Skip to content
/ F14 Public

F-14 Tomcat: An advanced, high-speed NoSQL injection framework. Features WAF evasion (JA3/TLS impersonation), binary search extraction, and auto-authentication.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

G0odKid/F14

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
core
core
 
 
modules
modules
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
tomcat.py
tomcat.py
 
 
user-agents.txt
user-agents.txt
 
 

Repository files navigation

F-14 TOMCAT

Dev License Python Status Version

Advanced NoSQL Injection Framework

F-14 Tomcat is a modern, modular, and fast tool designed for exploiting NoSQL injection vulnerabilities. While currently focused on MongoDB, it provides advanced techniques to bypass WAFs and extract data efficiently using binary search algorithms.

Features

  • Advanced Extraction: Uses Binary Search algorithm for high-speed data extraction (Blind Injection).

  • WAF Evasion: Supports JA3/TLS Fingerprint impersonation (Chrome/Firefox/Safari) to bypass modern WAFs like Cloudflare.

  • Smart Stability: Auto-calibration for network jitter and dynamic content filtering to prevent false positives.

  • Auto-Authentication: Automatically detects session expiration (401/403) and re-authenticates to maintain the session.

  • Multi-Technique:

    • Auth Bypass (Technique A)

    • Blind Injection (Technique B)

    • JS Injection (Technique J)

  • Flexible Input: Supports JSON, Form-Data, and GET parameters.

  • Payload Tuning: Customizable prefix/suffix injection for complex syntax requirements.

Installation

** 1.Clone the repository**

git clone https://github.com/G0odkid/F14
cd F14

** 2.Install dependencies**

pip install -r requirements.txt

(Note: Ensure you have python 3.x installed.)

Usage Examples

  1. Basic Scan (Auth Bypass Check) Check if the login page is vulnerable to basic NoSQL injection:
python3 tomcat.py -u [http://target.com/login](http://target.com/login) -d '{"username": "admin", "password": "123"}' --technique A
  1. Data Extraction (Blind Injection) Extract the administrator's password using binary search:
python3 tomcat.py -u [http://target.com/login](http://target.com/login) -d '{"username": "admin", "password": "*"}' --technique B --param "password"
  1. WAF Bypass Mode Impersonate a Chrome browser to bypass WAF protections:
python3 tomcat.py -r request.txt --impersonate chrome120 --technique B
  1. High Stability Mode Set custom timeouts and retries for unstable networks:
python3 tomcat.py -u [http://target.com/api](http://target.com/api) -d '{"id": 1}' --timeout 15 --retries 5

Roadmap (Upcoming Features)

  • Support for other NoSQL databases (Redis, CouchDB, Cassandra).

  • Out-of-Band (OOB) extraction via DNS/HTTP.

  • HTML/JSON Report generation.

  • Header Injection support.

Reporting Bugs & Issues

Have a question, found a bug, or want to suggest a new feature?
Please open an issue in the Issues tab — contributions and feedback are always welcome

About

F-14 Tomcat: An advanced, high-speed NoSQL injection framework. Features WAF evasion (JA3/TLS impersonation), binary search extraction, and auto-authentication.

Topics

automation mongodb python3 infosec bugbounty hacking-tool nosql-injection red-teaming security-tool tls-fingerprint waf-bypass blind-injection curl-cffi waf-evasion

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages