Tags: blindnosqlinjection web nosql-injection 

Rating:

The writeup starts at 05:29 on the video. The source code of the server was provided for this challenge:
```
import os
import traceback

import pymongo.errors
from flask import Flask, jsonify, render_template, request
from pymongo import MongoClient

app = Flask(__name__)
FLAG = os.getenv("FLAG")
app.config["SECRET_KEY"] = os.getenv("FLASK_SECRET")
mongo_client = MongoClient(connect=False)
db = mongo_client.database

@app.route("/")
def main():
return render_template("index.html")

@app.route("/api/search", methods=["POST"])
def search():
if request.json is None or "search" not in request.json:
return jsonify({"error": "No search provided", "results": []}), 400
try:
results = db.flags.find(
{
"$where": f"this.challenge.includes('{request.json['search']}')"
}, {
"_id": False,
"flag": False
}
).sort("challenge")
except pymongo.errors.PyMongoError:
traceback.print_exc()
return jsonify({"error": "Database error", "results": []}), 500
return jsonify({"error": "", "results": list(results)}), 200

if __name__ == "__main__":
app.run()
```
It has a nosql injection on the /api/search endpoint via the request.json['search'] post parameter. We can send the following payload to bruteforce the flag char by char:
```
{"search":"') == this.flag.includes('flag{h§injection-point§"}
```
flag{hsctf_gacha_game_when?}

Original writeup (https://youtu.be/QKZWyWQSPaw?t=329).