27017,27018 - Pentesting MongoDB

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

## Basic Information

MongoDB is an open source database management system that uses a document-oriented data model to handle many kinds of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications such as big data analytics and content management. Default ports: 27017, 27018

```
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9
```

## Enumeration

### Manual

```python
from pymongo import MongoClient

# Target details (placeholders); use username=None, password=None if the
# server does not require authentication
host, port = "<HOST>", 27017
username, password = "<USERNAME>", "<PASSWORD>"

client = MongoClient(host, port, username=username, password=password)
print(client.server_info())  # Basic info (version, build details)

# If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")

# List each database and the collections it contains
for db in client.list_databases():
    print(db)
    print(client[db["name"]].list_collection_names())
# If admin access, you could dump the database also
```

Some MongoDB shell commands:

```
show dbs
use <db>
show collections
db.<collection>.find()  #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"})  #Find in current db the username admin
```

### Automatic

```bash
nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used
```

### Shodan

  • All mongodb: "mongodb server information"
  • Search for fully open mongodb servers: "mongodb server information" -"partially enabled"
  • Only partially enabled auth: "mongodb server information" "partially enabled"

## Login

By default mongo does not require a password.
Admin is a common mongo database.

```bash
mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'
```

The nmap script mongodb-brute will check whether credentials are needed.

```bash
nmap -n -sV --script mongodb-brute -p 27017 <ip>
```

### Brute force

Look in /opt/bitnami/mongodb/mongodb.conf to see whether credentials are needed:

```bash
grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed
```

## Mongo Objectid Predict

Example from here.

Mongo Object IDs are 12-byte values, written as 24-character hexadecimal strings:

http://techidiocy.com/_id-objectid-in-mongodb/

For example, this is how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

  1. 5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32
  2. 9fa6dc: Machine identifier
  3. 2500: Process ID
  4. 314019: An incremental counter

Of the above elements, the machine identifier stays the same as long as the database runs on the same physical/virtual machine. The process ID only changes if the MongoDB process is restarted. The timestamp is updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values is the fact that MongoDB generates and assigns Object IDs at the system level.

The tool https://github.com/andresriancho/mongo-objectid-predict, given a starting Object ID (you can create an account and get a starting ID), returns about 1000 probable Object IDs that could have been assigned to the following objects, so you only need to brute-force them.
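As an added example (not part of the original page or of the mongo-objectid-predict tool), a small decoder that splits an ObjectId into the four fields listed above and checks whether two IDs came from the same generator; `parse_objectid` and `same_generator` are names chosen here.

```python
from datetime import datetime, timezone


def parse_objectid(oid: str) -> dict:
    """Split a 24-hex-character ObjectId into the four fields described above:
    4-byte timestamp, 3-byte machine id, 2-byte process id, 3-byte counter.

    Caveat: drivers following the current BSON spec fill bytes 4-8 with one
    per-process random value, so 'machine' and 'pid' are then just an opaque
    5-byte prefix; the guessable part is still timestamp plus counter.
    """
    if len(oid) != 24 or any(c not in "0123456789abcdefABCDEF" for c in oid):
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(oid)
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "datetime": datetime.fromtimestamp(ts, tz=timezone.utc),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def same_generator(a: str, b: str) -> bool:
    """True when two ObjectIds share machine id and pid, i.e. came from the same
    process and differ only in timestamp and counter. IDs with this property
    should never be the sole access check on a record."""
    pa, pb = parse_objectid(a), parse_objectid(b)
    return (pa["machine"], pa["pid"]) == (pb["machine"], pb["pid"])


if __name__ == "__main__":
    # The page's sample ID; prints timestamp 1596217772 = 2020-07-31 17:49:32 UTC
    for name, value in parse_objectid("5f2459ac9fa6dc2500314019").items():
        print(f"{name:>9}: {value}")
```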

## Post

If you are root you can modify the mongodb.conf file so that no credentials are needed (noauth = true) and log in without credentials.

## MongoBleed zlib Memory Disclosure (CVE-2025-14847)

A widespread unauthenticated memory disclosure (“MongoBleed”) impacts MongoDB 3.6–8.2 when the zlib network compressor is enabled. The OP_COMPRESSED header trusts an attacker-supplied uncompressedSize, so the server allocates a buffer of that size and copies it back into responses even though only a much smaller compressed payload was provided. The extra bytes are uninitialized heap data from other connections, /proc, or the WiredTiger cache. Attackers then omit the expected BSON \x00 terminator so MongoDB’s parser keeps scanning that oversized buffer until it finds a terminator, and the error response echoes both the malicious document and the scanned heap bytes pre-auth on TCP/27017.

### Exposure requirements & quick checks

  • The server version must fall within the vulnerable ranges (3.6, 4.0, 4.2, 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.27, 8.0.0–8.0.16, 8.2.0–8.2.2).
  • net.compression.compressors or networkMessageCompressors must include zlib (the default in many builds). Check it from the shell with:
    db.adminCommand({getParameter: 1, networkMessageCompressors: 1})
  • The attacker only needs network access to the MongoDB port. No authentication is required.

### Exploitation & harvesting workflow

  1. Initiate the wire-protocol handshake advertising compressors:["zlib"] so the session uses zlib.
  2. Send OP_COMPRESSED frames whose declared uncompressedSize is much larger than the actual decompressed payload, forcing an oversized heap allocation full of old data.
  3. Craft the embedded BSON without a final \x00 so the parser walks past the attacker-controlled data into the oversized buffer while looking for a terminator.
  4. MongoDB returns an error that includes the original message plus whatever heap bytes were scanned, leaking memory. Repeat with varying lengths/offsets to assemble secrets (creds/API keys/session tokens), WiredTiger stats and /proc artifacts.

The public PoC automates probing the offsets and carving the returned fragments:

```bash
python3 mongobleed.py --host <target> --max-offset 50000 --output leaks.bin
```

### Detection signal (high-rate connections)

The attack typically generates many short-lived requests. Watch for sudden spikes in inbound connections to mongod/mongod.exe. Example XQL hunt (>500 connections/min per remote IP, excluding RFC1918/loopback/link-local/multicast/broadcast/reserved ranges by default):

Cortex XQL: high-velocity Mongo connections

```sql
// High-velocity inbound connections to mongod/mongod.exe (possible MongoBleed probing)
dataset = xdr_data
| filter event_type = ENUM.NETWORK
| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe")
| filter action_network_is_server = true
| filter action_remote_ip not in (null, "")
| filter incidr(action_remote_ip, "10.0.0.0/8") != true
    and incidr(action_remote_ip, "192.168.0.0/16") != true
    and incidr(action_remote_ip, "172.16.0.0/12") != true
    and incidr(action_remote_ip, "127.0.0.0/8") != true
    and incidr(action_remote_ip, "169.254.0.0/16") != true
    and incidr(action_remote_ip, "224.0.0.0/4") != true
    and incidr(action_remote_ip, "255.255.255.255/32") != true
    and incidr(action_remote_ip, "198.18.0.0/15") != true
| filter action_network_session_duration <= 5000
| bin _time span = 1m
| comp count(_time) as Counter by agent_hostname, action_remote_ip, _time
| filter Counter >= 500
```
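The same hunt expressed in Python over constructed connection telemetry, as an added example that is not taken from the page or from Cortex XDR; the event field names and the sample records are assumptions made here.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Ranges the XQL hunt excludes (RFC1918, loopback, link-local, multicast,
# broadcast, benchmarking); connections from these are not counted.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32", "198.18.0.0/15",
)]
MONGOD_IMAGES = {"mongod", "mongod.exe"}


def is_excluded(ip: str) -> bool:
    """True when the remote address falls inside one of the excluded ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETWORKS)


def hunt_high_velocity(events, threshold=500, max_duration_ms=5000):
    """Count short-lived inbound connections to mongod per (host, remote_ip,
    1-minute bucket); return the buckets at or above the threshold."""
    counter = defaultdict(int)
    for ev in events:  # event keys below are assumptions of this example
        if ev["process"].lower() not in MONGOD_IMAGES or not ev["is_server"]:
            continue
        if not ev.get("remote_ip") or is_excluded(ev["remote_ip"]):
            continue
        if ev["duration_ms"] > max_duration_ms:
            continue
        minute = datetime.fromtimestamp(ev["ts"], tz=timezone.utc)
        minute = minute.replace(second=0, microsecond=0)
        counter[(ev["host"], ev["remote_ip"], minute)] += 1
    return {key: n for key, n in counter.items() if n >= threshold}


def sample_events():
    """Constructed telemetry: 600 probes from one public IP within one minute,
    50 ordinary connections from another, 700 from an excluded RFC1918 host."""
    base = 1767225600  # constructed: 2026-01-01 00:00:00 UTC

    def ev(ts, ip, duration_ms=30):
        return {"host": "db01", "process": "mongod", "is_server": True,
                "remote_ip": ip, "duration_ms": duration_ms, "ts": ts}

    events = [ev(base + i % 60, "203.0.113.7") for i in range(600)]
    events += [ev(base + i, "198.51.100.9") for i in range(50)]
    events += [ev(base + i % 60, "10.0.0.5") for i in range(700)]
    return events
```

Only the public burst is reported; the larger burst from 10.0.0.5 is dropped by the same exclusions the XQL query applies.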


## References

- [Unit 42 – Threat Brief: MongoDB Vulnerability (CVE-2025-14847)](https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/)
- [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild)
- [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508)
- [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)
- [MongoBleed PoC (joe-desimone/mongobleed)](https://github.com/joe-desimone/mongobleed)
