Example 2

In Example 1 I was able to log in as the admin account using NoSQLi, but it was possible because admin was the first account returned. What if I wanted to access other accounts as well?

Here the $nin operator can be used.

user[$nin][]=admin&pass[$ne]=sssss&remember=on

Here the operator means "not in". In this injection statement, all the documents that DO NOT have admin as the username will be returned, which will let me know about the other users present on the website.

I got the above user account. Now to look for other accounts I modified the condition as follows.

user[$nin][]=admin&user[$nin][]=pedro&pass[$ne]=ssss&remember=on

Now using the above query and modifying it, I was able to discover four more user accounts.
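Why the two request bodies above match a non-admin document, and the type check that stops them, as an added example that is not part of the original write-up. The in-memory USERS collection, the username/password field names, the user carol, and the simplified parser and matcher are assumptions standing in for the real application and MongoDB.

```javascript
// Simplified stand-in for bracket-style form parsing (as done by PHP or
// Express's extended urlencoded parser). Handles k, k[op] and k[op][] only.
function parseBracketBody(body) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const m = rawKey.match(/^([^\[\]]+)(?:\[([^\[\]]+)\](\[\])?)?$/);
    if (!m) continue;
    const [, name, sub, list] = m;
    if (!sub) { out[name] = value; continue; }
    if (typeof out[name] !== "object") out[name] = Object.create(null);
    if (!list) { out[name][sub] = value; continue; }
    if (!Array.isArray(out[name][sub])) out[name][sub] = [];
    out[name][sub].push(value);
  }
  return out;
}

// Stand-in for MongoDB matching: equality plus the $ne and $nin operators.
function matches(doc, filter) {
  return Object.keys(filter).every((field) => {
    const cond = filter[field];
    if (cond === null || typeof cond !== "object") return doc[field] === cond;
    if ("$ne" in cond) return doc[field] !== cond.$ne;
    if ("$nin" in cond) return Array.isArray(cond.$nin) && !cond.$nin.includes(doc[field]);
    return false;
  });
}

// Constructed sample collection; plaintext passwords only to keep it short.
const USERS = [
  { username: "admin", password: "constructed-pw-1" },
  { username: "pedro", password: "constructed-pw-2" },
  { username: "carol", password: "constructed-pw-3" },
];

// Vulnerable: parsed values go into the filter whatever their type.
function loginUnsafe(body) {
  const p = parseBracketBody(body);
  return USERS.find((u) => matches(u, { username: p.user, password: p.pass })) || null;
}

// Hardened: credentials must be plain strings, so operator objects are rejected.
function loginSafe(body) {
  const { user, pass } = parseBracketBody(body);
  if (typeof user !== "string" || typeof pass !== "string") return null;
  return USERS.find((u) => matches(u, { username: user, password: pass })) || null;
}
```

The same string-only check belongs on every request field that ends up in a query filter, not just the login form.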
