How to find NoSQL Injection

Рет қаралды 9,213

Ryan John

Күн бұрын

Пікірлер: 20

@LEOSTRIBE Жыл бұрын

can you provide all the extensions which are use by you ?

@MsTitoxp Жыл бұрын

Thank you Ryan!

@silenthacker2667 Жыл бұрын

You always make over power video..i am from India love you sir❤❤

@karrivenkatesh1277 Жыл бұрын

Sir can ypi make a video series of CEH certified ethical hacking course

@kennethnwaigwe1213 Жыл бұрын

And pls can you create a video about web app firewall...IDS..and IP bypass tutorials

@KellyFundz-zt3er 6 ай бұрын

I have did all the injections and it's get a 200 ok status code but no interest output

@kennethnwaigwe1213 Жыл бұрын

Great video...💯Pls do you reply to emails...cos I might actually be having a lot of questions that I cant...remember now...???

@KellyFundz-zt3er 6 ай бұрын

Hi how sorry to bother you but I'm having a nosql injection on the parameter Referer

@praveenja3073 Жыл бұрын

Bug bounty tips need sir from India

@ryan_phdsec Жыл бұрын

I will do this next

@iqyou-gw4kd Жыл бұрын

what is nosql inection

@ryan_phdsec Жыл бұрын

They are the newer types of databases that stores data in a non-relational tables. I think they will fade out eventually, but I could be wrong. Most large companies will use some kind of sql database because they are dependable. Small new companies are more likely to use nosql

@iqyou-gw4kd Жыл бұрын

@@ryan_phdsec thank you sir plz explain null bayte injection. And add subtitles Arabic if you can and thank you

@the-avid-engineer Жыл бұрын

I seriously doubt this is a MongoDb injection attack. MongoDb queries do not use `||` to represent “or”, nor "=" to represent equality. MongoDb queries have a JSON-like structure, and an “or” query would be of the form “{$or:[,]}", and an equality criteria would be of the form {"":""} You cannot trick MongoDb with {"username":"admin || 1=1"}

@ceciliahkuriah927 7 ай бұрын

You can use attack a mongodb with either a syntax injection or an operator injection. in his case he used syntax injection. In your case you are using an operator injection. if the application is parsing data input in JSON then try using operator injection.

@the-avid-engineer 6 ай бұрын

⁠⁠@@ceciliahkuriah927 In my case it isn’t an injection - it’s just looking for username equal to `admin || 1=1` which won’t do anything special or unexpected. In the other case, it cannot be attacking mongo because mongo does not have native support for SQL-like syntax. If this application is using SQL-like syntax to talk to mongo, then there must be some non-mongo layer translating the query from SQL-like to mongo-like, and the attack is against that layer, not mongo itself.