Exploit Notes

MongoDB Pentesting

Last modified: 2022-12-22

Database

MongoDB is a NoSQL database program. Default ports are 27017, 27018.

Enumeration

nmap --script mongodb-info -p 27017 <target-ip>
nmap --script mongodb-databases -p 27017 <target-ip>
  • Brute Force Credentials

    hydra -l username -P passwords.txt <target-ip> mongodb
    hydra -L usernames.txt -p password <target-ip> mongodb
    
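The defender's counterpart to the password guessing above, as an added example that is not part of the original notes: a small parser that reads mongod's structured (JSON) log, keeps only "Authentication failed" entries from the ACCESS component, aggregates them per source host and flags hosts that cross a failure threshold. The sample log lines are constructed to mimic the shape of MongoDB 4.4+ structured logging (the `attr.remote`, `attr.principalName` and `attr.authenticationDatabase` fields); the exact field set should be confirmed against a real server's log before relying on it.

```javascript
// Added example (not from the original notes): brute-force detection over a
// constructed sample of MongoDB structured log lines. The JSON layout is an
// assumption modelled on 4.4+ logging and must be checked against real output.

// Constructed sample: five failures from one host (several different usernames),
// one failure from another host, one unrelated NETWORK entry and one junk line.
const sampleLog = [
  '{"t":{"$date":"2022-12-22T10:00:01.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"198.51.100.7:51000","result":"AuthenticationFailed"}}',
  '{"t":{"$date":"2022-12-22T10:00:02.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"root","authenticationDatabase":"admin","remote":"198.51.100.7:51001","result":"AuthenticationFailed"}}',
  '{"t":{"$date":"2022-12-22T10:00:02.500+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:40000","connectionCount":3}}',
  '{"t":{"$date":"2022-12-22T10:00:03.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"mongo","authenticationDatabase":"admin","remote":"198.51.100.7:51002","result":"AuthenticationFailed"}}',
  'this line is not JSON and must be skipped',
  '{"t":{"$date":"2022-12-22T10:00:04.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn15","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"198.51.100.7:51003","result":"AuthenticationFailed"}}',
  '{"t":{"$date":"2022-12-22T10:00:05.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn16","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"test","authenticationDatabase":"admin","remote":"198.51.100.7:51004","result":"AuthenticationFailed"}}',
  '{"t":{"$date":"2022-12-22T10:00:06.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn17","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app","authenticationDatabase":"appdb","remote":"10.0.0.5:40001","result":"AuthenticationFailed"}}',
];

// Turn raw log lines into normalised failure events; anything that is not a
// JSON ACCESS "Authentication failed" entry is ignored.
function parseAuthFailures(lines) {
  const events = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; }
    if (entry.c !== "ACCESS" || entry.msg !== "Authentication failed") continue;
    const attr = entry.attr || {};
    const remote = String(attr.remote || "");
    // Drop the ephemeral port so every connection from one host aggregates together
    // (lastIndexOf handles "[::1]:port" as well as "ip:port").
    const host = remote.includes(":") ? remote.slice(0, remote.lastIndexOf(":")) : remote;
    events.push({
      time: entry.t && entry.t.$date ? entry.t.$date : null,
      host,
      principal: attr.principalName || "",
      authDb: attr.authenticationDatabase || "",
    });
  }
  return events;
}

// Group failures by source host and return the hosts at or above `threshold`.
// The distinct principal list distinguishes a single mistyped password from a
// username spray against several accounts.
function detectBruteForce(lines, threshold = 5) {
  const byHost = new Map();
  for (const ev of parseAuthFailures(lines)) {
    const s = byHost.get(ev.host) ||
      { host: ev.host, failures: 0, principals: new Set(), first: ev.time, last: ev.time };
    s.failures += 1;
    s.principals.add(ev.principal);
    s.last = ev.time;
    byHost.set(ev.host, s);
  }
  return [...byHost.values()]
    .filter((s) => s.failures >= threshold)
    .map((s) => ({ ...s, principals: [...s.principals].sort() }));
}

// Stand-alone run over the constructed sample.
for (const alert of detectBruteForce(sampleLog, 5)) {
  console.log(`${alert.host}: ${alert.failures} failures, accounts tried: ${alert.principals.join(", ")}`);
}
```

The threshold and window are deliberately simple; in practice the same aggregation is fed from the log shipper and the count is taken over a sliding time window using the `first`/`last` timestamps the summary already carries.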

Connect

  1. Local

    mongo
    mongo --port 27017
    
  2. Remote

    mongo --host <target-ip> --port 27017 -u username -p password
    mongo "mongodb://<target-ip>:27017"
    mongo "mongodb://username:password@<target-ip>:27017/?authSource=admin"
    

Basic Commands

  1. Commonly Used

    # All databases
    > show dbs
    # Current database
    > db
    # Switch to a database, creating it if it does not exist
    > use db_name
    # Collections
    > show collections
    # Run javascript file
    > load("example.js")
    
    # List users in the current database
    > show users
    > db.getUsers()
    
    # Create new collection in current database
    > db.createCollection("users")
    
  2. CRUD

    # Create
    > db.<collection_name>.insert({id: "1", username: "admin"})
    # Read
    > db.<collection_name>.find()
    > db.<collection_name>.findOne({"username":"michael"})
    # Update
    > db.<collection_name>.update({id: "1"}, {$set: {username: "king"}})
    # Delete
    > db.<collection_name>.remove({"username": "michael"})
    # Delete all documents
    > db.<collection_name>.remove({})
    
  3. Operators

    # $eq: equal
    # ex. username is "admin"
    db.<collection_name>.findOne({username: {"$eq": "admin"}})
    
    # $ne: not equal
    # ex. password is not "xyz"
    db.<collection_name>.findOne({password: {"$ne": "xyz"}})
    
    # $gt: greater than
    # ex. id is greater than 2
    db.<collection_name>.findOne({id: {"$gt": "2"}})
    
    # $where: match documents with a JavaScript expression evaluated on the server
    
    # $exists: match documents in which the field is present (true) or absent (false)
    
    # $regex: match a string field against a regular expression
    
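The operators above have semantics that are easy to get wrong when reading query results, so here is an added example (not code from the original notes) that re-implements `$eq`, `$ne`, `$gt`, `$exists`, `$regex`/`$options` and `$where` as an in-memory matcher over a constructed collection. The documents, field names and the `find`/`findOne` helper names are all constructed for this illustration; the matcher mirrors MongoDB's behaviour for these operators but is not the server's implementation.

```javascript
// Added example (not from the original notes): an in-memory re-implementation of
// the query operators listed in the Operators section, runnable without a server.

// Constructed sample collection. Note that `id` is stored as a string, exactly as
// in the insert example above, and that `role` is absent from two documents.
const users = [
  { id: "1", username: "admin", password: "xyz", role: "admin" },
  { id: "2", username: "michael", password: "s3cret" },
  { id: "10", username: "king", password: null },
];

// Equality as MongoDB applies it: comparing against null also matches documents
// that lack the field entirely.
function eq(value, present, arg) {
  if (arg === null) return !present || value === null;
  return present && value === arg;
}

// Evaluate an operator object such as {$ne: "xyz"} against one field.
// `present` tells $exists (and the comparisons) whether the field is on the document.
function matchOperators(value, present, ops) {
  for (const [op, arg] of Object.entries(ops)) {
    switch (op) {
      case "$eq":
        if (!eq(value, present, arg)) return false;
        break;
      case "$ne":
        // Complement of $eq, so documents without the field also match.
        if (eq(value, present, arg)) return false;
        break;
      case "$gt":
        // MongoDB only orders values of the same type and compares strings
        // lexicographically: {id: {$gt: "2"}} does not match id "10".
        if (!present || typeof value !== typeof arg || !(value > arg)) return false;
        break;
      case "$exists":
        if (present !== Boolean(arg)) return false;
        break;
      case "$regex":
        if (!present || typeof value !== "string" ||
            !new RegExp(arg, ops.$options || "").test(value)) return false;
        break;
      case "$options":
        break; // consumed by $regex
      default:
        throw new Error("unsupported operator: " + op);
    }
  }
  return true;
}

// Evaluate a whole filter document, e.g. {username: {$regex: "^adm"}, password: {$ne: "xyz"}}.
function matches(doc, filter) {
  for (const [field, cond] of Object.entries(filter)) {
    if (field === "$where") {
      // $where runs JavaScript with `this` bound to the document. MongoDB evaluates
      // it server-side, which is why it is slow and can be disabled (mongod --noscripting).
      if (!cond.call(doc)) return false;
      continue;
    }
    const present = Object.prototype.hasOwnProperty.call(doc, field);
    const value = doc[field];
    const isOperatorObject = cond !== null && typeof cond === "object" &&
      Object.keys(cond).some((k) => k.startsWith("$"));
    if (isOperatorObject ? !matchOperators(value, present, cond) : !eq(value, present, cond)) {
      return false;
    }
  }
  return true;
}

function find(collection, filter) {
  return collection.filter((doc) => matches(doc, filter));
}

function findOne(collection, filter) {
  return find(collection, filter)[0] || null;
}

// Stand-alone run mirroring the shell examples above.
console.log(findOne(users, { username: { $eq: "admin" } }));          // the admin document
console.log(find(users, { password: { $ne: "xyz" } }).length);         // 2: michael and king
console.log(find(users, { id: { $gt: "2" } }).length);                 // 0: "10" < "2" as strings
console.log(find(users, { role: { $exists: false } }).length);         // 2
console.log(find(users, { $where: function () { return this.username.length === 4; } }).length); // 1: king
```

Two behaviours worth noticing: `$ne` and an equality test against `null` both match documents where the field is missing, so "password is not xyz" also returns accounts with no password at all, and `$gt` on the string-typed `id` from the CRUD examples orders lexicographically, which is why `{"$gt": "2"}` returns nothing for `"10"`.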
