Comments (13)

tcstool commented on May 12, 2024

Is that in 0.7? It most likely is a bug. Let me check it out tonight.
On Jun 30, 2016 4:16 PM, "chopteeth" [email protected] wrote:

Hi there, I received the following error when trying to attack a web
application with a POST request. Could you please let me know if this is a
bug or if I did something wrong? I couldn't find much info about the POST
based attacks specifically so I might have done it incorrectly.

Injecting {'CompanyName[$gt]': '', 'CompanyName': "a'; return db.a.find();
var dummy='!"}
Response varied 17660 bytes from random parameter value! Injection works!
Traceback (most recent call last):
  File "nosqlmap.py", line 462, in <module>
    main()
  File "nosqlmap.py", line 51, in main
    mainMenu()
  File "nosqlmap.py", line 112, in mainMenu
    nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)
  File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 520, in postApps
    checkResult(randLength,injLen,testNum,verb)
  File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 780, in checkResult
    vulnAddrs.append(str(postData))
NameError: global name 'postData' is not defined



from nosqlmap.

sekirkity avatar sekirkity commented on May 12, 2024

It is in 0.7, thanks for the quick response! Please let me know if you need any further info.

sekirkity commented on May 12, 2024

I just realized that the web app is actually sending a python-based error message when I attempt the injection manually. This may be why I am having issues.

tcstool commented on May 12, 2024

That could be too, but it shouldn't blow up sending the postData variable.
I'm checking it out now.

On Thu, Jun 30, 2016 at 8:14 PM, chopteeth [email protected] wrote:

I just realized that the web app is actually sending a python-based error
message when I attempt the injection manually. This may be why I am having
issues.


sekirkity commented on May 12, 2024

One other thing I didn't mention is that I wasn't able to run NoSQLMap from the /usr/bin location, I had to run it from the folder I downloaded it from (you can see the path in the error). Not sure if that might be affecting things either. Thanks again for your help!

tcstool commented on May 12, 2024

No, you should be fine to run it from wherever. It's self-contained. I
just pushed you a fix into stable. See if that gets things working for you.

On Thu, Jun 30, 2016 at 8:26 PM, chopteeth [email protected] wrote:

One other thing I didn't mention is that I wasn't able to run NoSQLMap
from the /usr/bin location, I had to run it from the folder I downloaded it
from (you can see the path in the error). Not sure if that might be
affecting things either. Thanks again for your help!


sekirkity commented on May 12, 2024

I tried running nosqlmap and got this error:
Traceback (most recent call last):
  File "nosqlmap.py", line 21, in <module>
    import nsmweb
  File "/root/Downloads/NoSQLMap-stable_2/nsmweb.py", line 753
    def checkResult(baseSize,respSize,testNum,verb,postData):
SyntaxError: name 'postData' is local and global

tcstool commented on May 12, 2024

Sorry about that. Late night typo. Try it now.

On Thu, Jun 30, 2016 at 10:04 PM, chopteeth [email protected]
wrote:

I tried running nosqlmap and got this error:
Traceback (most recent call last):
  File "nosqlmap.py", line 21, in <module>
    import nsmweb
  File "/root/Downloads/NoSQLMap-stable_2/nsmweb.py", line 753
    def checkResult(baseSize,respSize,testNum,verb,postData):
SyntaxError: name 'postData' is local and global


sekirkity commented on May 12, 2024

It works! Thank you so much! There is one other slight bug, mostly cosmetic. Once it's done and I try to save the results, I get an error no matter what option I pick. Let me know if you'd like me to make a new issue or anything. Thanks again!

tcstool commented on May 12, 2024

Post up the error you are getting and I'll have a look over the weekend.
With the 0.7 release, I revamped a lot of the web app testing code and did
some basic QA of the injection techniques but didn't give it a thorough
look through.

On Fri, Jul 1, 2016 at 9:46 PM, chopteeth [email protected] wrote:

It works! Thank you so much! There is one other slight bug, mostly
cosmetic. Once it's done and I try to save the results, I get an error no
matter what option I pick. Let me know if you'd like me to make a new issue
or anything. Thanks again!


sekirkity commented on May 12, 2024

I sent you an email but thought I would try posting here also. I can see that your tool is able to make POST requests using the JSON format query, but I can't repeat the same steps myself. When I interact with the application normally (proxying through Burp Suite), it only accepts requests as x-www-form-urlencoded. When I try to manually change it to JSON, I get an exception thrown at me. Trying to inject using x-www-form isn't working, as I get an error every time I use a single quote. Any advice you could offer me would be greatly appreciated, and thanks again.

sekirkity commented on May 12, 2024

Never mind, I figured it out by forwarding nosqlmap through proxychains and Burp Suite. Still getting an error whenever I send a single quote but that's not NoSQLMap's fault. If you have any thoughts on why the single quote is killing this web app I'd love to hear it!

psechenov commented on May 12, 2024

I believe it still does not work.
Please replace
build_post_data(postDataIn)
with
postData = build_post_data(postDataIn)

from nosqlmap.
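
The three states this thread passes through (the NameError, the SyntaxError at import, and the working form with the return value bound), reproduced as an added Python 3 example that is not part of any comment above and is not NoSQLMap's code. The comma-separated input to `build_post_data`, the `global postData` line in the first fix, and all helper names are assumptions; Python 3 words the SyntaxError as "parameter and global" where the Python 2 traceback says "local and global".

```python
def build_post_data(post_data_in):
    """Hypothetical stand-in, not NoSQLMap's parser: 'k1,v1' -> {'k1': 'v1'}."""
    parts = post_data_in.split(",")
    return dict(zip(parts[0::2], parts[1::2]))

vulnAddrs = []

def check_result_global():
    # State 1: reads a module-level name the caller was supposed to bind.
    vulnAddrs.append(str(postData))

def post_apps_buggy(post_data_in):
    build_post_data(post_data_in)  # return value dropped; postData never bound
    check_result_global()          # NameError is raised inside this call

# State 2 (assumed shape of the first fix): the name is both a parameter and
# declared global. Kept as a string because it is rejected at compile time.
FIRST_FIX_SRC = (
    "def checkResult(baseSize, respSize, testNum, verb, postData):\n"
    "    global postData\n"
    "    vulnAddrs.append(str(postData))\n"
)

def compile_error(src):
    """Return the SyntaxError message for src, or None if it compiles."""
    try:
        compile(src, "<nsmweb-sketch>", "exec")
    except SyntaxError as exc:
        return exc.msg
    return None

def check_result(post_data, found):
    # State 3: the value arrives only as an argument; no global involved.
    found.append(str(post_data))

def post_apps_fixed(post_data_in):
    post_data = build_post_data(post_data_in)  # bind the return value
    found = []
    check_result(post_data, found)
    return found

def error_name(fn, *args):
    """Run fn and return the raised exception's class name, or None."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return None

if __name__ == "__main__":
    print(error_name(post_apps_buggy, "CompanyName,a"), compile_error(FIRST_FIX_SRC))
```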
