Foothold

Back to the login page. I noticed that every time I would insert a single ' into the username field the request would just die. This led me down an SQL injection rabbit hole that led me nowhere until I found something about it possibly being a NoSQL injection vulnerability

Definitely learnt something new that added an entirely new page to my webapp checklist 😄

NoSQL injection | Web Security AcademyWebSecAcademy

Lab: Exploiting NoSQL operator injection to bypass authentication | Web Security AcademyWebSecAcademy

Change Content-Typeand parameter format to json

We get the same response when we send the request but if we miss a parameter we error out

Note this for later

Injecting query operators didnt end up working so I turned to Ippsec and he displayed the following payload to append

We get a valid login

Using the same payload we can find all users within the database

Log into the Mattermost application

And dont be rude