No Sql Injection

Challenge Description

Can you try to get access to this website to get the flag?

You can download the source here. The website is running here.

Can you log in?


Solution

First download the given file and extract it.

Analysing the Source Code

While reading through the given source code, I came across the model user.ts, which has a key token whose default value is set to the flag.

If you take a look at the route.ts file, the input is not sanitized and is inserted directly into the NoSQL query, so the login is vulnerable to NoSQL injection. Also, on successful login, the server responds with the entire user object of the user we have logged in as, which contains the key token with the flag as its value.

Also, in the seed.ts file, I found an email id: joshiriya355@mumbama.com.

No SQL Injection

Since the challenge name is NoSqlInjection, which hints that the application is vulnerable to NoSQL injection, I tried an authentication bypass using NoSQL injection.

I tried to log in with the email id we found and the following NoSQL payload as the password.

{"$ne": null}

// $ne -> not equal to
// The above payload checks whether the value is not equal to null
// Obviously, in our case the password is not going to be null,
// so the condition becomes true and we are successfully logged in.
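To make the two findings above concrete (the unsanitized query in route.ts and the full user object coming back in the response), here is an added example in TypeScript. It is not the challenge's own code: it uses a small in-memory matcher that understands only the $ne operator, so the behaviour can be reproduced without a MongoDB server. The seed data, the password value and the token value are constructed placeholders; only the email address comes from the challenge.

```typescript
// Added example (not the challenge's route.ts): a login query builder that
// passes the request body straight into the filter, beside a hardened one.
// A tiny in-memory matcher stands in for MongoDB so this runs offline.

type StoredUser = { email: string; password: string; token: string };

// Constructed seed data. Passwords are stored in clear text only to keep the
// toy short; a real application stores and compares a password hash.
const USERS: StoredUser[] = [
  { email: "joshiriya355@mumbama.com", password: "correct-horse", token: "<token-placeholder>" },
  { email: "other@example.com", password: "hunter2", token: "<other-token-placeholder>" },
];

// Minimal subset of MongoDB's filter semantics: a filter value is either a
// literal (exact match) or an object carrying $ne (match when NOT equal).
function fieldMatches(stored: unknown, filterValue: unknown): boolean {
  if (filterValue !== null && typeof filterValue === "object" && "$ne" in filterValue) {
    return stored !== (filterValue as { $ne: unknown }).$ne;
  }
  return stored === filterValue;
}

function findOne(filter: Record<string, unknown>): StoredUser | undefined {
  return USERS.find((u) =>
    Object.entries(filter).every(([k, v]) => fieldMatches(u[k as keyof StoredUser], v)),
  );
}

// Vulnerable pattern, as described for route.ts: the parsed JSON body becomes
// the query, so an operator object in "password" is evaluated as an operator,
// and the whole stored document (token included) is handed back to the client.
function vulnerableLogin(body: { email: unknown; password: unknown }): StoredUser | null {
  const user = findOne({ email: body.email, password: body.password });
  return user ?? null;
}

// Hardened: (1) only plain strings are accepted, so an object such as
// {"$ne": null} is rejected before it reaches the query; (2) the response
// carries only what the client needs, never the stored token.
function hardenedLogin(body: { email: unknown; password: unknown }) {
  if (typeof body.email !== "string" || typeof body.password !== "string") {
    return { ok: false, reason: "email and password must be strings" } as const;
  }
  const user = findOne({ email: body.email, password: body.password });
  if (!user) {
    return { ok: false, reason: "invalid credentials" } as const;
  }
  return { ok: true, email: user.email } as const;
}

// Detection aid for request logging: flags any body field whose value is an
// object with a "$"-prefixed key, which a normal login form never sends.
function hasOperatorKeys(body: Record<string, unknown>): boolean {
  return Object.values(body).some(
    (v) => v !== null && typeof v === "object" && Object.keys(v).some((k) => k.startsWith("$")),
  );
}
```

The type check is the real fix: with a string-only filter the query can only ever express "password equals this value". Returning a reduced object is a second, independent layer, so that even if another query is later found injectable the stored token is not part of the reply.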

We have successfully logged in.

Getting the Flag

I captured the above login request with Burp Suite. If you check the response of the above POST request in the HTTP history tab of Burp Suite, you can see that the entire user object is returned, with the flag encoded in base64 form. After decoding this base64 string, you get the flag.

Flag: picoCTF{jBhD2y7XoNzPv_1YxS9Ew5qL0uI6pasql_injection_a2e0d9ef}
