hacktricks/pentesting/27017-27018-mongodb.md

88 lines
2.3 KiB
Markdown
Raw Normal View History

# 27017,27018 - Pentesting MongoDB
## Basic Information
MongoDB is an [open source](https://whatis.techtarget.com/definition/open-source) database management system \(DBMS\) that uses a document-oriented database model which supports various forms of data. \(From [here](https://searchdatamanagement.techtarget.com/definition/MongoDB)\)
**Default port:** 27017, 27018
```text
PORT STATE SERVICE VERSION
27017/tcp open mongodb MongoDB 2.6.9 2.6.9
```
## Enumeration
### Manual
```python
from pymongo import MongoClient
client = MongoClient(host, port, username=username, password=password)
client.server_info() #Basic info
#If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
cursor = client.list_databases()
for db in cursor:
print(db)
print(client[db["name"]].list_collection_names())
#If admin access, you could dump the database also
```
**Some MongoDB commnads:**
```bash
show dbs
use <db>
show collections
db.<collection>.find() #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"}) #Find in current db the username admin
```
### Automatic
```bash
nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used
```
### Shodan
* All mongodb: `"mongodb server information"`
* Search for full open mongodb servers: `"mongodb server information" -"partially enabled"`
* Only partially enable auth: `"mongodb server information" "partially enabled"`
## Login
By default mongo does not require password.
**Admin** is a common mongo database.
```bash
mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'
```
The nmap script: _**mongodb-brute**_ will check if creds are needed.
```bash
nmap -n -sV --script mongodb-brute -p 27017 <ip>
```
### [**Brute force**](../brute-force.md#mongo)\*\*\*\*
Look inside _/opt/bitnami/mongodb/mongodb.conf_ to know if credentials are needed:
```bash
grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed
```
## Post
If you are root you can **modify** the **mongodb.conf** file so no credentials are needed \(_noauth = true_\) and **login without credentials**.