Burp Suite User Forum

Exploiting NoSQL operator injection to extract unknown fields -- What am I missing?

Patrick | Last updated: Sep 27, 2023 02:31AM UTC

I found a hidden field and (after a lot of effort) extracted what would seem like a key value for said field... but for the life of me, can't figure out how on earth to use it... tried putting into header, cookie, using it in place of password, using it in place of username... if there was a way to actually *receive* an email, then I'd suspect it'd come in VERY handy, but at an absolute loss...

Kin | Last updated: Sep 27, 2023 07:22AM UTC

Me too. I found the hidden field also... but don't know how to use it. Maybe the question should submit the name of the field instead of login?... Maybe the problem is set wrong...

Michelle, PortSwigger Agent | Last updated: Sep 27, 2023 02:48PM UTC

We'll be posting the solutions for these labs in a few days, so for now we're not giving too much away. We can confirm it is possible to solve the lab, so have another think about ways you might be able to use what you know :) Good luck!

Patrick | Last updated: Sep 27, 2023 10:34PM UTC

@kin -- Can confirm Michelle is right -- just solved it. @Michelle -- While you're not "wrong", I do feel the lab is highly misleading... not technically difficult, but misleading...

Thịnhh | Last updated: Oct 04, 2023 11:50AM UTC

I used this payload {"username":"carlos","password":{"$ne":"invalid"}, "$where": "Object.keys(this)[3].match('^.{§§}§§.*')" } to retrieve more parameters but the response code is 500 :))) I watched it on YouTube and it's OK, but when I do it, it's not working.

Ben, PortSwigger Agent | Last updated: Oct 05, 2023 08:44AM UTC

Hi, Are you able to email us at support@portswigger.net and include some screenshots of what you are seeing?

Thu | Last updated: Oct 15, 2023 05:33AM UTC

I can attest to his issue. Following the official solution, {"username":"carlos","password":{"$ne":"invalid"}, "$where": "Object.keys(this)[3].match('^.{0}a.*')"} will give us a '500 Internal Server Error', even though the payload isn't supposed to match, while Object.keys(this)[2].match('^.{0}a.*') will just return 'Invalid username or password'. We can figure out all of Object.keys(this)[0], [1] and [2] as '_id', 'username' and 'password' but it seems there isn't another field name there anymore. It used to work since most of the community solutions were working at one point.

Thu | Last updated: Oct 15, 2023 05:37AM UTC

Sorry, the above comment is meant for @Thịnhh and for the 'Thịnhh | Last updated: Oct 04, 2023 11:50AM UTC' comment.

Ben, PortSwigger Agent | Last updated: Oct 16, 2023 09:25AM UTC

Hi, Have you carried out the reset of the 'carlos' user that is detailed in step 4 of the solution?

Thu | Last updated: Oct 17, 2023 08:30AM UTC

@Ben, PortSwigger Agent -- My bad. I misunderstood step 4 as you pointed out. Greatly appreciate the help though!
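
Added example (not part of any post in this thread and not PortSwigger's code): a server-side check that rejects the request shapes quoted above, where `password` is an operator object and `$where` is a top-level key, before the body reaches a MongoDB query. The function names `findOperatorKeys` and `validateLoginBody` and the sample bodies are assumptions made for illustration.

```javascript
// Added example: validate a JSON login body before building a MongoDB filter.
// Field names "username"/"password" come from the thread; all other names are hypothetical.
const ALLOWED_FIELDS = new Set(["username", "password"]);

// Collect the path of every key that starts with "$" (a MongoDB operator), at any depth.
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Returns { ok, errors, filter }; filter is only set when the body passed every check.
function validateLoginBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"], filter: null };
  }
  const errors = findOperatorKeys(body).map((p) => `operator key not allowed: ${p}`);
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key) && !key.startsWith("$")) errors.push(`unexpected field: ${key}`);
  }
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] !== "string") errors.push(`${field} must be a string`);
  }
  if (errors.length) return { ok: false, errors, filter: null };
  // Build the filter from a known string field only; never pass the request body through.
  // The password is then checked in application code against the stored hash.
  return { ok: true, errors, filter: { username: body.username } };
}

// Constructed sample bodies, shaped like the ones quoted in the thread.
const samples = [
  '{"username":"carlos","password":"hunter2"}',
  '{"username":"carlos","password":{"$ne":"invalid"}}',
  '{"username":"carlos","password":{"$ne":"invalid"},"$where":"0"}',
];
for (const raw of samples) {
  const result = validateLoginBody(JSON.parse(raw));
  console.log(result.ok ? "accept" : "reject", raw, result.errors);
}
```

Independently of input validation, a deployment that does not need server-side JavaScript can turn it off in mongod with `security.javascriptEnabled: false`, which makes `$where` unavailable.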
