Tags: web nosql-injection 

Rating: 4.5

This is a Blind NoSQL Injection attack.

  1. Recognize the NoSQL Injection vulnerability using this payload: GET /api/posts?title[%24ne]=.
  2. Develop an exploit that attempts to scan for the string “flag” in the post contents using the MongoDB $where operator: /api/posts?%24where=function(){return%20this.content.includes('flag')}.
  3. The response returned for the above injection payload tells us that the flag contents have been redacted by the server. Develop a script that lets us enumerate the characters in the flag based on this response (see section titled Enumerating the Flag Alphabet).
  4. Adapt the script from step 3 to leak the flag using the alphabet that we enumerated and the response of the server (see the section titled Disclosing the Flag).
  5. Pr0f1t!
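As an added example (not from the original writeup), here is the defender's view of the same endpoint: the filter construction that lets `title[$ne]` and `$where` reach the database, beside a hardened version that whitelists fields and rejects operator-shaped keys. It assumes a Node.js back end with an Express-style parsed query object and a `posts` collection; the summary states neither.

```javascript
// Added example, not code from the writeup or the challenge.
// Assumed: Node.js, req.query parsed by Express/qs, filterable fields below.
const ALLOWED_FIELDS = new Set(['title', 'author']); // assumed field list

// Vulnerable pattern: the parsed query string becomes the Mongo filter as-is.
// ?title[$ne]= parses to { title: { $ne: '' } } and ?$where=... to
// { $where: '...' }, which are exactly the injection points in steps 1 and 2.
function vulnerableFilter(query) {
  return { ...query };
}

// Hardened pattern: whitelist field names, reject operator-shaped keys and
// non-string values, so the filter can only express equality on known fields.
// Defence in depth: setting security.javascriptEnabled to false on the
// MongoDB server disables $where evaluation regardless of the application.
function sanitizeFilter(query) {
  const filter = {};
  for (const [key, value] of Object.entries(query)) {
    if (key.startsWith('$') || key.includes('.')) {
      throw new Error(`rejected operator-like key: ${key}`);
    }
    if (!ALLOWED_FIELDS.has(key)) {
      throw new Error(`rejected unknown field: ${key}`);
    }
    if (typeof value !== 'string') {
      // Nested objects here are what title[$ne]= produces after qs parsing.
      throw new Error(`rejected non-string value for field: ${key}`);
    }
    filter[key] = value;
  }
  return filter;
}

// Detection helper: true when a query object carries an operator-shaped key
// at any depth; usable when reviewing request logs or in a pre-handler check.
function containsOperator(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return Object.entries(obj).some(
    ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v)
  );
}
```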
Original writeup (https://ajmalsiddiqui.me/blog/squarectf-2020-deep-web-blog/).