MongoDB Pentesting
Last modified: 2022-12-22
MongoDB is a NoSQL database program. Default ports are 27017, 27018.
Enumeration
nmap --script mongodb-info -p 27017 <target-ip>
nmap --script mongodb-databases -p 27017 <target-ip>
- Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> mongodb
hydra -L usernames.txt -p password <target-ip> mongodb
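Detection side of the two runs above, as an added example that is not part of the original page: it counts failed logins per client inside a sliding window and reports whether one account or several were tried. The log lines are constructed, and the field names (`c`, `msg`, `attr.principalName`, `attr.remote`) are assumptions modelled on mongod's JSON log output.

```javascript
// Constructed sample input, not real server output. Field names (c, msg,
// attr.principalName, attr.remote) are assumptions modelled on mongod's
// JSON log lines; adjust them to what your server version emits.
const mk = (sec, msg, user, remote) => JSON.stringify({
  t: { $date: `2022-12-22T10:00:${String(sec).padStart(2, "0")}.000Z` },
  s: "I", c: "ACCESS", msg, attr: { principalName: user, remote },
});
const FAIL = "Authentication failed";
const SAMPLE_LOG = [
  ...[1, 2, 3, 4].map((s) => mk(s, FAIL, "admin", "203.0.113.7:50112")),
  mk(10, FAIL, "alice", "198.51.100.9:40001"),
  mk(11, FAIL, "bob", "198.51.100.9:40002"),
  mk(12, FAIL, "carol", "198.51.100.9:40003"),
  mk(20, FAIL, "app", "192.0.2.10:33000"), // single typo, stays below threshold
  mk(21, "Successfully authenticated", "app", "192.0.2.10:33001"),
  "plain-text line that is not JSON",
].join("\n");

// Flag clients with >= threshold failed logins inside a sliding time window.
function detectBruteForce(logText, threshold = 3, windowMs = 60_000) {
  const byClient = new Map(); // client IP -> [{ time, user }]
  for (const line of logText.split("\n")) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    if (!e || e.c !== "ACCESS" || e.msg !== FAIL) continue;
    const attr = e.attr || {};
    const time = Date.parse(e.t && e.t.$date);
    if (Number.isNaN(time)) continue;
    const ip = String(attr.remote || "unknown").replace(/:\d+$/, ""); // drop port
    if (!byClient.has(ip)) byClient.set(ip, []);
    byClient.get(ip).push({ time, user: attr.principalName || "?" });
  }
  const alerts = [];
  for (const [ip, list] of byClient) {
    list.sort((a, b) => a.time - b.time);
    let start = 0, best = [];
    for (let end = 0; end < list.length; end++) {
      while (list[end].time - list[start].time > windowMs) start++;
      if (end - start + 1 > best.length) best = list.slice(start, end + 1);
    }
    if (best.length < threshold) continue;
    // One account = fixed user, password list; several = user list, fixed password.
    const users = new Set(best.map((x) => x.user));
    const pattern = users.size === 1 ? "password-guessing" : "username-spraying";
    alerts.push({ ip, failures: best.length, users: [...users], pattern });
  }
  return alerts;
}
console.log(detectBruteForce(SAMPLE_LOG));
```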
Connect
- Local
mongo
mongo --port 27017
- Remote
mongo --host <target-ip> --port 27017 -u username -p password
mongo "mongodb://<target-ip>:27017"
mongo "mongodb://username:password@<target-ip>:27017/?authSource=admin"
Basic Commands
- Commonly Used
# All databases
> show dbs
# Current database
> db
# Switch database if it exists, or create a new one if it does not
> use db_name
# Collections
> show collections
# Run JavaScript file
> load("example.js")
# List users in the current database
> show users
> db.admin.find()
# Create new collection in current database
> db.createCollection("users")
- CRUD
# Create
> db.<collection_name>.insert({id: "1", username: "admin"})
# Read
> db.<collection_name>.find()
> db.<collection_name>.findOne({"username":"michael"})
# Update
> db.<collection_name>.update({id: "1"}, {$set: {username: "king"}})
# Delete
> db.<collection_name>.remove({"name": "Micael"})
# Delete all documents
> db.<collection_name>.remove({})
- Operators
# $eq: equal
# ex. username is "admin"
db.<collection_name>.findOne({username: {"$eq": "admin"}})
# $ne: not equal
# ex. password is not "xyz"
# (both conditions go in the first argument; a second argument to findOne is a projection, not a filter)
db.<collection_name>.findOne({id: "1", password: {"$ne": "xyz"}})
# $gt: greater than
# ex. id is greater than 2
db.<collection_name>.findOne({id: {"$gt": "2"}})
# $where:
# $exists:
# $regex: