Nosqli is a powerful NOSQL injection command line interface tool, in essence, it is a NOSQL scan and injection tool. NOSQLI is based on Go language development, is an easy-to-use NOSQL injection tool, providing a complete command line interface, and supports security researchers to customize their own needs.

The tool has a very fast run, and the scan results are accurate and high availability. In addition, the use of its command line interface is also very simple.


NOSQLI currently supports NOSQL injection detection for MongoDB, which is currently performing the following tests:

Based on the wrong test: Inject various characters and payload, scan known Mongo error response; Boolean blind test: PAYLOAD containing True / False parameters, and try to determine if there is an injection point; time-based test: Try to go to the target Server injection time delay, and determines whether there is an injection point according to the response;

Tool download

The majority of researchers please visit the project’s Releases page and now the latest version of NOSQLI for the operating system. After the download is complete, install it in the specified path, or run directly from the local file directory.


Tool use

Various researchers can directly run injects commands directly or view help information directly according to the following.

$ NosqliNoSQLInjectorisaCLItoolfortestingDatastoresthatdonotdependonSQLasaquerylanguage.nosqliaimstobeasimpleautomationtoolforidentifyingandexploitingNoSQLInjectionvectors.Usage: nosqli [command] AvailableCommands: helpHelpaboutanycommandscanScanendpointforNoSQLInjectionvectorsversionPrintsthecurrentversionFlags: – configstringconfigfile (defaultis $ HOME / .nosqli.yaml) -d, – datastringSpecifydefaultpostdata (shouldnotincludeanyinjectionstrings) -h, – helphelpfornosqli-p, – proxystringProxyrequeststhroughthisproxyURL. DefaultstoHTTP_PROXYenvironmentvariable.-r, – requeststringLoadinarequestfromafile, suchasarequestgeneratedinBurporZAP.-t, – targetstringtargeturleg.http: // arg = 1-u, – user-agentstringSpecifyauseragentUse “nosqli [command] – help” formoreinformationaboutacommand?. $ nosqliscan-thttp: // localhost: 4000 / user / lookup username = testRunningErrorbasedscan … RunningBooleanbasedscan … FoundErrorbasedNoSQLInjection:? URL: http: // localhost: 4000 / user / lookup = & username = testparam:? usernameInjection: username = ‘

You can use the NodeJS application with a vulnerability or other NOSQL injection experimental platform to test the use of the tool.

Source code construction

If you want to build a source code yourself, or perform the source code for a specific platform, you can follow the project source to local, then install dependencies, and finally build projects. Here is required to install the latest GO development vision on the device, and then configure the GOPATH environment variable.

$ gitclonehttps: // #@goinstall or all Nosqli-h run test

This tool comes with a test kit, researchers can run Go Test to make simple injection detection in the root directory of the project:

Gotest. / …

In addition, NOSQLI also provides test sets that are injecting for use-by-mounted attacked applications.To use an integrated test, install and run an affected NodeJSmongo into the application, or I provide PHP LAB.Next, we need to provide integrated parameters when running commands:

Gotest./…-ARGS-INTEGRATION =true

project address