12.3 Lab: Exploiting NoSQL injection to extract data | 2024
2024-3-15 20:43:46 Author: infosecwriteups.com (view original) Reads: 7


Karthikeyan Nagaraj

InfoSec Write-ups

The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection.

To solve the lab, extract the password for the administrator user, then log in to their account.

You can log in to your own account using the following credentials: wiener:peter.

  1. Turn on the proxy, log in to your account, and send GET /user/lookup?user=wiener to Repeater.
  2. Change the value of the user parameter to administrator' && this.password.length > 5 || 'a'=='b and send the request. If the admin password is longer than 5 characters it will display the admin's details; otherwise it will throw an error.
  3. Increase the number by one until you get the error; that is the length of the password.
  4. Then send the same request to Intruder and change the value of the user parameter to administrator' && this.password[0]=='a. Select this payload and press Ctrl+U to URL-encode it.
  5. Choose Cluster bomb, and add 0 as one payload position and a as the other.
  6. For payload 1 choose a number list and set it to the length of the password; in my case 0 to 7 (a total of 8 characters), step 1.
  7. For payload 2 choose the brute forcer and set both min and max length to 1 to brute-force a single character.
  8. Now click Start attack and note the length and response of each request.
  9. Sort the responses by length and, using payload 1 as the character position, note down the characters.
  10. Use that password to log in to the admin account to solve the lab.
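Why this works and how the lookup would be closed on the server side, as an added example that is not part of the original write-up or of the lab's own code. The payload succeeds because the user parameter is spliced into a MongoDB $where JavaScript expression, so a stray quote followed by && or || changes the condition the database evaluates. The hardened form passes the value as data in an equality match and validates it first; a small log check shows what the same requests look like to a defender. The function names buildLookupUnsafe, buildLookupSafe and flagSuspiciousLookups and the sample log lines are assumptions constructed for this example; no database is contacted, the filters are returned as plain objects.

```javascript
// Added example, not code from the original write-up or from the lab.
// Vulnerable pattern (assumed to mirror the lab's behaviour): the query parameter is
// spliced into a $where JavaScript expression, so a quote followed by && / ||
// changes the logic MongoDB evaluates.
function buildLookupUnsafe(user) {
  return { $where: `this.username == '${user}'` };
}

// Only allow the character set real usernames need; anything else is rejected
// before it reaches the query layer.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

// Hardened pattern: the value is passed as data in an equality match, never as
// code, and is validated first. Requiring a string also rejects an object such
// as {"$ne": ""} that a query-string parser might build from user[$ne]=.
function buildLookupSafe(user) {
  if (typeof user !== 'string' || !USERNAME_RE.test(user)) {
    throw new Error('invalid username');
  }
  return { username: { $eq: user } };
}

// Detection: scan access-log lines for lookup requests whose user parameter
// carries JavaScript or query-operator syntax once URL-decoded.
const SUSPICIOUS_RE = /['"]\s*(&&|\|\|)|\bthis\.\w+|\$(where|ne|regex|gt)\b/;

function flagSuspiciousLookups(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/GET\s+\/user\/lookup\?user=(\S+)/);
    if (!m) continue;
    let value;
    try {
      value = decodeURIComponent(m[1].replace(/\+/g, ' '));
    } catch {
      value = m[1]; // malformed encoding: inspect the raw value instead
    }
    if (SUSPICIOUS_RE.test(value)) flagged.push(value);
  }
  return flagged;
}

// Constructed sample log lines (hypothetical, not taken from the original page).
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/Mar/2024:20:43:46 +0000] "GET /user/lookup?user=wiener HTTP/1.1" 200 512',
  '10.0.0.9 - - [15/Mar/2024:20:44:01 +0000] "GET /user/lookup?user=administrator%27%20%26%26%20this.password.length%20%3E%205%20%7C%7C%20%27a%27%3D%3D%27b HTTP/1.1" 200 534',
  '10.0.0.9 - - [15/Mar/2024:20:44:30 +0000] "GET /user/lookup?user=administrator%27%20%26%26%20this.password%5B0%5D%3D%3D%27a HTTP/1.1" 500 78',
];

// Demonstration: the same payload lands inside executable $where code in the
// unsafe builder, is rejected by the safe one, and stands out in the log.
const payload = "administrator' && this.password.length > 5 || 'a'=='b";
console.log(buildLookupUnsafe(payload));
try { buildLookupSafe(payload); } catch (e) { console.log('rejected:', e.message); }
console.log(buildLookupSafe('wiener')); // { username: { $eq: 'wiener' } }
console.log(flagSuspiciousLookups(SAMPLE_LOG));
```

The equality match is the actual fix; the allow-list regex and the log check are defence in depth. If an application genuinely needs $where, the user value still has to stay out of the expression string, for example by comparing against a field populated server-side.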

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Telegram Channel for Free Ethical Hacking Dumps

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng


Source: https://infosecwriteups.com/12-3-lab-exploiting-nosql-injection-to-extract-data-2024-ca9896a3c964?source=rss----7b722bfd1b8d--bug_bounty