codingo / nosqlmap

Automated NoSQL database enumeration and web application exploitation tool.

License: GNU General Public License v3.0

Python 91.34% PHP 6.85% HTML 0.40% Dockerfile 1.31% Shell 0.11%
bugbounty couchdb databases enumeration hacking hacking-tool hacktoberfest mongodb mongodb-database nosql nosql-databases offensive-security penetration-testing redis scanner security-audit security-tools security-toolset sql-injection web-application-security

nosqlmap's Introduction

NoSQLMap

Python 2.6|2.7

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database.

Originally authored by @tcsstool and now maintained by @codingo_, NoSQLMap is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool sqlmap. Its concepts are based on, and are extensions of, Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases".

NoSQLMap MongoDB Management Attack Demo.

Summary

What is NoSQL?

A NoSQL (originally referring to "non SQL", "non relational" or "not only SQL") database provides a mechanism for storage and retrieval of data which is modeled in means other than the tabular relations used in relational databases. Such databases have existed since the late 1960s, but did not obtain the "NoSQL" moniker until a surge of popularity in the early twenty-first century, triggered by the needs of Web 2.0 companies such as Facebook, Google, and Amazon.com. NoSQL databases are increasingly used in big data and real-time web applications. NoSQL systems are also sometimes called "Not only SQL" to emphasize that they may support SQL-like query languages.

DBMS Support

Presently the tool's exploits are focused on MongoDB and CouchDB, but additional support for other NoSQL based platforms such as Redis and Cassandra is planned in future releases.

Requirements

On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.

Varies based on features used:

  • Metasploit Framework
  • Python with PyMongo
  • httplib2
  • urllib
  • A local, default MongoDB instance for cloning databases to. Check here for installation instructions.

Various other libraries are required that a normal Python installation should have readily available. Your mileage may vary; check the script.

Setup

python setup.py install

Alternatively you can build a Docker image by changing to the docker directory and entering:

docker build -t nosqlmap .

or you can use Docker-compose to run Nosqlmap:

docker-compose build
docker-compose run nosqlmap

Usage Instructions

Start with

python NoSQLMap

NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with the main menu:

1-Set options (do this first)
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
x-Exit

Explanation of options:

1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack.
2. Set web app port-TCP port for the web application if a web application is the target.
3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. /app/acct.php?acctid=102).
4. Set HTTP Request Method (GET/POST)-Set the request method to GET or POST. Presently only GET is implemented; support for POST requests exported from Burp is being worked on.
5. Set my local Mongo/Shell IP-If attacking a MongoDB instance directly, set this option to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to.
6. Set shell listener port-If opening Meterpreter shells, specify the port.
7. Load options file-Load a previously saved set of settings for 1-6.
8. Load options from saved Burp request-Parse a request saved from Burp Suite and populate the web application options.
9. Save options file-Save settings 1-6 for future use.
x. Back to main menu-Use this once the options are set to start your attacks.

Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate for whether you are attacking a NoSQL management port or web application. The rest of the tool is "wizard" based and fairly self explanatory, but send emails to [email protected] or find me on Twitter @codingo_ if you have any questions or suggestions.

Vulnerable Applications

This repo also includes an intentionally vulnerable web application to test NoSQLMap with. To run this application, you need Docker installed. Then you can run the following commands from the /vuln_apps directory.

docker-compose build && docker-compose up

Once that is complete, you should be able to access the vulnerable application by visiting: https://127.0.0.1/index.html

nosqlmap's People

Contributors

0x0d1n, abdilahrf, adriendb, akash0x53, alexdetrano, andresriancho, augustd, bbeale, blshkv, captainfreak, codingo, dannnno, darinrogers, dependabot[bot], gabu-b, gu4xin1m, jeromenaucelle, khbecker, mark-a, maurizioabba, mhapankar123, nythiennzo, qwokka, rasphilco, sdcampbell, sudhanshuc, tcstool, vantekken, youngyangyang04, za

nosqlmap's Issues

Crash when getting db name

Using current version 0.5.
Crash when fetching db name.
Injecting on GET request.

Response varied 17660 bytes from random parameter value! Injection works!
Start timing based tests (y/n)? n
MongoDB < 2.4 detected.  Start brute forcing database info (y/n)? y
Getting baseline True query return size...
Got baseline true query length of 12344
Calculating DB name length...
Got database name length of 13 characters.
Database Name:  x e V d t
Traceback (most recent call last):
  File "nosqlmap.py", line 1752, in <module>
    main()
  File "nosqlmap.py", line 60, in main
    mainMenu()
  File "nosqlmap.py", line 112, in mainMenu
    getApps()
  File "nosqlmap.py", line 1078, in getApps
    getDBInfo()
  File "nosqlmap.py", line 1561, in getDBInfo
    charUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.charAt(" + str(nameCounter) + ") == '"+ chars[charCounter] + "') { return true; } var dum='a" + "&")
IndexError: string index out of range

Proxy support

It would be nice to support testing through an HTTP proxy, so one can use Burp to proxy. Think of corporate networks with NTLM auth proxies.

List Index out of range

I am trying to strike with an email random string of 16 characters but I get a traceback error:
PS: it is form injection instead of URL injection

Baseline test-Enter random string size: 16
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 4
Using [email protected] for injection testing.

Traceback (most recent call last):
  File "nosqlmap.py", line 761, in <module>
    mainMenu()
  File "nosqlmap.py", line 67, in mainMenu
    mainMenu()
  File "nosqlmap.py", line 48, in mainMenu
    options()
  File "nosqlmap.py", line 121, in options
    options()
  File "nosqlmap.py", line 133, in options
    options()
  File "nosqlmap.py", line 202, in options
    mainMenu()
  File "nosqlmap.py", line 63, in mainMenu
    webApps()
  File "nosqlmap.py", line 349, in webApps
    randomUri = buildUri(appURL,injectString)
  File "nosqlmap.py", line 664, in buildUri
    mainMenu()
  File "nosqlmap.py", line 48, in mainMenu
    options()
  File "nosqlmap.py", line 190, in options
    options()
  File "nosqlmap.py", line 202, in options
    mainMenu()
  File "nosqlmap.py", line 63, in mainMenu
    webApps()
  File "nosqlmap.py", line 349, in webApps
    randomUri = buildUri(appURL,injectString)
  File "nosqlmap.py", line 664, in buildUri
    mainMenu()
  File "nosqlmap.py", line 48, in mainMenu
    options()
  File "nosqlmap.py", line 133, in options
    options()
  File "nosqlmap.py", line 152, in options
    options()
  File "nosqlmap.py", line 202, in options
    mainMenu()
  File "nosqlmap.py", line 63, in mainMenu
    webApps()
  File "nosqlmap.py", line 349, in webApps
    randomUri = buildUri(appURL,injectString)
  File "nosqlmap.py", line 643, in buildUri
    params = split_uri[1].split("&")
IndexError: list index out of range

Target is "forgotten" after selection

Hi,

I am testing this application and when I go to option 1 (set options) and I set the target (an IP) and go to option 2 (NoSQL DB Access Attacks) it always outputs that I did not set a target. What am I doing wrong?

When I use the same IP to check for anonymous access it grants me access.

Kind regards,
Ray

-edit-

Checking to see if credentials are needed...
Successful access with no credentials!

I think I forgot to set one of the options, sorry about this topic!

Options bugs

  1. Option 4 (Toggle HTTPS) and 9 (Toggle Verbose Mode) aren't saved to the configuration file.

  2. Option 6. Despite showing the default being GET, one still has to explicitly select the GET option. Otherwise the requestHeaders variable is not set and the app erroneously reports "Looks like the server didn't respond. Check your options.", while the truth is that line 834 --

    req = urllib2.Request(appURL, None, requestHeaders)

-- just throws an exception because of the undefined requestHeaders variable. So requestHeaders should by default be initialized with an empty dict and make its way into the configuration file.

json support

Hi, I'm testing a web application which sends and receives JSON objects. That doesn't seem supported since the tool is expecting traditional parameters.
Could you add a JSON parser as well?

Testbed Available?

It would be nice to have the testbed code you used in the videos to run this thing against, can you upload that on github?

No error or warning message seen when tried to perform "NoSQL DB Access Attacks"

What's the problem (or question)?

No error or warning message seen when tried to perform "NoSQL DB Access Attacks"

Through Set options, the Host IP, Mongo Shell IP and TCP port listener are provided, and when option 2, i.e. NoSQL DB Access Attacks, is entered, it does not error out. It simply removes the 2 and the prompt waits for you to enter any value.

Do you have an idea for a solution?

When option "2. NoSQL DB Access Attacks" is provided it should work or if there is any mistake it should error out.

How can we reproduce the issue?

  1. Installed MongoDB and created a db instance

    show dbs
    use demo
    db.users.save( {username:"demo"} )
    db.users.find()
    show dbs

  2. Installed NoSQLMap
  3. Run ./noSQLMap and run/selected following options
    3.1 Set the target or host IP to 192.168.104.96
    3.2 Set the Host IP for Mongo/Shells 192.168.104.96
    3.3 Set TCP listener port 4444
    3.4 Now select option 2 i.e. NoSQL DB Access Attack
  4. When you hit enter, nothing is happening. No error message or any warning message

What are the running context details?

  • Installation method ( zip/tar.gz):

tar.gz

  • Client OS (Ubuntu)

poc@poc3:~/Downloads/NoSQLMap-master$ uname -a

Linux poc3 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

  • Program version (python sqlmap.py --version or sqlmap --version depending on installation):

v.07

NoSQLMap==0.7

  • Target DBMS (e.g. Mongo):

MongoDB

  • Detected WAF/IDS/IPS protection (e.g. ModSecurity or unknown):

Unknown

  • Results of manual target assessment

  • Relevant console output (if any):

No error or warning message. Nothing happens when you hit the second option, i.e. "NoSQLMap DB Access Attacks"

  • Exception traceback (if any):
    None

setup.py: broken install

Clone the latest version:

git clone https://github.com/codingo/NoSQLMap.git 

install it:

python setup.py install --user

Run:

bash$ python2 ~/.local/bin/NoSQLMap 

Traceback (most recent call last):
  File "./NoSQLMap", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 3126, in <module>
    @_call_aside
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 3110, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 3139, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 581, in _build_master
    ws.require(__requires__)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 898, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 784, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'NoSQLMap==0.7' distribution was not found and is required by the application

Stuck in Baseline setup

What's the problem (or question)?

I am stuck in the Baseline setup

How can we reproduce the issue?

  1. set options for a web app
  2. start NoSQL Web Attack
  3. select random string size
  4. select format of random string size

What are the running context details?

OS : Ubuntu server 18

Output:

App is up! Got response length of 24932 and response time of 0.038 seconds. Starting injection test.

Baseline test-Enter random string size: 2
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 1
Select an option: 2
Select an option: 3
Select an option: 4
Select an option: 1
Select an option: 2
Select an option: 3
Select an option: 4
Select an option: 5
Invalid selection.
Select an option: Cry

URL Encoding resulting in false negatives

What's the problem (or question)?

NoSQLMap does URL encoding of parameters, including the =, which causes unexpected behavior (false negatives) when running vulnerability checks in some applications. For example, in an application I am currently pen testing, if I do a query in a browser with the target param blank, such as:
https://url/program.py?Param=
Every possible row is returned (essentially no filter is applied so everything is selected).
If I provide a non-existent value, such as
https://url/program.py?Param=xxx
No rows are returned, since there are no matching records (as expected).

Choosing a 3 (random) character test string, this is the URL that NoSQLMap requests (substituting xxx with the 3 character string):
https://url/program.py?Param%3Dxxx
In this application all rows are returned for the baseline, because the %3D (encoded "=") is not properly handled. It's unclear to me what is at fault here (the web server? the application itself?) but it's clear the app does not behave as expected when the request URLs are encoded. I believe this may have worked before the function "urllib.quote_plus" was introduced to the nsmweb.py file, but I hadn't tried this tool prior to this week.

Do you have an idea for a solution?

I modified line 968 of nsmweb.py from:

    uriArray[x]=split_uri[0]+"?"+urllib.quote_plus(uriArray[x][:-1])

to:

    uriArray[x]=split_uri[0]+"?"+uriArray[x][:-1]

This resolved the issue for me and the false negatives disappeared.

How can we reproduce the issue?

It's unclear to me what is at fault in my scenario. It is probably the application (the python script) not properly handling URL encoding, in which case you would need to set up an app that tried to read the URL parameters as "Raw" strings.

What are the running context details?

NoSQLMap v0.7 (I pulled from git this week).
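The encoding behaviour reported above, and the `split_uri[1]` IndexError from the earlier "List Index out of range" report, both come down to how the query string is split and re-encoded. The following is an added example, not NoSQLMap's code: it is written for Python 3 (the tool itself is Python 2), and all function names and the sample URI are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit


def split_target(uri):
    """Split a path-plus-query URI into (path, [(name, value), ...]).

    A URI with no '?' (a form target such as /login) yields an empty
    parameter list rather than an IndexError on split("?")[1].
    """
    parts = urlsplit(uri)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def substitute(params, target, value):
    """Return params with target's value replaced; fail loudly if absent."""
    if target not in [name for name, _ in params]:
        raise ValueError("parameter %r is not in the query string" % target)
    return [(n, value if n == target else v) for n, v in params]


def build_quoting_whole_query(uri, target, value):
    """Reported behaviour: quote_plus() applied to the assembled query string."""
    path, params = split_target(uri)
    raw = "&".join("%s=%s" % pair for pair in substitute(params, target, value))
    return path + "?" + quote_plus(raw)


def build_encoding_each_pair(uri, target, value):
    """Encode names and values separately so '=' and '&' stay delimiters."""
    path, params = split_target(uri)
    return path + "?" + urlencode(substitute(params, target, value))


def server_view(uri):
    """Parameters a standards-following server-side parser would extract."""
    return dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))


# Constructed input modelled on the URL in the report above.
SAMPLE_URI = "/program.py?Param="

if __name__ == "__main__":
    for build in (build_quoting_whole_query, build_encoding_each_pair):
        built = build(SAMPLE_URI, "Param", "xxx")
        print(build.__name__, built, server_view(built))
    print(split_target("/login"))
```

With the whole query quoted, the server sees a single parameter literally named `Param=xxx` with an empty value, so no `Param` filter is applied; per-pair encoding keeps the delimiters and still escapes values that contain `&`, `=` or spaces.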

'git describe' Error

Because of this commit the script won't run

Error message:

$ python nosqlmap.py
fatal: No annotated tags can describe 'd0de7d468234126992c97d971a8b606f01e4f2e2'.
However, there were unannotated tags: try --tags.
Traceback (most recent call last):
  File "nosqlmap.py", line 758, in <module>
    mainMenu()
  File "nosqlmap.py", line 36, in mainMenu
    label = subprocess.check_output(["git","describe"])
  File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['git', 'describe']' returned non-zero exit status 128

Http Error 401 - Server didn't respond

What's the problem (or question)?

We are trying to hit a box for Web App Attack through nosqlmap but it gives a 401 error, though we can access the same URL from the browser and it works with a response.

Do you have an idea for a solution?

No idea

How can we reproduce the issue?


v0.7 [email protected]
1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 3

Web App Attacks (GET)
===============
Checking to see if site at qa.orrc.com:443/v1/entity/info/5d2f10c252faff0001b865ef is up...
https://qa.orrc.com:443/v1/entity/info/5d2f10c252faff0001b865ef
HTTP Error 401:
Looks like the server didn't respond.  Check your options.
Press enter to continue...

What are the running context details?

  • Installation method (e.g. pip, apt-get, git clone or zip/tar.gz): zip
  • Client OS (e.g. Microsoft Windows 10) Windows 10
  • Program version (python sqlmap.py --version or sqlmap --version depending on installation): 0.7
  • Target DBMS (e.g. Mongo): Mongo
  • Detected WAF/IDS/IPS protection (e.g. ModSecurity or unknown):
  • Results of manual target assessment
  • Relevant console output (if any):
  • Exception traceback (if any):
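In this report and in the earlier "Options bugs" report, two different conditions (an HTTP 401 from a live server, and an exception caused by an unset requestHeaders) both end in "Looks like the server didn't respond." The following is an added example, not NoSQLMap's code, of a reachability check that keeps those cases apart; it is Python 3, and `probe`, the state names and the fake openers are assumptions made for illustration.

```python
import http.client
import urllib.error
import urllib.request


def probe(url, request_headers=None, opener=urllib.request.urlopen, timeout=10):
    """Classify a reachability check as (state, detail).

    Only HTTP and transport errors are caught; a programming error such as
    a NameError propagates instead of being reported as a dead server.
    """
    # An unset header option becomes an empty dict, never an undefined name.
    headers = dict(request_headers or {})
    req = urllib.request.Request(url, None, headers)
    try:
        resp = opener(req, timeout=timeout)
    except urllib.error.HTTPError as exc:
        # HTTPError subclasses URLError, so it has to be caught first.
        # The server did answer; 401/403 mean credentials are missing.
        state = "auth_required" if exc.code in (401, 403) else "http_error"
        return (state, exc.code)
    except urllib.error.URLError as exc:
        # DNS failure, refused connection, TLS failure: nothing answered.
        return ("no_response", str(exc.reason))
    except http.client.HTTPException as exc:
        # Connection opened but the reply was not valid HTTP,
        # for example an empty status line (BadStatusLine).
        return ("bad_response", type(exc).__name__)
    except OSError as exc:
        # Socket timeouts and resets raised while reading the reply.
        return ("no_response", str(exc))
    return ("up", resp.getcode())


class FakeResponse:
    """Constructed stand-in for a successful response object."""

    def getcode(self):
        return 200


def fake_opener(outcome):
    """Constructed opener that returns or raises a fixed outcome (offline)."""
    def opener(req, timeout=None):
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return opener


def demo():
    """Run probe() over constructed outcomes; no network traffic is sent."""
    url = "https://app.example.test/v1/info"  # placeholder host
    cases = {
        "ok": FakeResponse(),
        "401": urllib.error.HTTPError(url, 401, "Unauthorized", None, None),
        "500": urllib.error.HTTPError(url, 500, "Server Error", None, None),
        "refused": urllib.error.URLError("connection refused"),
        "empty_status": http.client.BadStatusLine(""),
    }
    return {name: probe(url, opener=fake_opener(o)) for name, o in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```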

POST Request Attack Error in Interactive Mode

What's the problem (or question)?

When using nosqlmap in interactive mode, the web attack will fail when using HTTP POST method due to the postParameter variable not being defined.

Do you have an idea for a solution?

To solve the issue, replace line 340 in nosqlmap.py from this:

build_post_data(postDataIn)

To this:

postData = build_post_data(postDataIn)

How can we reproduce the issue?

  1. Run nosqlmap
  2. Select option 1 to set options
  3. Populate all needed options for Web attacks
  4. Set option 6 to post and enter the post parameters
  5. Go back to main menu
  6. Select option 3 for web attacks

At this point the app will fail with message:
NameError: global name 'postData' is not defined

What are the running context details?

Kali linux running stand alone cloned from github.

git release tags

Please consider doing frequent git tags on GitHub so distros can properly pick up nosqlmap into distro repositories. The last release is years old, thanks for considering.

Migrate to python 3

Hello there!
Thank you for working on this project! Python 2 reached end of life at the end of 2019. So NoSQLMap should really migrate to python 3.

Best regards, ellcs

Cannot load headers from backup file

What's the problem (or question)?

Headers are not loaded when getting the options from a saved file.

Do you have an idea for a solution?

It's just a minor change to do, I already coded it. I just need a bug fix ID to do the pull request.

Add command line arguments (so you do not need to keep loading session files) + Colour support!

If it is possible, could the following settings be put into command line arguments so it doesn't need to be interactive in order to use the program:

1-Set target host/IP (Current: 10.11.1.xxx)
2-Set web app port (Current: 443)
3-Set App Path (Current: /app)
4-Toggle HTTPS (Current: ON)
5-Set MongoDB Port (Current : 27017)
6-Set HTTP Request Method (GET/POST) (Current: GET)
7-Set my local MongoDB/Shell IP (Current: Not Set)
8-Set shell listener port (Current: Not Set)
9-Toggle Verbose Mode: (Current: ON)

e.g.

python nosqlmap.py --url 10.11.1.xxx --port 443 --path "/path/db"

application crashes if no random string size is entered

If you attack a web app and hit enter too soon instead of entering a random string size, the application crashes because "injectSize" cannot be cast to int. Maybe you could set a default size if nothing is entered to prevent the app from crashing.

    # nosqlmap.py, lines 433-435
    injectSize = raw_input("Baseline test-Enter random string size: ")
    injectString = randInjString(int(injectSize))
    print "Using " + injectString + " for injection testing.\n"

Keep up the good work.
Cheers

Crash on timing based test

Hi, when running a test against a node app the first part is working fine but when I try to run timing based test it crashes... please see the run below:

Checking to see if site at 127.0.0.1:49090/ is up...
App is up!
List of parameters:
1-user
2-pass
Which parameter should we inject? 1
Injecting the user parameter...
Baseline test-Enter random string size: 6
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 1
Using 8uiMZd for injection testing.

Sending random parameter value...
Got response length of 78.
No change in response size injecting a random parameter..

Test 1: PHP/ExpressJS != associative array injection
Injection failed.


Test 2:  PHP/ExpressJS > Undefined Injection
Injection failed.
Test 3: $where injection (string escape)
Possible injection.


Test 4: $where injection (integer escape)
Possible injection.


Test 5: $where injection string escape (single record)
Possible injection.


Test 6: $where injection integer escape (single record)
Possible injection.


Test 7: This != injection (string escape)
Possible injection.


Test 8:  This != injection (integer escape)
Possible injection.


Start timing based tests (y/n)? y
Starting Javascript string escape time based injection...
Traceback (most recent call last):
  File "nosqlmap.py", line 469, in <module>
    main()
  File "nosqlmap.py", line 51, in main
    mainMenu()
  File "nosqlmap.py", line 112, in mainMenu
    nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)
  File "/Users/odinn/InfoSec/NoSQLMap/nsmweb.py", line 635, in postApps
    conn = urllib2.urlopen(req,body)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1227, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1200, in do_open
    r = h.getresponse(buffering=True)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 1132, in getresponse
    response.begin()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 453, in begin
    version, status, reason = self._read_status()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py", line 417, in _read_status
    raise BadStatusLine(line)
httplib.BadStatusLine: ''
NoSQLMap➜  NoSQLMap git:(stable) ✗

Just in case you will need it as well i set it up to run on 127.0.0.1 with port 49090 (this is the port that the docker exposes) and path "/" (the index is the page) and with 2 post params and ran the attack on the first one.

Thanks.

Issue with using a POST request attack

Hi there, I received the following error when trying to attack a web application with a POST request. Could you please let me know if this is a bug or if I did something wrong? I couldn't find much info about the POST based attacks specifically so I might have done it incorrectly.

Injecting {'CompanyName[$gt]': '', 'CompanyName': "a'; return db.a.find(); var dummy='!"}
Response varied 17660 bytes from random parameter value! Injection works!
Traceback (most recent call last):
  File "nosqlmap.py", line 462, in <module>
    main()
  File "nosqlmap.py", line 51, in main
    mainMenu()
  File "nosqlmap.py", line 112, in mainMenu
    nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)
  File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 520, in postApps
    checkResult(randLength,injLen,testNum,verb)
  File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 780, in checkResult
    vulnAddrs.append(str(postData))
NameError: global name 'postData' is not defined

Required Json

To run a web application, JSON support is required. Please add JSON.

Create base exceptions class

Exceptions are currently somewhat generic, creating a base exceptions class is needed as a first step to making a standard module/class structure for various DBMS systems

hi

i want to learn hacking

Getting KeyError when running NoSQLMap against couchdb

I am fairly new to this script and therefore bear with my lack of expertise here. I am trying to run this against our internal system to see how vulnerable are we before we do pen-testing from professional guys.
DB is couchdb and had selected the Enumerate Databases/Users/Passwords under "select an Attack"
Options were all correctly set:
Platform is : CouchDB
DNS/IP address was set: < cannot share>
couchDB port is default( 5984)
couchDB IP was set : < cannot share>

But for above mentioned option, I do get the tables but not the other information. nosqlmap crashed with the following error:

Traceback (most recent call last):
  File "/usr/local/bin/nosqlmap.py", line 4, in <module>
    __import__('pkg_resources').run_script('NoSQLMap==0.7', 'nosqlmap.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 666, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1469, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 543, in <module>
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 46, in main
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 88, in mainMenu
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmcouch.py", line 135, in netAttacks
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmcouch.py", line 189, in enumDbs
KeyError: 'total_rows'

I am using python 2.x .

Crash of the Tool

Here is what I tried. Downloaded the MeanBug application (https://github.com/dbohannon/MEANBug) to try out NoSQLMap.

Configured as below and the tool crashed while running an injection run on one of the POST parameters

v0.7 [email protected]

1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 3
Web App Attacks (POST)

Checking to see if site at localhost:9000/login is up...
App is up! Got response length of 993 and response time of 0.0 seconds. Starting injection test.

List of parameters:
1-user
2-pass
Which parameter should we inject? 2
Injecting the pass parameter...
Baseline test-Enter random string size: 3
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 1
Using OxQ for injection testing.

Checking random injected parameter HTTP response size sending {'user': 'admin', 'pass': 'OxQ'}...

Got response length of 993.
No change in response size injecting a random parameter..

Testing Mongo PHP not equals associative array injection using {'pass[$ne]': 'OxQ', 'user': 'admin'}...
Random string response size and not equals injection were the same. Injection did not work.

Testing PHP/ExpressJS >Undefined Injection using {'pass[$gt]': '', 'user': 'admin'}...
Random string response size and not equals injection were the same. Injection did not work.
Testing Mongo <2.4 $where all Javascript string escape attack for all records...

Injecting {'pass[$gt]': '', 'user': 'admin', 'pass': "a'; return db.a.find(); var dummy='!"}
Traceback (most recent call last):
  File "/usr/local/bin/nosqlmap.py", line 4, in <module>
    __import__('pkg_resources').run_script('NoSQLMap==0.7', 'nosqlmap.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 742, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1510, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 457, in <module>
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 41, in main
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 97, in mainMenu
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmweb.py", line 529, in postApps
  File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmweb.py", line 358, in getResponseBodyHandlingErrors
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1228, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1201, in do_open
    r = h.getresponse(buffering=True)
  File "/usr/lib/python2.7/httplib.py", line 1121, in getresponse
    response.begin()
  File "/usr/lib/python2.7/httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python2.7/httplib.py", line 402, in _read_status
    raise BadStatusLine(line)
httplib.BadStatusLine: ''
root@kali:~/NoSQLMap#

Enhancing Detection Capability

Using NoSQLMap on OWASP juice-shop's vulnerable endpoint doesn't detect the bug.
The vulnerability can be easily detected by manually submitting the payload ' || true ||'.
OWASP Juice-shop uses MongoDB as its NoSQL DB.
You can try to reproduce this by:

  1. Registering a user at juice-shop.herokuapp.com
  2. Submitting multiple orders
  3. Detecting the vulnerability by submitting the above payload in the order tracking functionality.

API Endpoint : http://juice-shop.herokuapp.com/rest/track-order/{injection}

Would love to add this detection capability. Not aware if NoSQLMap already handles this context.
You can check out the vulnerable code and its context here

Can I use this to test “Express” framework?

When I try, it says:

Sending random parameter value...
Got response length of 63.
Random value variance: 119071

Test 1: PHP/ExpressJS != associative array injection
Injection failed.


Test 2: $where injection (string escape)
Traceback (most recent call last):
  File "./nosqlmap.py", line 469, in <module>
    main()
  File "./nosqlmap.py", line 51, in main
    mainMenu()
  File "./nosqlmap.py", line 109, in mainMenu
    nsmweb.getApps(webPort,victim,uri,https,verb,requestHeaders)
  File "/home/pws019/Desktop/software/NoSQLMap/nsmweb.py", line 146, in getApps
    errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 1228, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/local/python3/lib/python2.7/urllib2.py", line 1201, in do_open
    r = h.getresponse(buffering=True)
  File "/usr/local/python3/lib/python2.7/httplib.py", line 1121, in getresponse
    response.begin()
  File "/usr/local/python3/lib/python2.7/httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "/usr/local/python3/lib/python2.7/httplib.py", line 402, in _read_status
    raise BadStatusLine(line)
httplib.BadStatusLine: ''

Uninstall

Is there an automatic way to uninstall it?

TypeError: range() integer end argument expected, got str.

Hello;
I set options using a Burp request, and when I want to use the web app attack (Mongo and Node.js web app) I encounter an error:

....
List of parameters:
1-password
2-email
Which parameter should we inject? 1
Injecting the password parameter...
Baseline test-Enter random string size: 10
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 1
Traceback (most recent call last):
File "/usr/local/bin/nosqlmap.py", line 4, in <module>
__import__('pkg_resources').run_script('NoSQLMap==0.7', 'nosqlmap.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 664, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1451, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 534, in <module>

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 46, in main

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 102, in mainMenu

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmweb.py", line 486, in postApps

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.7-py2.7.egg/EGG-INFO/scripts/nsmweb.py", line 885, in build_random_string

TypeError: range() integer end argument expected, got str.

Error responses from web attack crash program

If a call returns an error status code (e.g. 422, which is a valid response in my app as it tells the browser that the call didn't succeed and to show an error to the user), the program crashes. The stack trace looks like this:

Sending random parameter value...
Traceback (most recent call last):
File "/usr/local/bin/NoSQLMap", line 9, in <module>
load_entry_point('NoSQLMap==0.5', 'console_scripts', 'NoSQLMap')()
File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.5-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 60, in main

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.5-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 115, in mainMenu

File "/usr/local/lib/python2.7/dist-packages/NoSQLMap-0.5-py2.7.egg/EGG-INFO/scripts/nosqlmap.py", line 534, in postApps

File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 410, in open
response = meth(req, response)
File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
'http', request, response, code, msg, hdrs)
File "/usr/lib/python2.7/urllib2.py", line 448, in error
return self._call_chain(*args)
File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 422: Unprocessable Entity
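
One way to keep a probe loop alive when the target answers with an error status or drops the connection, as in the 422 and BadStatusLine tracebacks above. This is an added Python 3 example, not NoSQLMap's code; `probe`, `Probe` and the stub openers are hypothetical names, and the stub responses are constructed so the block runs offline.

```python
import http.client
import io
import urllib.error
import urllib.request
from collections import namedtuple
from email.message import Message

# status is None when no HTTP response was received at all.
Probe = namedtuple("Probe", "status body error")


def probe(url, opener=urllib.request.urlopen, timeout=10):
    """Fetch url and always return a Probe instead of raising.

    `opener` is injectable so the handling can be exercised without a network.
    """
    try:
        resp = opener(url, timeout=timeout)
        return Probe(resp.getcode(), resp.read(), None)
    except urllib.error.HTTPError as exc:
        # 4xx/5xx: the server did answer, and the exception carries the body.
        # Must come before URLError, which is its parent class.
        return Probe(exc.code, exc.read(), None)
    except http.client.HTTPException as exc:
        # BadStatusLine / RemoteDisconnected: the peer closed the connection
        # or sent something that is not an HTTP status line.
        return Probe(None, b"", "malformed or empty response: %r" % (exc,))
    except (urllib.error.URLError, OSError) as exc:
        # DNS failure, refused connection, timeout.
        return Probe(None, b"", "transport error: %s" % (exc,))


# --- constructed failure cases (stand-ins for a real server) ---
def _opener_422(url, timeout=None):
    body = io.BytesIO(b'{"error":"invalid credentials"}')
    raise urllib.error.HTTPError(url, 422, "Unprocessable Entity", Message(), body)


def _opener_empty(url, timeout=None):
    raise http.client.BadStatusLine("")


def _opener_dns(url, timeout=None):
    raise urllib.error.URLError(OSError(-2, "Name or service not known"))


if __name__ == "__main__":
    for stub in (_opener_422, _opener_empty, _opener_dns):
        result = probe("http://app.example/login", opener=stub)
        print(stub.__name__, result.status, len(result.body), result.error)
```

With this shape, a 422 still yields a body length that can be compared against a baseline, and only a missing response is reported as a failure.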

changing options after failed attacks

Trying to run an attack through options 2 and 3 then receiving:

Checking to see if credentials are needed...
Couldn't connect to Mongo server.

When this is received and you try to adjust the settings within option 1, the following error occurs:

Traceback (most recent call last):
File "./nosqlmap.py", line 1752, in <module>
main()
File "./nosqlmap.py", line 60, in main
mainMenu()
File "./nosqlmap.py", line 93, in mainMenu
options()
File "./nosqlmap.py", line 199, in options
while optSelect:
UnboundLocalError: local variable 'optSelect' referenced before assignment

Issue when Loading the Options file

What's the problem (or question)?

Get an error while opening the options file from nosqlmap

Do you have an idea for a solution?

How can we reproduce the issue?

C:\NoSQLMap-master>python nosqlmap.py
'clear' is not recognized as an internal or external command,
operable program or batch file.


 _  _     ___  ___  _    __  __           
| \| |___/ __|/ _ \| |  |  \/  |__ _ _ __ 
| .` / _ \__ \ (_) | |__| |\/| / _` | '_ \
|_|\_\___/___/\__\_\____|_|  |_\__,_| .__/
 v0.7 [email protected]        |_|   

1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 1

Options
1-Set target host/IP (Current: Not Set)
2-Set web app port (Current: 80)
3-Set App Path (Current: Not Set)
4-Toggle HTTPS (Current: OFF)
5-Set MongoDB Port (Current : 27017)
6-Set HTTP Request Method (GET/POST) (Current: GET)
7-Set my local MongoDB/Shell IP (Current: Not Set)
8-Set shell listener port (Current: Not Set)
9-Toggle Verbose Mode: (Current: OFF)
0-Load options file
a-Load options from saved Burp request
b-Save options file
h-Set headers
x-Back to main menu

Select an option: 0
Enter file name to load: c:\burp

Traceback (most recent call last):
File "nosqlmap.py", line 544, in <module>
main(args)
File "nosqlmap.py", line 47, in main
mainMenu()
File "nosqlmap.py", line 81, in mainMenu
options()
File "nosqlmap.py", line 419, in options
optList = csvOpt[0].split(",")
NameError: global name 'csvOpt' is not defined

What are the running context details?

  • Installation method (e.g. pip, apt-get, git clone or zip/tar.gz): zip
  • Client OS (e.g. Microsoft Windows 10) Windows 10
  • Program version (python sqlmap.py --version or sqlmap --version depending on installation): 0.7
  • Target DBMS (e.g. Mongo): Mongo
  • Detected WAF/IDS/IPS protection (e.g. ModSecurity or unknown):
  • Results of manual target assessment
  • Relevant console output (if any):
  • Exception traceback (if any):

NoSQLMap is unable to find target

Using commit 898a60b.

NoSQLMap is reporting the target does not respond correctly, when in fact it does (see cURL at the end).

Edit:
Another issue - when it cannot find the target, re-running will cause a crash. (see first comment)

root@kali:~/NoSQLMap-0.5# cat test 
xx.xx.xx.xxx,443,/cgi-bin/mongo/2.2.3/dbparse.py,GET,Not Set,Not Set,ON,ON,
{}root@kali:~/NoSQLMap-0.5# python nosqlmap.py 
====================================================
 _   _       _____  _____ _     ___  ___            
| \ | |     /  ___||  _  | |    |  \/  |            
|  \| | ___ \ `--. | | | | |    | .  . | __ _ _ __  
| . ` |/ _ \ `--. \| | | | |    | |\/| |/ _` | '_ \ 
| |\  | (_) /\__/ /\ \/' / |____| |  | | (_| | |_) |
\_| \_/\___/\____/  \_/\_\_____/\_|  |_/\__,_| .__/
====================================================
NoSQLMap-v0.5
[email protected]


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 1



Options
1-Set target host/IP (Current: Not Set)
2-Set web app port (Current: 80)
3-Set App Path (Current: Not Set)
4-Toggle HTTPS (Current: OFF)
5-Set MongoDB Port (Current : 27017)
6-Set HTTP Request Method (GET/POST) (Current: GET)
7-Set my local MongoDB/Shell IP (Current: Not Set)
8-Set shell listener port (Current: Not Set)
9-Toggle Verbose Mode: (Current: OFF)
0-Load options file
a-Load options from saved Burp request
b-Save options file
x-Back to main menu
Select an option: 0
Enter file name to load: test



Options
1-Set target host/IP (Current: xx.xx.xx.xxx)
2-Set web app port (Current: 443)
3-Set App Path (Current: /cgi-bin/mongo/2.2.3/dbparse.py)
4-Toggle HTTPS (Current: ON)
5-Set MongoDB Port (Current : 27017)
6-Set HTTP Request Method (GET/POST) (Current: GET)
7-Set my local MongoDB/Shell IP (Current: Not Set)
8-Set shell listener port (Current: Not Set)
9-Toggle Verbose Mode: (Current: ON)
0-Load options file
a-Load options from saved Burp request
b-Save options file
x-Back to main menu
Select an option: x
====================================================
 _   _       _____  _____ _     ___  ___            
| \ | |     /  ___||  _  | |    |  \/  |            
|  \| | ___ \ `--. | | | | |    | .  . | __ _ _ __  
| . ` |/ _ \ `--. \| | | | |    | |\/| |/ _` | '_ \ 
| |\  | (_) /\__/ /\ \/' / |____| |  | | (_| | |_) |
\_| \_/\___/\____/  \_/\_\_____/\_|  |_/\__,_| .__/
====================================================
NoSQLMap-v0.5
[email protected]


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 3
Web App Attacks (GET)
===============
Checking to see if site at xx.xx.xx.xxx:443/cgi-bin/mongo/2.2.3/dbparse.py is up...
Looks like the server didn't respond.  Check your options.
Press enter to continue...


====================================================
 _   _       _____  _____ _     ___  ___            
| \ | |     /  ___||  _  | |    |  \/  |            
|  \| | ___ \ `--. | | | | |    | .  . | __ _ _ __  
| . ` |/ _ \ `--. \| | | | |    | |\/| |/ _` | '_ \ 
| |\  | (_) /\__/ /\ \/' / |____| |  | | (_| | |_) |
\_| \_/\___/\____/  \_/\_\_____/\_|  |_/\__,_| .__/
====================================================
NoSQLMap-v0.5
[email protected]


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: x
root@kali:~/NoSQLMap-0.5#
root@kali:~/NoSQLMap-0.5#
root@kali:~/NoSQLMap-0.5#
root@kali:~/NoSQLMap-0.5# curl -I -k https://xx.xx.xx.xxx/cgi-bin/mongo/2.2.3/dbparse.py
HTTP/1.1 200 OK
Date: Mon, 11 Jan 2016 06:17:12 GMT
Server: Apache/xx.xx.xx (xx)
Vary: Accept-Encoding
Content-Type: text/html

root@kali:~/NoSQLMap-0.5#

Counter-intuitive way to send headers

It looks like the way to send a header for e.g. a session ID, is by setting option 6 to specify GET or POST. This is counter-intuitive if you're just sending a bunch of GETs and leaving the default. I'd recommend either something in the docs or making headers a separate option.

ValueError: invalid literal for int() with base 10 / hostname with 4 parts seems to be interpreted as IPv4 address

 _  _     ___  ___  _    __  __           
| \| |___/ __|/ _ \| |  |  \/  |__ _ _ __ 
| .` / _ \__ \ (_) | |__| |\/| / _` | '_ \
|_|\_\___/___/\__\_\____|_|  |_\__,_| .__/
 v0.7 [email protected]        |_|   


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 1



Options
1-Set target host/IP (Current: Not Set)
2-Set web app port (Current: 80)
3-Set App Path (Current: Not Set)
4-Toggle HTTPS (Current: OFF)
5-Set MongoDB Port (Current : 27017)
6-Set HTTP Request Method (GET/POST) (Current: GET)
7-Set my local MongoDB/Shell IP (Current: Not Set)
8-Set shell listener port (Current: Not Set)
9-Toggle Verbose Mode: (Current: OFF)
0-Load options file
a-Load options from saved Burp request
b-Save options file
h-Set headers
x-Back to main menu
Select an option: 1
Enter the host IP/DNS name: <REDACTED>

Traceback (most recent call last):
  File "nosqlmap.py", line 544, in <module>
    main(args)
  File "nosqlmap.py", line 47, in main
    mainMenu()
  File "nosqlmap.py", line 81, in mainMenu
    options()
  File "nosqlmap.py", line 279, in options
    if int(item) < 0 or int(item) > 255:
ValueError: invalid literal for int() with base 10: '<subdomain_of_redacted_hostname>'

Happens both on Debian 10 and with a docker image (via docker build).

The supplied hostname resolves fine but probably has not one A record but a CNAME record which has two A name records.
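
A sketch of host input handling that avoids the crash above by letting `ipaddress` decide what is an IP literal before any per-octet `int()` check, so a four-label DNS name is never parsed as a dotted quad. This is an added Python 3 example, not NoSQLMap's code; `classify_host` is a hypothetical helper and the sample hosts are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_host(value):
    """Return ("ipv4" | "ipv6" | "hostname", normalized) or raise ValueError."""
    host = value.strip().rstrip(".")  # tolerate a trailing root dot
    if not host:
        raise ValueError("empty host")

    # 1. IP literals are recognised by the standard library, not by
    #    counting dots and calling int() on each part.
    try:
        ip = ipaddress.ip_address(host)
        return ("ipv%d" % ip.version, str(ip))
    except ValueError:
        pass

    labels = host.split(".")

    # 2. All-numeric labels that failed step 1 are a mistyped IPv4 address,
    #    not a DNS name (e.g. 10.0.0.256).
    if all(label.isdigit() for label in labels):
        raise ValueError("looks like an IPv4 address but is not valid: %r" % host)

    # 3. Anything else must be a syntactically valid hostname,
    #    however many labels it has.
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid hostname: %r" % host)
    return ("hostname", host.lower())


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("192.0.2.10", "api.v2.example.org", "2001:db8::1", "10.0.0.256"):
        try:
            print(sample, "->", classify_host(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```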

urlopen error [Errno -2] Name or service not known

What's the problem (or question)?

After specifying all the options and finally selecting option 3 I got
1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option: 3
Web App Attacks (POST)

Checking to see if site at http://XXXXXXXXXXXXXXX:PORT/login is up...
<urlopen error [Errno -2] Name or service not known>
Looks like the server didn't respond. Check your options.
Press enter to continue...

Where address http://XXXXXXXXXXXXXXX:PORT/login is 100% accessible.

Do you have an idea for a solution?

https://stackoverflow.com/questions/21356781/urrlib2-urlopen-name-or-service-not-known-persists-when-starting-script-witho

Platform: kali linux.

Migrate to python 3

This is a copy of the issue #97. That ticket was closed because of no issue activity. I could not reopen it.

Hello there!
Thank you for working on this project! Python 2 reached end of life at the end of 2019. So NoSQLMap should really migrate to python 3.

Best regards, ellcs

URL down

The URL nosqlmap.net is redirecting to a China stream TV service

Today I tried to reach the website of the project with the URL that appears in the description, and now the URL takes me to a "stream service" in China.

How can we reproduce the issue?

Just go to the project's URL http://www.nosqlmap.net/

Did you guys forget to update the domain name?
Are you going to buy another domain for this project?

Something went wrong

Web app attacks never work.

1-Set options (do this first)
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Exit
Select an option:3
Checking to see if site at domain.com:80/search/path?f=loremipsum&q=keyword&searchchoice=loremipsum is up...
App is up! Got response length of 62320 and response time of 0.22 seconds.  Starting injection test.

Baseline test-Enter random string size: 3
What format should the random string take?
1-Alphanumeric
2-Letters only
3-Numbers only
4-Email address
Select an option: 2
Using pcd for injection testing.

List of parameters:
1-f
2-q
3-searchchoice
Which parameter should we inject? f
Something went wrong.  Press enter to return to the main menu...

URL Path as Insertion Points

There is no way to specify parts of the URL path itself for testing. For example:

https://www.site.com/users/frankie/edit
                              ^ injectable

In SQLMap for example this is possible by adding a * to the path to specify a custom insertion point.

HTTP 400 Bad Request *Parameter Value Should be encoded

What's the problem (or question)?

The parameter value payload is not properly encoded, which makes urllib get a 400 Bad Request.

Do you have an idea for a solution?

Using urllib.quote(string) to encode the parameter value in function
file nsmweb.py -> def buildUri(origUri, randValue):
https://stackoverflow.com/questions/8840303/urllib2-http-error-400-bad-request

How can we reproduce the issue?

  1. python nosqlmap.py
  2. set options (1)
  3. set target (1) => "prison-commissary.mysterious-hashes.net"
  4. set App Path (3) => "/panda.php?id=1"
  5. toggle verbose mode (9)
  6. back to main menu (x)
  7. NoSQL Web Attack (3)
  8. random string size enter (1)
  9. choose (3) Numbers only
  10. choose (1) which is id
