Cheesy Multi-threaded script for NoSQL Injection

This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection.

For this example:

  • Underlying collection on the database contains username and password field
  • Query reflects on URL and admin' && this.password && this.password.match(/.*/)%00 payload works
  • Above payload gives out list of names (eg. admin), if the regex pattern matches

How this script works?

  1. Find the length of password using pattern (/./),(/../),(/.../) and so on..
  2. Find the password from the pre-defined charset by brute-forcing every character like (/^{}/)

For eg. If the password is bac

/^a/ that will return false.

/^b/ that will return true.

/^ba/ that will return true.

/^baa/ that will return false.

/^bab/ that will return false.

/^bac/ that will return true.

  1. At last the password is finally confirmed with regex (/^{}$/)

How to use?

Just provide values to these variables for your use:

  • URL (URL for the web-server)

  • Field (Field on the collection to inject on)

  • Flag (String which contains the unique success result on injection)

Some Optional values are:

  • Password (A part of field value)

  • Requests/sec (Default:10)

  • Password Max length (Default:50)

  • Password length (Exact field length)


View Github