Cheesy Multi-threaded script for NoSQL Injection
This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection.
For this example:
- Underlying collection on the database contains username and password field
- Query reflects on URL and
admin' && this.password && this.password.match(/.*/)%00payload works
- Above payload gives out list of names (eg.
admin), if the regex pattern matches
How this script works?
- Find the length of password using pattern
(/.../)and so on..
- Find the password from the pre-defined charset by brute-forcing every character like
For eg. If the password is
/^a/ that will return false.
/^b/ that will return true.
/^ba/ that will return true.
/^baa/ that will return false.
/^bab/ that will return false.
/^bac/ that will return true.
- At last the password is finally confirmed with regex
How to use?
Just provide values to these variables for your use:
URL (URL for the web-server)
Field (Field on the collection to inject on)
Flag (String which contains the unique success result on injection)
Some Optional values are:
Password (A part of field value)
Password Max length (Default:50)
Password length (Exact field length)