This suite consists of two different scripts, made to automate attacks against NoSQL databases.

Related tags

Miscellaneousmongodbnosqlpentestingctf-toolsnosqlinjection
Overview

NoSQL-Attack-Suite

This suite consists of two different scripts, made to automate attacks against NoSQL databases. The first one looks for a NoSQL Auth Bypass in login forms, while the other one can be used to dump credentials from the database if a NoSQL Auth Bypass is possible. These scripts have been tested on Mango and NodeBlog machines from HackTheBox (HTB). Thanks to @IppSec and @an0nlk for giving me ideas about these scripts.

nosql-login-bypass.py

Description

This script checks for GET,POST and JSON encoded POST requests to find a possible NoSQL Auth Bypass. For every type of request it injects a "template" invalid credential and an Auth Bypass Payload. Then it compares both status code and body of the responses to find discrepancies.

Usage

usage: ./nosql-login-bypass.py [-h] [-t T] [-u U] [-p P] [-o O]
optional arguments:
  -h, --help  show this help message and exit
  -t T        Target URL
  -u U        Username parameter
  -p P        Password parameter
  -o O        Other parameters, separated by comma

Example

./nosql-login-bypass.py -t http://staging-order.mango.htb -u username -p password -o "login=login"

The result will express if the login's form is vulnerable to the attack, and in particular for which type of request.

nosql-login-enum.py

Description

This script dumps credentials from the database, character by character. To make this script work, you need to specify the vulnerable request, the response's code and a string from the response's body of an Auth Bypass correctly done.

Usage

usage: ./nosql-login-enum.py [-h] [-t T] [-u U] [-p P] [-o O] [-m M] [-c C] [-s S] [--json]
optional arguments:
  -h, --help  show this help message and exit
  -t T        Target URL
  -u U        Username parameter
  -p P        Password parameter
  -o O        Other parameters, separated by comma
  -m M        Mode: GET or POST
  -c C        Response's code for correct injection
  -s S        Response's string for correct injection
  --json      Json encoded POST request

Example

./nosql-login-enum.py -t http://10.10.11.139/login -u user -p password -m POST -c 200 -s "UHC" --json

This will dump usernames and passwords from the database.

Notes

If there is any problem, feel free to send your pull requests :)

Owner
Road to eCPPT
GitHub Repository
Stori QA Automation Challenge

Stori-QA-Automation-Challenge This is the repository is created for the Stori QA Intern Automation Engineer Challenge! In this you can find the Requir

Daniel Castañeda 0 Feb 20, 2022
A simple python project which control paint brush in microsoft paint app

Paint Buddy In Python A simple python project which control paint brush in micro

Ordinary Pythoneer 1 Dec 27, 2021
Python Freecell Solver

freecell Python Freecell Solver Very early version right now. You can pick a board by changing the file path in freecell.py If you want to play a game

Ben Kaufman 1 Nov 26, 2021
Get a list of content on your Netflix My List that is expiring in the next month or two.

Netflix My List Expiring Movies Annoyed at Netflix for taking away your movies? Now you don't have to be! Installation instructions Install selenium C

24 Aug 06, 2022
Files for QMC Workshop 2021

QMC Workshop 2021 This repository contains the presented slides and example files for the Quantum Monte Carlo (QMC) Workshop 5 October - 23 November,

QMCPACK 39 Nov 04, 2022
These are the scripts used for the project of ‘Assembly of a pan-genome for global cattle reveals missing sequence and novel structural variation, providing new insights into their diversity and evolution history’

script-SV-genotyping These are the scripts used for the project of ‘Assembly of a pan-genome for global cattle reveals missing sequence and novel stru

2 Aug 26, 2022
A python script that automatically joins a zoom meeting based on your timetable.

Zoom Automation A python script that automatically joins a zoom meeting based on your timetable. What does it do? It performs the following processes:

Shourya Gupta 3 Jan 01, 2022
Ultimate Score Server for RealistikOsu

USSR Ultimate Score Server for RealistikOsu (well not just us but it makes the acronym work.) Also I wonder how long this name will last. What is this

RealistikOsu! 15 Dec 14, 2022
Batch generate asset browser previews

When dealing with hundreds of library files it becomes tedious to mark their contents as assets. Using python to automate the process is a perfect fit

54 Dec 24, 2022
Site de gestion de cave à vin utilisant une BDD manipulée avec SQLite3 via Python

cave-vin Site de gestion de cave à vin utilisant une bdd manipulée avec MySQL ACCEDER AU SITE : Pour accéder à votre cave vous aurez besoin de lancer

Elouann Lucas 0 Jul 05, 2022
Viewer for NFO files

NFO Viewer NFO Viewer is a simple viewer for NFO files, which are "ASCII" art in the CP437 codepage. The advantages of using NFO Viewer instead of a t

Osmo Salomaa 114 Dec 29, 2022
LiteX-Acorn-Baseboard is a baseboard developed around the SQRL's Acorn board (or Nite/LiteFury) expanding their possibilities

LiteX-Acorn-Baseboard is a baseboard developed around the SQRL's Acorn board (or Nite/LiteFury) expanding their possibilities

33 Nov 26, 2022
Python3 Interface to numa Linux library

py-libnuma is python3 interface to numa Linux library so that you can set task affinity and memory affinity in python level for your process which can help you to improve your code's performence.

Dalong 13 Nov 10, 2022
Port of the OpenCascade library to JavaScript / WebAssembly using Emscripten

OpenCascade.js A port of the OpenCascade CAD library to JavaScript and WebAssembly via Emscripten. Explore the docs » Examples · Issues · Discuss Proj

Sebastian Alff 347 Jan 08, 2023
The code submitted for the Analytics Vidhya Jobathon - February 2022

Introduction On February 11th, 2022, Analytics Vidhya conducted a 3-day hackathon in data science. The top candidates had the chance to be selected by

11 Nov 21, 2022
This project recreates the R-based RCy3 Cytoscape Automation library as a Python package.

Python library for calling Cytoscape Automation via CyREST

Cytoscape Consortium 40 Dec 22, 2022
A pet facts python api

Pet-Facts-API A pet facts python api Project Links API :- https://pet-facts-api.vercel.app Docs :- https://fayasnoushad.github.io/Pet-Facts-API

Fayas Noushad 3 Dec 18, 2021
Taking the fight to the establishment.

Throwdown Taking the fight to the establishment. Wat? I wanted a simple markdown interpreter in python and/or javascript to output html for my website

Trevor van Hoof 1 Feb 01, 2022
Council Data Project is an open-source project dedicated to providing journalists, activists, researchers, and all members of each community we serve with the tools they need to stay informed and hold their Council Members accountable.

CDP - Self Council Data Project Council Data Project is an open-source project dedicated to providing journalists, activists, researchers, and all mem

1 May 12, 2022
Malicious Document IoC Extractor is a collection of scripts that helps extracting IoCs from various maldoc families.

MDIExtractor Malicious Document IoC Extractor (MDIExtractor) is a collection of scripts that helps extracting IoCs from various maldoc families. Prere

Malwrologist 14 Nov 25, 2022