NoSQL Injection Exploited in Wild Goose Hunt Challenge
/ 1 min read
🦢 Successful Exploitation of NoSQL Injection in Wild Goose Hunt Challenge. The Wild Goose Hunt challenge features a retro-styled web login form utilizing MongoDB as its NoSQL database, which lacks input sanitization, making it vulnerable to NoSQL Injection (NoSQLi). Local testing revealed that the application could be exploited by sending crafted payloads through Burp Suite, allowing for brute-forcing of the admin user’s password. A Python script was developed to automate the brute-force process, confirming the vulnerability and successfully capturing the flag. This write-up highlights the steps taken to exploit the NoSQLi vulnerability and the techniques used to retrieve sensitive information.
Source

Original