries are structured filter objects (JSON/BSON documents) or API calls rather than SQL strings, so an injection works by controlling the structure of the filter (e.g. turning a string value into an operator object), not by breaking out of a quoted string
- Redis docs
- MongoDB operators
- Elasticsearch docs
Operators
- Most common
  - $and, $or: combine conditions
  - $eq, $ne: equal / not equal
  - $gt: greater than (also $gte, $lt, $lte); password[$gt]= matches any non-empty string
  - $where: evaluates a JavaScript expression server-side (MongoDB), i.e. attacker-controlled code in the query
  - $exists: field present or absent
  - $regex: pattern match; lets you extract a value character by character (password[$regex]=^a, ^b, ...)
Tips & Tricks
- Pass an HTTP parameter as an object/array instead of a plain string: instead of user=foo&password=bar, send user[$operator]=foo&password[$operator]=bar. Body parsers such as qs (Express), PHP and Rails turn the bracket syntax into nested objects, so the value that reaches the query is an operator document, not a string
- 2D array via user[$nin][]=foo, which is parsed to {user: {$nin: ["foo"]}}
Example
- POST or GET parameters
username=admin&password[$ne]=admin
- Parsed to {username: "admin", password: {$ne: "admin"}}; the filter matches the admin document as long as its password is anything other than "admin", so the login succeeds without knowing the password
- Fix: reject (or cast with String()) any non-string value before it is put into the query, or validate the body against a schema
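The login bypass above, and the array/$nin trick from Tips & Tricks, as an added example that is not part of the original notes. It needs no database: a small in-memory matcher implementing the subset of MongoDB filter semantics the notes list ($eq, $ne, $gt, $in, $nin, $exists, $regex) stands in for the driver. The sample USERS collection, parseBracketQuery, loginVulnerable and loginHardened are all constructed here for illustration.

```javascript
// Added example (not from the original notes): bracket-style HTTP parameters
// become MongoDB operator objects, and a naive login query accepts them.
// The matcher below covers only the operators the notes mention; it is an
// illustration, not the MongoDB driver.

// Constructed sample collection (plaintext passwords only to keep the example
// small; real code stores and compares hashes).
const USERS = [
  { username: 'admin', password: 'S3cr3t!', role: 'admin' },
  { username: 'alice', password: 'hunter2', role: 'user' },
];

// Parse "a=1&b[$ne]=x&c[$nin][]=y" the way qs (Express), PHP and Rails do:
// each [key] descends into a nested object, a trailing [] appends to an array.
function parseBracketQuery(query) {
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = rawKey.match(/^([^\[\]]+)((?:\[[^\]]*\])*)$/);
    if (!m) continue; // malformed key: ignore it
    const parts = [m[1], ...Array.from(m[2].matchAll(/\[([^\]]*)\]/g), x => x[1])];
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const k = parts[i];
      if (cur[k] === undefined) cur[k] = parts[i + 1] === '' ? [] : {};
      cur = cur[k];
    }
    const last = parts[parts.length - 1];
    if (last === '') cur.push(value); else cur[last] = value;
  }
  return out;
}

// Does one document field satisfy a filter condition? A plain value means
// equality; an object means an operator document, as in MongoDB.
function matchValue(docVal, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$eq': return docVal === arg;
        case '$ne': return docVal !== arg;
        case '$gt': return docVal > arg;          // "" is smaller than any non-empty string
        case '$in': return arg.includes(docVal);
        case '$nin': return !arg.includes(docVal);
        case '$exists': return (docVal !== undefined) === Boolean(arg);
        case '$regex': return typeof docVal === 'string' && new RegExp(arg).test(docVal);
        default: throw new Error('operator not in this example: ' + op);
      }
    });
  }
  return docVal === cond;
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, cond]) => matchValue(doc[field], cond)));
}

// Vulnerable: whatever the body parser produced goes straight into the filter.
function loginVulnerable(body) {
  const p = parseBracketQuery(body);
  const hits = find(USERS, { username: p.username, password: p.password });
  return hits.length ? hits[0].username : null;
}

// Hardened: only strings are accepted, and they are wrapped in $eq so the
// value can never be interpreted as an operator document.
function loginHardened(body) {
  const p = parseBracketQuery(body);
  if (typeof p.username !== 'string' || typeof p.password !== 'string') return null;
  const hits = find(USERS, { username: { $eq: p.username }, password: { $eq: p.password } });
  return hits.length ? hits[0].username : null;
}

console.log(loginVulnerable('username=admin&password[$ne]=admin'));      // admin
console.log(loginVulnerable('username[$nin][]=alice&password[$gt]='));   // admin
console.log(loginHardened('username=admin&password[$ne]=admin'));        // null
```

The type check is the cheap fix; wrapping values in `$eq` is a second, independent layer, because `{field: <object>}` without an operator is interpreted as a sub-document match and would still let an operator object through. The `$regex` case in the test shows why a boolean login response is also an oracle for extracting the password one prefix at a time.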