NoSQL Injection Skills Assessment II

I have got stuck on the module. I used a script to find the hint on some page, but when I submit the hint, it is always invalid. The hint from the script I ran changed every time.
Does someone have other information for me? Thanks!

The responses are not always the same if you are trying to test true or false with the vulnerable parameter, like with only one character.

Thanks for your help! I have solved the problem. Thanks!

Can you help me? I am not solving it 🙁

Can someone help me?

I’m still stuck.
Even after understanding the hints that there is one type of injection which could give me feedback if it is parsing the query to the DB, I get “login failed”

Trying the other parameters on the URLs, I’m not able to retrieve any hash or password.

Any hints?

Nevermind…

Got it

For people struggling… If you can’t come up with an algorithm, just enumerate it manually!

Happy hunting

I’m feeling very silly; I’m not making any real progression for this assessment.

I identified a valid user, but only by observing changes in error messaging. I haven’t seen anything across the pages of the app I’ve encountered that is suggestive of a NoSQL injection vulnerability. The lone possible exception was in observing the Werkzeug parameter error message when editing a POST variable from something like username to username[$regex], but that was just in stipulating the parameter was otherwise missing.

I could use a hand, if you’re offering.

Some of the early comments have given some hints which technique you should use.

There is something else which could direct you and is normally used whenever you don’t know the password. It has some characters which you could enumerate just like in the module’s session with a bit of tweaking on the payload.

Thanks friend!

It turned out my issue was payload formatting. I ended up leveraging a Google-able tool to identify the parameter/payload, which then made the rest of the assessment fall into place.

You do not need the password. The password is a red herring. Try to exfil something else that will get you access into the application.

Can you help me? I need your hint, thanks.

Anyone willing to drop a nudge on how to approach this assessment?

EDIT: NVM, got it!

I’m stuck. I figured out b*** works when you send the requests (.) but I don’t understand how I can build my payload with the time.

I’ve found out how to inject JavaScript into the POST data of the login form and was able to enumerate the username. Using the same technique, I wasn’t able to enumerate the password (assuming that the database fields are “username” and “password”). Any ideas?

There is something else you can enumerate that is used whenever a user doesn’t remember their password. 🙊

That was the right hint. Was looking for the wrong thing. Thank you!

Please help! I see the injection point and can even make the application sleep for however long. I also see where I don’t really need the password through another page, but I can’t find any injection point on that page. I have a feeling there are two different methods to get past this, and I can’t make either one work!

I got it. Anyone looking for a gentle nudge can find me on Discord with the same username.

Anyone that needs help can also contact me directly.