I'm using MongoDB 4.2 with Express > 4.
I'm trying to execute a NoSQL Injection using node.js. This is the .ejs code of a form with username and password:
<body>
<form action="/login_db/login_db" method="POST" >
<input placeholder="name" name="name"> </br>
<input placeholder="password" name="password"> </br>
<input type="submit" value="submit" id="submit">
</form>
</body>
I have a local MongoDB Database with user that are allowed to get access through the db. This is the .js code:
const MongoClient = require("mongodb").MongoClient;
const ObjectID = require('mongodb').ObjectID;
const dbname = "mydb";
const url = "mongodb://localhost:27017";
const mongoOptions = {useNewUrlParser : true};
const state = {
db : null
};
const connect = (cb) =>{
if(state.db)
cb();
else{
MongoClient.connect(url,mongoOptions,(err,client)=>{
if(err)
cb(err);
else{
state.db = client.db(dbname);
cb();
}
});
}
}
const getPrimaryKey = (_id)=>{
return ObjectID(_id);
}
const getDB = ()=>{
return state.db;
}
module.exports = {getDB,connect,getPrimaryKey};
And this is the .js login_db-route.js:
"use strict"
const router = require('express').Router();
const db = require("../db");
const mongoose = require('mongoose');
const passport = require('passport');
const express = require('express');
const collection = "amministrazione";
const app = express()
const path = require('path');
var bodyParser = require('body-parser')
router.get('/login_db', function(req,res){
console.log('login request');
var cursor = db.getDB().collection(collection).find().toArray(function(err, results) {
res.render('login_db.ejs', {quotes: results, user: req.user});
});
});
router.post('/login_db', function (req, res) {
console.log('login post request');
var name = req.body.name;
var password = req.body.password;
db.getDB().collection(collection).findOne({"name" : name, "password" : password}, (err, result) =>{
if(result == null || result.length == 0){
console.log('user not found '+ err);
return res.render('login_db.ejs',{user: req.user});
}
console.log('User found' + result);
db.getDB().collection(collection).find().toArray((err, result)=>{
if(err) return console.log(err)
res.render('book.ejs', {quotes:result,user: req.user, flag: true});
})
})
});
module.exports = router;
The code that i wrote is vulnerable to nosql injection, but when i try to insert into the form a MongoDB Payload, such as:
{ $gt : "a" }
{ $gt : "a" }
i can't have login success. Where is the problem? Is there a way not to consider the " ?
Thanks to anyone who helped me.
This is your code.
If you pass those parameters, the mongodb query will be like this.
If you want to pass those parameters as query but not string, you can add some code like this.