# 27017,27018 - Pentesting MongoDB

Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## Basic Information

MongoDB is an open-source database management system that uses a document-oriented database model to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications such as big data analytics and content management.

Default port: 27017, 27018

```
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9
```
## Enumeration

### Manual

```python
from pymongo import MongoClient

# Fill in the target and (optional) credentials before running
host, port = "<HOST>", 27017
username, password = "<USERNAME>", "<PASSWORD>"

client = MongoClient(host, port, username=username, password=password)
print(client.server_info())  # Basic info

# If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
print(admin_info)

# List every database and the collections it contains
for db in client.list_databases():
    print(db)
    print(client[db["name"]].list_collection_names())
# If admin access, you could dump the database also
```
Some MongoDB commands:

```bash
show dbs
use <db>
show collections
db.<collection>.find()                      # Dump the collection
db.<collection>.count()                     # Number of records of the collection
db.current.find({"username":"admin"})       # Find in current db the username admin
```
### Automatic

```bash
nmap -sV --script "mongo* and default" -p 27017 <IP>  # By default all the nmap mongo enumerate scripts are used
```
### Shodan

- All mongodb: "mongodb server information"
- Search for fully open mongodb servers: "mongodb server information" -"partially enabled"
- Only auth partially enabled: "mongodb server information" "partially enabled"
## Login

By default mongo does not require a password.
**Admin** is a common mongo database.

```bash
mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'
```

The nmap script **mongodb-brute** will check whether creds are needed.

```bash
nmap -n -sV --script mongodb-brute -p 27017 <ip>
```
### Brute force

Look inside /opt/bitnami/mongodb/mongodb.conf to know if credentials are needed:

```bash
grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#"           # Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth"    # Needed
```
## Mongo ObjectId Predict

Example from here.

Mongo Object IDs are **12-byte hexadecimal** strings:

For example, here is how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

- 5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32
- 9fa6dc: Machine identifier
- 2500: Process ID
- 314019: An incremental counter

Of the above elements, the machine identifier will remain the same as long as the database runs on the same physical/virtual machine. The process ID only changes if the MongoDB process is restarted. The timestamp is updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values is the fact that MongoDB generates Object IDs and assigns them at a system level.

Given a starting Object ID (you can create an account and get a starting ID), the tool https://github.com/andresriancho/mongo-objectid-predict sends back about 1000 probable Object IDs that could have been assigned to the next objects, so you just need to brute-force them.
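To make the dissection above concrete, here is an added Python helper (not part of the original page or of the mongo-objectid-predict tool) that splits an ObjectId into its four fields, rebuilds one, and measures how far apart two ids minted by the same mongod process are; the byte layout (4-byte timestamp, 3-byte machine id, 2-byte process id, 3-byte counter) follows the example above, and `LATER` is a constructed sample.

```python
from datetime import datetime, timezone

# Field layout of a classic MongoDB ObjectId: 4 | 3 | 2 | 3 bytes, as dissected above
def parse_object_id(oid: str) -> dict:
    """Return timestamp, machine id, process id and counter of a 24-hex-char ObjectId."""
    if len(oid) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(oid)                 # raises ValueError on non-hex input
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }

def build_object_id(timestamp: int, machine: str, pid: int, counter: int) -> str:
    """Inverse of parse_object_id; the counter wraps at 24 bits like the real generator."""
    return (timestamp.to_bytes(4, "big") + bytes.fromhex(machine)
            + pid.to_bytes(2, "big") + (counter & 0xFFFFFF).to_bytes(3, "big")).hex()

def counter_distance(first: str, second: str):
    """Counter steps between two ids from the same mongod process, or None if they
    come from a different machine/process. A small positive distance between ids an
    application exposes to users is the sign that those ids are sequential and
    guessable, i.e. they must not double as access tokens."""
    a, b = parse_object_id(first), parse_object_id(second)
    if (a["machine"], a["pid"]) != (b["machine"], b["pid"]):
        return None
    return b["counter"] - a["counter"]

# Constructed sample: the ObjectId dissected on this page and one minted 3 s / 7 ids later
SAMPLE = "5f2459ac9fa6dc2500314019"
LATER = build_object_id(1596217772 + 3, "9fa6dc", 0x2500, 0x314019 + 7)

if __name__ == "__main__":
    print(parse_object_id(SAMPLE))
    print("counter distance:", counter_distance(SAMPLE, LATER))  # 7
```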
## Post

If you are root you can modify the mongodb.conf file so no credentials are needed (noauth = true) and log in without credentials.
## MongoBleed zlib Memory Disclosure (CVE-2025-14847)

A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 when the zlib network compressor is enabled. The OP_COMPRESSED header trusts an attacker-supplied uncompressedSize, so the server allocates a buffer of that size and copies it back into responses even though only a much smaller compressed payload was provided. The extra bytes are uninitialized heap data from other connections, /proc, or the WiredTiger cache. Attackers then omit the expected BSON \x00 terminator so MongoDB's parser keeps scanning that oversized buffer until it finds a terminator, and the error response echoes both the malicious document and the scanned heap bytes pre-auth on TCP/27017.
### Exposure requirements & quick checks

- Server version must be within the vulnerable ranges (3.6, 4.0, 4.2, 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.27, 8.0.0–8.0.16, 8.2.0–8.2.2).
- `net.compression.compressors` or `networkMessageCompressors` must include `zlib` (default on many builds). Check it from the shell with:

  ```javascript
  db.adminCommand({getParameter: 1, networkMessageCompressors: 1})
  ```

- The attacker only needs network access to the MongoDB port. No authentication is required.
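As an added check (not from the page's sources) that encodes the two exposure conditions above, here is a Python helper that takes the server version string and the compressor setting and says whether the build is exposed; `check_live` is an assumed wrapper that pulls both values from a running server with pymongo's `buildInfo` and `getParameter` commands and is not exercised offline.

```python
# Vulnerable ranges listed above; an upper bound of None means every patch of that minor
VULNERABLE_RANGES = [
    ((3, 6, 0), None), ((4, 0, 0), None), ((4, 2, 0), None),
    ((4, 4, 0), (4, 4, 29)), ((5, 0, 0), (5, 0, 31)), ((6, 0, 0), (6, 0, 26)),
    ((7, 0, 0), (7, 0, 27)), ((8, 0, 0), (8, 0, 16)), ((8, 2, 0), (8, 2, 2)),
]

def parse_version(version: str) -> tuple:
    """'8.0.16' -> (8, 0, 16); pre-release suffixes such as '-rc0' are dropped."""
    parts = [int(p) for p in version.split("-")[0].split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def version_is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    for lo, hi in VULNERABLE_RANGES:
        if hi is None:
            if v[:2] == lo[:2]:          # whole minor line is affected
                return True
        elif lo <= v <= hi:
            return True
    return False

def is_exposed(version: str, compressors) -> bool:
    """True when the build is in a vulnerable range AND zlib can be negotiated.
    `compressors` is either the comma-separated string used by
    net.compression.compressors / networkMessageCompressors or a list of names."""
    if isinstance(compressors, str):
        compressors = compressors.split(",")
    enabled = [c.strip().lower() for c in compressors]
    return version_is_vulnerable(version) and "zlib" in enabled

def check_live(client) -> bool:
    """Assumed helper: same check against a live server through a pymongo MongoClient
    whose user may run buildInfo and getParameter (needs network access, not run here)."""
    version = client.admin.command("buildInfo")["version"]
    params = client.admin.command({"getParameter": 1, "networkMessageCompressors": 1})
    return is_exposed(version, params["networkMessageCompressors"])
```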
### Exploitation & harvesting workflow

- Start the wire-protocol handshake advertising `compressors:["zlib"]` so the session uses zlib.
- Send `OP_COMPRESSED` frames whose declared `uncompressedSize` is far larger than the real decompressed payload, forcing a large heap allocation full of stale data.
- Craft malformed BSON with no trailing `\x00` so the parser walks past the attacker-controlled data into the oversized buffer while searching for a terminator.
- MongoDB returns an error that includes the original message plus any scanned heap bytes, leaking memory. Repeat with different lengths/offsets to harvest secrets (creds/API keys/session tokens), WiredTiger stats and `/proc` artifacts.

The public PoC automates the offset probing and the carving of the returned fragments:

```bash
python3 mongobleed.py --host <target> --max-offset 50000 --output leaks.bin
```
### Detection signals (high-velocity connections)

The attack typically produces many short-lived requests. Look for a surge in inbound connections to mongod/mongod.exe. Example XQL hunt (>500 connections/min per remote IP, excluding RFC1918/loopback/link-local/mcast/broadcast/reserved ranges by default):
**Cortex XQL high-velocity Mongo connections**

```sql
// High-velocity inbound connections to mongod/mongod.exe (possible MongoBleed probing)
dataset = xdr_data
| filter event_type = ENUM.NETWORK
| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe")
| filter action_network_is_server = true
| filter action_remote_ip not in (null, "")
| filter incidr(action_remote_ip, "10.0.0.0/8") != true
    and incidr(action_remote_ip, "192.168.0.0/16") != true
    and incidr(action_remote_ip, "172.16.0.0/12") != true
    and incidr(action_remote_ip, "127.0.0.0/8") != true
    and incidr(action_remote_ip, "169.254.0.0/16") != true
    and incidr(action_remote_ip, "224.0.0.0/4") != true
    and incidr(action_remote_ip, "255.255.255.255/32") != true
    and incidr(action_remote_ip, "198.18.0.0/15") != true
| filter action_network_session_duration <= 5000
| bin _time span = 1m
| comp count(_time) as Counter by agent_hostname, action_remote_ip, _time
| filter Counter >= 500
```
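The same hunt logic as the XQL query above, rewritten as an added Python example (not from Unit 42 or this page) that runs over constructed connection records so the threshold, the 5 s session cut-off and the address exclusions can be tested offline; the event field names are assumptions, not Cortex field names.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Same exclusions as the XQL hunt above
EXCLUDED_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32", "198.18.0.0/15")]

def is_excluded(ip: str) -> bool:
    return any(ip_address(ip) in net for net in EXCLUDED_NETS)

def hunt(events, threshold=500, max_duration_ms=5000, processes=("mongod", "mongod.exe")):
    """Return {(host, remote_ip, minute_epoch): count} for every minute in which one
    remote IP opened at least `threshold` short-lived inbound connections to mongod.
    Each event is a dict (assumed schema): ts (epoch s), host, process, remote_ip,
    is_server (bool), duration_ms."""
    counts = Counter()
    for e in events:
        if e["process"].lower() not in processes or not e["is_server"]:
            continue
        if not e["remote_ip"] or is_excluded(e["remote_ip"]):
            continue
        if e["duration_ms"] > max_duration_ms:
            continue
        minute = e["ts"] - e["ts"] % 60          # bin _time span = 1m
        counts[(e["host"], e["remote_ip"], minute)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def constructed_events():
    """Constructed sample: 600 probe connections from one external IP inside one minute,
    plus internal and long-lived traffic of the same volume that must not alert."""
    base = 1735689600  # 2025-01-01T00:00:00Z, minute-aligned
    ev = []
    for i in range(600):
        ev.append(dict(ts=base + i % 60, host="db01", process="mongod",
                       remote_ip="203.0.113.7", is_server=True, duration_ms=120))
    for i in range(600):  # RFC1918 client with the same burst: excluded by address
        ev.append(dict(ts=base + i % 60, host="db01", process="mongod",
                       remote_ip="10.1.2.3", is_server=True, duration_ms=120))
    for i in range(600):  # long-lived application sessions: filtered by duration
        ev.append(dict(ts=base + i % 60, host="db01", process="mongod",
                       remote_ip="198.51.100.9", is_server=True, duration_ms=90000))
    return ev

if __name__ == "__main__":
    for (host, ip, minute), n in hunt(constructed_events()).items():
        print(f"{host} {ip} minute={minute} connections={n}")
```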
## References
- [Unit 42 – Threat Brief: MongoDB Vulnerability (CVE-2025-14847)](https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/)
- [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild)
- [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508)
- [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)
- [MongoBleed PoC (joe-desimone/mongobleed)](https://github.com/joe-desimone/mongobleed)