Comments (13)
Is that in 0.7? It most likely is a bug. Let me check it out tonight.
On Jun 30, 2016 4:16 PM, "chopteeth" [email protected] wrote:
Hi there, I received the following error when trying to attack a web
application with a POST request. Could you please let me know if this is a
bug or if I did something wrong? I couldn't find much info about the POST
based attacks specifically so I might have done it incorrectly.
Injecting {'CompanyName[$gt]': '', 'CompanyName': "a'; return db.a.find(); var dummy='!"}
Response varied 17660 bytes from random parameter value! Injection works!
Traceback (most recent call last):
File "nosqlmap.py", line 462, in
main()
File "nosqlmap.py", line 51, in main
mainMenu()
File "nosqlmap.py", line 112, in mainMenu
nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)
File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 520, in postApps
checkResult(randLength,injLen,testNum,verb)
File "/root/Downloads/NoSQLMap-stable/nsmweb.py", line 780, in checkResult
vulnAddrs.append(str(postData))
NameError: global name 'postData' is not defined
from nosqlmap.
It is in 0.7, thanks for the quick response! Please let me know if you need any further info.
from nosqlmap.
I just realized that the web app is actually sending a python-based error message when I attempt the injection manually. This may be why I am having issues.
from nosqlmap.
That could be too, but it shouldn't blow up sending the postData variable.
I'm checking it out now.
from nosqlmap.
One other thing I didn't mention is that I wasn't able to run NoSQLMap from the /usr/bin location, I had to run it from the folder I downloaded it from (you can see the path in the error). Not sure if that might be affecting things either. Thanks again for your help!
from nosqlmap.
No, you should be fine to run it from wherever. It's self-contained. I
just pushed you a fix into stable. See if that gets things working for you.
from nosqlmap.
I tried running nosqlmap and got this error:
Traceback (most recent call last):
  File "nosqlmap.py", line 21, in <module>
    import nsmweb
  File "/root/Downloads/NoSQLMap-stable_2/nsmweb.py", line 753
    def checkResult(baseSize,respSize,testNum,verb,postData):
SyntaxError: name 'postData' is local and global
from nosqlmap.
Sorry about that. Late night typo. Try it now.
from nosqlmap.
It works! Thank you so much! There is one other slight bug, mostly cosmetic. Once it's done and I try to save the results, I get an error no matter what option I pick. Let me know if you'd like me to make a new issue or anything. Thanks again!
from nosqlmap.
Post up the error you are getting and I'll have a look over the weekend.
With the 0.7 release, I revamped a lot of the web app testing code and did
some basic QA of the injection techniques but didn't give it a thorough
look through.
from nosqlmap.
I sent you an email but thought I would try posting here also. I can see that your tool is able to make POST requests using the JSON format query, but I can't repeat the same steps myself. When I interact with the application normally (proxying through burp suite), it only accepts requests as x-www-form-urlencoded. When I try to manually change it to json, I get an exception thrown at me. Trying to inject using x-www-form isn't working, as I get an error every time I use a single quote. Any advice you could offer me would be greatly appreciated, and thanks again.
from nosqlmap.
Never mind, I figured it out by forwarding nosqlmap through proxychains and burp suite. Still getting an error whenever I send a single quote but that's not NoSQLMap's fault. If you have any thoughts on why the single quote is killing this web app I'd love to hear it!
from nosqlmap.
I believe it still does not work.
Please replace
build_post_data(postDataIn)
with
postData = build_post_data(postDataIn)
from nosqlmap.
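The two tracebacks and the last suggested change in this thread all come down to Python name scoping. The following is an added sketch, not NoSQLMap's code: the names `checkResult`, `postData`, `vulnAddrs` and `build_post_data` echo the thread, while the function bodies, `post_apps`, `check_result` and the sample input are constructed assumptions. It runs on Python 3, whose error wording differs slightly from the Python 2 messages quoted above.

```python
# Constructed sketch: names echo the thread's tracebacks, bodies are assumptions.

# Shape of the first failure: the helper reads a module-level name nobody bound.
BROKEN_GLOBAL = '''
vulnAddrs = []
def checkResult(verb):
    vulnAddrs.append(str(postData))
'''

# Shape of the second failure: the same name is both a parameter and a global.
PARAM_AND_GLOBAL = '''
def checkResult(verb, postData):
    global postData
'''

def run_broken():
    """Call the helper that relies on the missing global; report the error."""
    ns = {}
    exec(BROKEN_GLOBAL, ns)            # defining the function succeeds
    try:
        ns["checkResult"]("POST")      # the failure only appears at call time
    except NameError as exc:
        return type(exc).__name__, str(exc)
    return None, ""

def compile_param_and_global():
    """This variant never runs at all: the compiler rejects it on import."""
    try:
        compile(PARAM_AND_GLOBAL, "<nsmweb-sketch>", "exec")
    except SyntaxError as exc:
        return exc.msg
    return ""

def build_post_data(raw):
    """Hypothetical stand-in: parse 'k=v&k2=v2' into a dict."""
    return dict(pair.split("=", 1) for pair in raw.split("&") if "=" in pair)

def check_result(verb, post_data, vuln_addrs):
    """Fixed shape: everything the helper needs arrives as an argument."""
    if verb == "POST":
        vuln_addrs.append(str(post_data))
    return vuln_addrs

def post_apps(raw):
    # Keep the return value (the change asked for in the last comment);
    # calling build_post_data(raw) alone would discard the parsed dict.
    post_data = build_post_data(raw)
    return check_result("POST", post_data, [])
```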