MongoDB-Injection
Cheesy Multi-threaded script for NoSQL Injection
This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection.
For this example:
- Underlying collection on the database contains username and password field
- Query reflects on URL and
admin' && this.password && this.password.match(/.*/)%00payload works - Above payload gives out list of names (eg.
admin), if the regex pattern matches
How this script works?
- Find the length of password using pattern
(/./),(/../),(/.../)and so on.. - Find the password from the pre-defined charset by brute-forcing every character like
(/^{}/)
For eg. If the password is bac
/^a/ that will return false.
/^b/ that will return true.
/^ba/ that will return true.
/^baa/ that will return false.
/^bab/ that will return false.
/^bac/ that will return true.
- At last the password is finally confirmed with regex
(/^{}$/)
How to use?
Just provide values to these variables for your use:
-
URL (URL for the web-server)
-
Field (Field on the collection to inject on)
-
Flag (String which contains the unique success result on injection)
Some Optional values are:
-
Password (A part of field value)
-
Requests/sec (Default:10)
-
Password Max length (Default:50)
-
Password length (Exact field length)
