-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NoSQLi hangs on boolean based scan on POST request #10
Comments
Could you try running nosqli through a proxy? It would help to see the request that is hanging, or if it seems to go into some kind of loop for some reason. |
Unfortunately, I cant. Mentioned issue is fixed by dev - cant test it now. If something similar happens i'll try with proxy and write needed info here. |
I had similar scenario again and i tried using local proxy. But when i try to use nosqli with proxy I cant make it work. I've tried different scenarios:
Not sure what do i need to do to make it work... help appreciated |
Thank you for looking into it more carefully! The program uses HTTP proxies, so it's looking for a URL (this is probably something I can make less error prone based on your usage here). Here's what I do when using burp:
|
Thank you for your help! Problem was in protocol - |
@Charlie-belmer Issue reproduced: This time i leaved nosqli to work over weekend and when i came back i got error in console:
When checking sent requests we can see that last request sent by nosqli was not properly finished: I've send the same request today and response was received correctly. |
I've tried nosqli on several different routes where i found injection manually to get familiar with the tool.
I have a target with vulnerable params in request body. When i start nosqli against it - it hangs on boolean based scan .
I've tried using a file (request copied from Burp) and also run command with url and body params: result is same for both cases, so there should be no syntax problems .
Unfortunately, i cant share info about vulnerable app so you can try debug on your side but maybe u can help me with debugging: is there some kind of verbose mode so i can check details?
Also to add - I don't have the same problem on the same target for few other requests where noSQL injection exist - but for every of them GET method is used.
The text was updated successfully, but these errors were encountered: