Dumping Data with NoSQL Injection via Regex and Python


00:00 - Introduction talking about the application we are testing and identifying NoSQL Injection with $ne
02:30 - Showing the RegEx Operator, which will let us do partial matches and enable us to validate characters one at a time
03:32 - Start of sponsored shoutout to snyk
04:15 - Showing Snyk find some vulnerabilities with Open Source Security
04:40 - Showing Snyk's Code Security
05:54 - Showing and talking about how to patch the vulnerability
07:37 - End of Snyk Shoutout, starting our python script to perform this NoSQL Injection
10:20 - Testing out our test_login logic to identify if we had a successful login or not
11:05 - Showing how we can identify the length of the string we want
13:20 - Creating a loop to automatically identify the length of the string
15:20 - Adding exception handling to the function and talking about the benefits
17:40 - Creating a function to get the username
20:30 - Explaining what our Get_Username function currently does
22:25 - Doing a benchmark on our first iteration of the script and seeing it takes slightly over 3 minutes
24:10 - Adding in a break so it doesn't loop over the full character set every time which gets us to 32 seconds
26:00 - Talking about the major optimization trick we are going to do, validating multiple characters at one time
27:20 - Breaking the enumeration of a single character out into its own function for exception-handling purposes
29:20 - Start of coding the optimization trick
35:06 - Running our code and seeing we got it down to 12 seconds. Moving on to testing the password.
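Added example, not from the video or its script: the server-side side of what the timeline describes. It shows how a login filter that copies decoded JSON straight into the query accepts the `$ne` and `$regex` bodies used in the video, a hardened builder that only accepts plain strings, and a small operator finder that can log such bodies. The field names `username` and `password` are assumed.

```python
from typing import Any, List


class InjectionError(ValueError):
    """Raised when a request body would be read as a query instead of data."""


def find_operators(value: Any) -> List[str]:
    """Return every '$'-prefixed key anywhere in a decoded JSON body.

    Keys such as $ne or $regex only mean something to the query engine, so a
    client-supplied body containing them is an injection attempt worth logging.
    """
    found: List[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            if key.startswith("$"):
                found.append(key)
            found.extend(find_operators(child))
    elif isinstance(value, list):
        for child in value:
            found.extend(find_operators(child))
    return found


def build_login_filter_vulnerable(body: dict) -> dict:
    """The pattern the video exploits: decoded JSON goes straight into the filter.

    {"username": {"$ne": ""}, "password": {"$ne": ""}} matches every document, and
    {"username": {"$regex": "^a"}} answers "does the username start with a?", which
    is what lets a script recover the value one character at a time.
    """
    return {"username": body["username"], "password": body["password"]}


def build_login_filter_safe(body: dict) -> dict:
    """Hardened version: operators are rejected and both fields must be strings."""
    operators = find_operators(body)
    if operators:
        raise InjectionError(f"query operators in request body: {operators}")
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise InjectionError("username and password must be strings")
    # Look the user up by name only; the password is then checked against its
    # stored hash in application code, never compared inside the query.
    return {"username": username}


def is_rejected(body: dict) -> bool:
    """True when the hardened builder refuses the body (used by the checks)."""
    try:
        build_login_filter_safe(body)
    except InjectionError:
        return True
    return False
```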
Comments

Excellent video Ippsec and happy birthday!

jmpeax
I only watched the first 2 minutes of this video, now I feel compelled to watch it all, lol.

AUBCodeII
We appreciate your knowledge sharing with us!

nikitabohuslavskii
Hi, cool video. Just a random contrib: you don't need a try-except block to write a raise statement, you can just call it; also python loops have else statements, then you can put an else if the loop reaches the end without breaking. Example:

    for i in range(10):
        # blah blah (the loop body, which breaks once a match is found)
    else:
        raise Exception("Loop didn't break")

jrmiasmg
I only watched halfway, but before I forget about it:
- catching exceptions only to re-raise them is redundant, just let them bubble through to save on try-except indentations
- the proxies variable should be globally defined right after the imports, so it's easy for anyone to find and modify (can be {} for no proxy)
It's so easy when you're just watching and not doing the thinking and commenting.
Edit: Fixed in video
- there's no break to jump out of the for-loop when a valid character is found, so useless requests will continue to happen (I'm sure this will be fixed once I resume the video)
- there is no feedback (yet) in case the username char to be guessed doesn't exist in the charset, unlike exhausting all possible username lengths
- no need to re-assign charset on every function call, charset should be a global constant or variable
  - fixed because the optimization modifies that function-level charset. However I'd still define a global charset constant on top so you can easily swap it

spacenomad
Dude, awesome video as always. Thank you very much. What plugin do you use in vsc for autocompleting your python code?

vivahouse
Just asking
Is the optimization binary search?🤔

SplitUnknown
Where is this box located on the HTB website? Thanks

Fbarrett
You could have done it running intruder with grep match and cluster bomb attack as well, but great video anyways, thumbs up.

xgreyhound
Dude you are amazing. I don't know, but I wish you could teach us python for ethical hacking from the basics up to pro things.

Hashghost
Bro called me a noob/script-kiddie in 1337 different languages XD

Nckdgr