Forum Discussion
Trick or Treat on Specter Street: Manor of Madness
Not sure what you're trying but you can solve it using SQL injection techniques
I don't want to be too specific and give away too much
LewisMutton I tried almost every NoSQL injection payload and no luck.
Do we need to change anything like Auth token or content type?
If you have a payload, can you give more hints to solve it?
- LewisMutton 4 days ago
Bronze III
Think about closing the string early and appending a boolean expression using OR (||) that includes the keyword name in the query.
I did the same thing, got all the way to the final Q using the same simple injection and then got a bit stuck, but got there in the end!
- ThreatWhisperer 8 days ago
Bronze II
For what it's worth, I managed to get through all but the last task with a very (very) simple NoSQL injection, and always the same one, with no other tricks.
Now I'm stuck on the last task, where all the NoSQL injections I've tried aren't working, and I see also a session cookie involved, but so far I haven't been able to figure out what's needed...
- immervivesolver 8 days ago
Bronze II
Don't focus on cookies. It's just a trap. I wasted hours on tampering those. Just focus on query.
ThreatWhisperer this query you can try on both fields separately or inject in both fields at a time. It will give a time based. You can try tweaking with true condition
this.name == 'a'; sleep(5000)
- ThreatWhisperer 7 days ago
Bronze II
Thanks, I kind of understand, but I'm struggling too much...
The other steps were very basic injections, but this one is too complex for me, without real NoSQL and NoSQL injection knowledge. I tried many combinations and got lots of 5000 internal server errors, some bad requests, and a few times I was seeing the delay in Burp, but then I was getting the error message like in the web page.
- immervivesolver 8 days ago
Bronze II
I tried exploiting the $where function by injecting in both fields in the same query and was able to solve the lab.
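
Why a string like the one quoted in the thread gets evaluated by the database, and how a lookup is written so it cannot be, as an added example that is not part of the thread or the lab's code. It assumes a lookup on two form fields with the hypothetical names `name` and `password`.

```javascript
'use strict';
// Added example. Assumptions: a lookup on two form fields with the
// hypothetical names `name` and `password`; the lab's code is not on the page.

// Vulnerable pattern: input is spliced into a $where string, which MongoDB
// evaluates as JavaScript, so a quote in the input ends the string literal.
function buildWhereFilter(name, password) {
  return { $where: `this.name == '${name}' && this.password == '${password}'` };
}

// Hardened pattern: no $where. Only bounded strings are accepted and they are
// compared with $eq, so the value stays data whatever characters it holds.
function buildSafeFilter(name, password) {
  for (const [field, value] of Object.entries({ name, password })) {
    if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
    if (value.length === 0 || value.length > 128) {
      throw new RangeError(`${field} has invalid length`);
    }
  }
  return { name: { $eq: name }, password: { $eq: password } };
}

// Request-body check: reject any key starting with "$" at any depth, which
// blocks operator objects such as {"$where": "..."} sent as JSON.
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, inner]) => key.startsWith('$') || hasOperatorKey(inner)
  );
}

// Constructed sample input: the string quoted in the thread, used as a value.
const sample = "this.name == 'a'; sleep(5000)";
console.log(buildWhereFilter(sample, 'x').$where);         // literal is closed early
console.log(JSON.stringify(buildSafeFilter(sample, 'x'))); // same text, kept as data
console.log(hasOperatorKey({ name: { $where: sample } })); // operator key detected
```

Setting `security.javascriptEnabled: false` in the mongod configuration disables server-side JavaScript, so `$where` expressions are not evaluated at all.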