This is a Blind NoSQL Injection attack.
1. Confirm the NoSQL injection vulnerability with this payload: `GET /api/posts?title[%24ne]=`
2. Develop an exploit that scans for the string "flag" in the post contents using the MongoDB `$where` operator: `/api/posts?%24where=function(){return%20this.content.includes('flag')}`
3. The response returned for the above injection payload tells us that the flag contents have been redacted by the server. Develop a script that lets us enumerate the characters in the flag based on this response (see the section titled Enumerating the Flag Alphabet).
4. Adapt the script from step 3 to leak the flag using the alphabet that we enumerated and the response of the server (see the section titled Disclosing the Flag).
Pr0f1t!
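As an added defender-side example (mine, not the writeup's or the challenge's own code), the block below emulates how a qs-style parser turns the two payloads above into operator objects, shows a hardened filter builder that whitelists fields and reports `$`-prefixed keys, and runs a detection check over constructed log lines. Assumed: an Express/Mongo style app with bracket query parsing and a plain `METHOD PATH` log format; `parseQuery`, `buildSafeFilter` and `flagSuspiciousRequests` are names I chose.

```javascript
// Added example (not from the writeup); assumes an Express/Mongo style app
// with qs-style bracket parsing and plain "METHOD PATH" request logs.
const OPERATOR_KEY = /^\$/;

// Toy parser: "a=1&b[c]=2" -> { a: "1", b: { c: "2" } } (one nesting level),
// mirroring how qs-style parsing yields objects MongoDB reads as operators.
function parseQuery(queryString) {
  const out = {};
  for (const pair of queryString.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
    const m = key.match(/^([^[\]]+)\[([^\]]*)\]$/);
    if (m) (out[m[1]] = out[m[1]] || {})[m[2]] = val;
    else out[key] = val;
  }
  return out;
}

// Hardened filter builder: only whitelisted fields reach MongoDB, each value
// must be a plain string, and every '$'-prefixed key at any depth is reported.
function buildSafeFilter(parsed, allowedFields) {
  const rejected = [];
  const walk = (obj, path) => {
    for (const [k, v] of Object.entries(obj)) {
      const here = path ? `${path}.${k}` : k;
      if (OPERATOR_KEY.test(k)) rejected.push(here);
      else if (v && typeof v === "object") walk(v, here);
    }
  };
  walk(parsed, "");
  const filter = {};
  for (const f of allowedFields) if (typeof parsed[f] === "string") filter[f] = parsed[f];
  return { filter, rejected };
}

// Detection: flag logged requests whose query string carries a Mongo operator,
// raw or URL-encoded (%24 is '$').
function flagSuspiciousRequests(logLines) {
  return logLines.filter((l) => /(\$|%24)(ne|where|regex|gt|lt|in)\b/i.test(l));
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  "GET /api/posts?title=hello",
  "GET /api/posts?title[%24ne]=",
  "GET /api/posts?%24where=function(){return%20this.content.includes('flag')}",
];
```

Passing `req.query` straight into `find()` is the pattern both payloads rely on; `buildSafeFilter` is the shape of the fix, and the log check gives a quick way to spot either probe in access logs.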