
Burp Suite User Forum


Exploiting NoSQL operator injection to extract unknown fields -- What am I missing?

Patrick | Last updated: Sep 27, 2023 02:31AM UTC

I found a hidden field and (after a lot of effort) extracted what would seem like a key value for said field... but for the life of me, can't figure out how on earth to use it... tried putting into header, cookie, using it in place of password, using it in place of username... if there was a way to actually *receive* an email, then I'd suspect it'd come in VERY handy, but at an absolute loss...

Kin | Last updated: Sep 27, 2023 07:22AM UTC

Me too. I found the hidden field also.. but don't know how to use it. Maybe the question should submit the name of the field instead of login?... Maybe the problem is set wrong..

Michelle, PortSwigger Agent | Last updated: Sep 27, 2023 02:48PM UTC

We'll be posting the solutions for these labs in a few days, so for now we're not giving too much away. We can confirm it is possible to solve the lab, so have another think about ways you might be able to use what you know :) Good luck!

Patrick | Last updated: Sep 27, 2023 10:34PM UTC

@kin -- Can confirm Michelle is right -- just solved it. @Michelle -- While you're not "wrong", I do feel the lab is highly misleading... not technically difficult, but misleading...

Thịnhh | Last updated: Oct 04, 2023 11:50AM UTC

I used this payload {"username":"carlos","password":{"$ne":"invalid"}, "$where": "Object.keys(this)[3].match('^.{§§}§§.*')" } to retrieve more parameters but the response code is 500 :))) I watched on YouTube and it's OK there, but when I do it it's not working.

Ben, PortSwigger Agent | Last updated: Oct 05, 2023 08:44AM UTC

Hi, are you able to email us at support@portswigger.net and include some screenshots of what you are seeing?

Thu | Last updated: Oct 15, 2023 05:33AM UTC

I can attest to his issue. Following the official solution, {"username":"carlos","password":{"$ne":"invalid"}, "$where": "Object.keys(this)[3].match('^.{0}a.*')"} will give us '500 Internal Server Error', even though the payload isn't supposed to match, while Object.keys(this)[2].match('^.{0}a.*') will just return 'Invalid username or password'. We can figure out all of Object.keys(this)[0], [1] and [2] as '_id', 'username' and 'password', but it seems there isn't another field name there anymore. It used to work, since most of the community solutions were working at one point.

Thu | Last updated: Oct 15, 2023 05:37AM UTC

Sorry, above comment is meant for @Thịnhh and for 'Thịnhh | Last updated: Oct 04, 2023 11:50AM UTC' comment.

Ben, PortSwigger Agent | Last updated: Oct 16, 2023 09:25AM UTC

Hi, have you carried out the reset of the 'carlos' user that is detailed in step 4 of the solution?

Thu | Last updated: Oct 17, 2023 08:30AM UTC

@Ben, PortSwigger Agent -- My bad. I misunderstood the step 4 as you pointed out. Greatly appreciate the help though!

Antony | Last updated: Oct 07, 2024 07:47PM UTC

Hello! For the fourth field, using the following payload {"username":"carlos","password":{ "$ne":"invalid"}, "$where":"Object.keys(this)[3].match('^.{0}r.*')" } I am enumerating an object field called "email", not "resetpwdToken" as expected. For clarity I have:
0 - id
1 - username
2 - password
3 - email <-- ?
Any ideas?

Antony | Last updated: Oct 07, 2024 07:54PM UTC

Never mind, found it. Didn't do the password reset initially.

BJT | Last updated: Oct 09, 2024 01:15AM UTC

@Antony. Could you share how you solved this lab? I've encountered and found the same field name for the fourth one. But I still cannot solve the lab. Sincerely appreciate.

mazhar | Last updated: Oct 14, 2024 07:12AM UTC

For anyone asking: the third column in enumerating the database is email, not the resetpwdToken. You should first submit a POST request in forgot password for the hidden field to be created. Then enumerate with index [4] like this => "Object.keys(this)[4].match('^.{§0§}§a§.*')". Then you should get the hidden field name. Then enumerate on it again to get the token: "this.unlockToken.match('^.{§0§}§a§.*')".
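The thread's payloads work because the login handler passes the parsed JSON body straight into the MongoDB query, so operator keys such as "$ne" and "$where" reach the database. The following is an added example written for this thread, not code from the lab or from PortSwigger: a hypothetical login query builder in its vulnerable form beside a hardened form that rejects any "$"-prefixed key anywhere in the body and insists the credentials are plain strings.

```javascript
// Added example (hypothetical login handler, not the lab's own code).
// Recursively detect any object key starting with "$" (a MongoDB operator),
// including nested ones like {"password": {"$ne": "invalid"}}.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperatorKey(value[k])
    );
  }
  return false;
}

// Vulnerable pattern: the whole parsed body becomes the query filter, so
// "$ne" defeats the password check and "$where" runs attacker-chosen JS.
function buildLoginQueryVulnerable(body) {
  return { ...body };
}

// Hardened pattern: reject operator keys outright, copy only the two
// expected fields, and require both to be strings (not objects/arrays).
function buildLoginQueryHardened(body) {
  if (containsOperatorKey(body)) {
    throw new Error('operator injection attempt rejected');
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new Error('username and password must be strings');
  }
  return { username, password };
}

// Constructed sample inputs: the payload shape quoted in this thread,
// and a normal login body for comparison.
const injectedBody = {
  username: 'carlos',
  password: { $ne: 'invalid' },
  $where: "Object.keys(this)[3].match('^.{0}a.*')",
};
const normalBody = { username: 'carlos', password: 'correct-horse' };
```

Server-side, the "$where" avenue can also be closed entirely by disabling JavaScript execution in mongod (security.javascriptEnabled: false), which is worth doing regardless of input validation.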
