This is a follow-up to this thread. So I am trying to perform a NoSQL injection on a web application that is written in Python and connects to a MongoDB backend. The issue I am having is that I am unable to send the single quote character to the MongoDB because the Python code flips out when I include it in my query. Here is the relevant code for the Python app:
    import cgi
    from pymongo import MongoClient

    # Reconstructed from the traceback below: CGI form input and the
    # 'the_names' collection in 'test_database' on a local mongod.
    form = cgi.FieldStorage()
    collection = MongoClient('localhost', 27017)['test_database']['the_names']

    condition = form.getvalue('Name')
    if condition:
        # User input is concatenated straight into a server-side JavaScript
        # expression; a quote in 'Name' changes the expression itself.
        where = {"$where": "this.Name == '"+condition+"'" }
    else:
        where = ""
    {snip}
    if where:
        for record in collection.find(where):
            print "<tr>"
            print "<td align=\"center\">"+record["Name"]+"</td>"
When I try to pass a single quote through the "Name" parameter via a POST request, I get the following error:
       42 if where:
    => 43     for record in collection.find(where):
       44         print "<tr>"
       45         print "<td align=\"center\">"+record["Name"]+"</td>"
    record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_database'), u'the_names'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_database'), u'the_names')>, where = {'$where': "this.Name == 'test''"}
I'm pretty sure I can't perform the NoSQL injection unless I am able to pass the single quote character to the MongoDB instance, so that I can escape the existing query and start a new one. My question is, how can I not escape the single quote in Python, yet have it escaped in JavaScript? I've tried various things like Unicode-encoding the single quote, but that just caused MongoDB to include it in my query (because it wasn't escaped). Thanks for the help!
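The traceback shows why the request fails: the value `test'` is spliced into the `$where` string, leaving `this.Name == 'test''` with an unbalanced quote, so the server-side JavaScript does not parse. The following is an added illustration written for this page, not the poster's application code: it puts the question's query builder next to an equality-filter replacement and a small guard that refuses any filter using a server-side JavaScript operator. The `uses_server_side_js` helper and the sample inputs are constructed here; only the `Name` field and the `$where` shape come from the post.

```python
"""Contrast of the question's $where concatenation with an equality filter.

Added example for this thread, not code from the original post. Assumes a
pymongo-style filter dict; nothing here needs a running mongod.
"""

# MongoDB operators whose arguments are executed as server-side JavaScript.
# (Constructed allowlist for the guard below; $where is the one in the post.)
JS_OPERATORS = {"$where", "$function", "$accumulator"}


def build_where_query(name):
    """The pattern from the question: the form value is concatenated into a
    JavaScript expression string, so it is interpreted as code, not data.
    With name == "test'" this yields exactly the `where` in the traceback."""
    return {"$where": "this.Name == '" + name + "'"}


def build_equality_query(name):
    """Hardened form: an equality filter. The driver serialises `name` as a
    BSON string, so quotes or operator-looking text inside it are compared
    literally and are never parsed as JavaScript."""
    if not isinstance(name, str):
        # form.getvalue() can return a list when a field repeats; refuse it
        raise TypeError("Name must be a single string")
    return {"Name": name}


def uses_server_side_js(query):
    """Runtime guard: True if any key, at any nesting depth, is an operator
    that runs server-side JavaScript. Call before collection.find(query)."""
    if isinstance(query, dict):
        return any(key in JS_OPERATORS or uses_server_side_js(value)
                   for key, value in query.items())
    if isinstance(query, list):
        return any(uses_server_side_js(item) for item in query)
    return False


if __name__ == "__main__":
    # Constructed sample: the same input that appears in the traceback.
    user_input = "test'"
    print("concatenated:", build_where_query(user_input))
    print("equality    :", build_equality_query(user_input))
    for q in (build_where_query(user_input), build_equality_query(user_input)):
        print("blocked by guard:", uses_server_side_js(q))
```

The equality form is what `collection.find` should receive for a field lookup; the guard is a second line of defence for code paths that still build filters dynamically. If the application never needs `$where` at all, the server side can disable it as well by setting `security.javascriptEnabled: false` in the mongod configuration, after which any `$where` filter is rejected by the server regardless of what the client sends.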