webPromedium

Lab 37 — WriteFlow — NoSQL Injection via Nested $where in Mongoose Populate

hackadvisor

Task: Node.js/Express blogging platform using MongoDB/Mongoose with server-side author role filtering in populate() match conditions, and a JSON-accepting authorFilter parameter. Solution: inject {\"role\":\"admin\"} via authorFilter to override the default role exclusion in Mongoose populate match, revealing hidden admin-only posts containing the flag.

$ ls tags/ techniques/

nodejs access_control authorization_bypass express mongodb mongoose decoy_flag nosql_injection populate json_parameter

nosql_injection_via_json_parametermongoose_populate_match_overrideauthorization_bypass_via_filter_manipulationhidden_content_discovery

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 328 — DataNest — NoSQL Operator Injection in Authentication— hackadvisor
[web][Pro]Lab 105 — WriteFlow — Indirect Prompt Injection via Document Analysis— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor
[web][Pro]Lab 329 — PipelineIQ — NoSQL Injection Authentication Bypass— hackadvisor
[web][Pro]Lab 375 — PageFlow — Web Cache Deception via Path Normalization— hackadvisor