# 27017,27018 - Pentesting MongoDB
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking.
**Real-Time Hack News**\
Keep up to date with the fast-paced hacking world through real-time news and insights.
**Latest Announcements**\
Stay informed about newly launched bug bounties and crucial platform updates.
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
## Basic Information
**MongoDB** is an **open source** database management system that uses a **document-oriented database model** to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data, and is used in applications such as big data analytics and content management. **Default ports:** 27017, 27018
```
PORT STATE SERVICE VERSION
27017/tcp open mongodb MongoDB 2.6.9 2.6.9
```
## Enumeration
### Manual
```python
from pymongo import MongoClient

# Placeholders: fill in the target and, if you have them, the credentials.
# Leaving username/password as None opens an unauthenticated connection.
host, port = "127.0.0.1", 27017
username, password = None, None

client = MongoClient(host, port, username=username, password=password)
print(client.server_info())  # Basic info: server version and build details
# If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
cursor = client.list_databases()
for db in cursor:
    print(db)
    print(client[db["name"]].list_collection_names())
# If admin access, you could dump the database also
```
**Some MongoDB commands:**
```bash
show dbs
use <db>
show collections
db.<collection>.find()  # Dump the collection
db.<collection>.count() # Number of records in the collection
db.current.find({"username":"admin"}) # Find the username admin in the current db
```
### Automatic
```bash
nmap -sV --script "mongo* and default" -p 27017 <IP> # By default all the nmap mongo enumeration scripts are used
```
### Shodan
* All mongodb: `"mongodb server information"`
* Search for fully open mongodb servers: `"mongodb server information" -"partially enabled"`
* Only partially enabled authentication: `"mongodb server information" "partially enabled"`
## Login
By default mongo does not require a password.\
**Admin** is a common mongo database.
```bash
mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo -u <username> -p '<password>'
```
The nmap script _**mongodb-brute**_ checks whether credentials are needed.
```bash
nmap -n -sV --script mongodb-brute -p 27017 <IP>
```
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mongo)
_Look inside /opt/bitnami/mongodb/mongodb.conf_ to check whether credentials are needed:
```bash
grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#"          # Matches when auth is disabled: credentials not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth"   # Matches when auth is enabled: credentials needed
```
## Mongo Objectid Predict
Example [from here](https://techkranti.com/idor-through-mongodb-object-ids-prediction/).
Mongo Object IDs are **12-byte hexadecimal** strings:
![http://techidiocy.com/\_id-objectid-in-mongodb/](../.gitbook/assets/id-and-ObjectIds-in-MongoDB.png)
For example, dissecting an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019
1. 5f2459ac: 1596217772 (decimal) = Friday, 31 July 2020 17:49:32
2. 9fa6dc: Machine identifier
3. 2500: Process ID
4. 314019: Incrementing counter
Of the elements above, the machine identifier stays the same for as long as the database runs on the same physical/virtual machine. The process ID changes only when the MongoDB process is restarted. The timestamp is updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values is the fact that MongoDB generates Object IDs and assigns them at the system level.
The tool [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict), given a start Object ID (you can create an account and get a start ID), returns about 1000 Object IDs that could plausibly have been assigned to the next objects, so you just need to brute-force them.
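To make the four-field layout above concrete, here is an added decoder (not code from the page or from the mongo-objectid-predict tool) that splits an ObjectId into timestamp, machine id, pid and counter, recovers the UTC creation time, and tells whether two IDs were minted by the same mongod process; the sample ID is the one dissected in the text.

```python
import datetime as dt
from typing import NamedTuple


class ObjectIdParts(NamedTuple):
    timestamp: int   # bytes 0-3: seconds since the Unix epoch
    machine: str     # bytes 4-6: machine identifier, as hex
    pid: int         # bytes 7-8: process id
    counter: int     # bytes 9-11: incrementing counter


def parse_objectid(oid: str) -> ObjectIdParts:
    """Split a 24-hex-char (12-byte) ObjectId into its four fields.

    Note: newer drivers fill bytes 4-8 with a per-process random value
    instead of machine id + pid, but the byte layout is unchanged, so the
    timestamp and counter fields decode the same way.
    """
    if len(oid) != 24 or any(c not in "0123456789abcdefABCDEF" for c in oid):
        raise ValueError(f"not a 12-byte hex ObjectId: {oid!r}")
    raw = bytes.fromhex(oid)
    return ObjectIdParts(
        timestamp=int.from_bytes(raw[0:4], "big"),
        machine=raw[4:7].hex(),
        pid=int.from_bytes(raw[7:9], "big"),
        counter=int.from_bytes(raw[9:12], "big"),
    )


def generation_time(oid: str) -> dt.datetime:
    """UTC creation time embedded in the ObjectId's first four bytes."""
    return dt.datetime.fromtimestamp(parse_objectid(oid).timestamp, dt.timezone.utc)


def same_generator(a: str, b: str) -> bool:
    """True when both IDs share machine id and pid, i.e. came from the same process.

    This is exactly why ObjectIds leak structure: two IDs from one process
    differ only in timestamp and counter, so they must never act as secrets.
    """
    pa, pb = parse_objectid(a), parse_objectid(b)
    return pa.machine == pb.machine and pa.pid == pb.pid


if __name__ == "__main__":
    sample = "5f2459ac9fa6dc2500314019"  # the ID dissected in the text above
    print(parse_objectid(sample))
    print(generation_time(sample).isoformat())
```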
## Post
If you are root you can **modify** the **mongodb.conf** file so that credentials are not needed (_noauth = true_) and **log in without credentials**.