hacktricks/pentesting/27017-27018-mongodb.md

27017,27018 - Pentesting MongoDB

Basic Information

MongoDB is an open source database management system (DBMS) that uses a document-oriented database model which supports various forms of data. From [here](https://searchdatamanagement.techtarget.com/definition/MongoDB)

Default port: 27017, 27018

PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9

Enumeration

Manual

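from pymongo import MongoClient

# Placeholders: fill in the connection details of the server being tested
host, port = "<HOST>", 27017
username, password = "<username>", "<password>"

client = MongoClient(host, port, username=username, password=password)
print(client.server_info())  # Basic info (version, build details)

# If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")

# List every database and the collections it contains
for db in client.list_databases():
    print(db)
    print(client[db["name"]].list_collection_names())
# If admin access, you could dump the database also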

Some MongoDB commands:

show dbs
use <db>
show collections
db.<collection>.find()  #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"})  #Find documents with username admin in the collection named "current"

Automatic

nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used

Shodan

  • All mongodb: "mongodb server information"
  • Search for fully open mongodb servers: "mongodb server information" -"partially enabled"
  • Only partially enabled auth: "mongodb server information" "partially enabled"

Login

By default mongo does not require a password.
Admin is a common mongo database.

mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'

The nmap script mongodb-brute will check whether credentials are needed.

nmap -n -sV --script mongodb-brute -p 27017 <ip>

Brute force

Look inside /opt/bitnami/mongodb/mongodb.conf to know if credentials are needed:

grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Needed
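
As an added example (not part of the original page), the same config check as a Python function that skips commented-out settings, including indented and inline comments that grep -v "^#" lets through, and that goes beyond the page by also reading the YAML form (security: / authorization: enabled) used by current mongod config files. The function name and the sample configs are constructed for illustration.

```python
import re

def auth_required(conf_text):
    """Return True if the mongod config text enforces authentication.

    Handles the legacy key = value form (auth / noauth) and the YAML form
    (security: -> authorization: enabled). If a key repeats, the last
    occurrence is used (an assumption of this example).
    """
    required = False   # with no setting at all, mongod runs without access control
    section = None     # current top-level YAML section, e.g. "security"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop full-line and inline comments
        if not line.strip():
            continue
        legacy = re.fullmatch(r"\s*(no)?auth\s*=\s*true", line, re.IGNORECASE)
        if legacy:
            required = legacy.group(1) is None  # auth=true -> True, noauth=true -> False
            continue
        if not line[0].isspace():               # unindented line: a top-level key
            section = line[:-1].strip() if line.endswith(":") else None
            continue
        yaml_opt = re.fullmatch(r"\s+authorization\s*:\s*[\"']?(\w+)[\"']?", line)
        if yaml_opt and section == "security":
            required = yaml_opt.group(1).lower() == "enabled"
    return required

# Constructed sample configs (not taken from a real host)
LEGACY_OPEN = "port = 27017\n#auth = true\nnoauth = true\n"
LEGACY_AUTH = "  # noauth = true\nauth = true   # enforce logins\n"
YAML_AUTH = "net:\n  port: 27017\nsecurity:\n  authorization: enabled\n"
YAML_COMMENTED = "security:\n  #authorization: enabled\n  javascriptEnabled: false\n"

if __name__ == "__main__":
    for name in ("LEGACY_OPEN", "LEGACY_AUTH", "YAML_AUTH", "YAML_COMMENTED"):
        state = "needed" if auth_required(globals()[name]) else "NOT needed"
        print(f"{name}: credentials {state}")
```
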

Post

If you are root you can modify the mongodb.conf file so that no credentials are needed (noauth = true) and log in without credentials.