27017,27018 - Pentesting MongoDB

Reading time: 4 minutes

Basic Information

MongoDB ni mfumo wa usimamizi wa hifadhidata wa chanzo wazi unaotumia mfano wa hifadhidata unaotegemea hati kushughulikia aina mbalimbali za data. Inatoa kubadilika na uwezo wa kupanuka kwa usimamizi wa data zisizo na muundo au zenye muundo wa kati katika programu kama uchanganuzi wa data kubwa na usimamizi wa maudhui. Bandari ya kawaida: 27017, 27018

PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9

Uhesabu

Mikono

from pymongo import MongoClient
client = MongoClient(host, port, username=username, password=password)
client.server_info() #Basic info
#If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
cursor = client.list_databases()
for db in cursor:
print(db)
print(client[db["name"]].list_collection_names())
#If admin access, you could dump the database also

Baadhi ya amri za MongoDB:

show dbs
use <db>
show collections
db.<collection>.find()  #Dump the collection
db.<collection>.count() #Number of records of the collection
db.current.find({"username":"admin"})  #Find in current db the username admin

Kiotomatiki

nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used

Shodan

• Mongodb yote: "mongodb server information"
• Tafuta seva za mongodb zilizo wazi kabisa: "mongodb server information" -"partially enabled"
• Tu sehemu ya kuanzisha uthibitisho: "mongodb server information" "partially enabled"

Login

Kwa kawaida mongo haitaji nenosiri.
Admin ni hifadhidata ya kawaida ya mongo.

mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'

Script ya nmap: mongodb-brute itakagua kama creds zinahitajika.

nmap -n -sV --script mongodb-brute -p 27017 <ip>

Brute force

Angalia ndani ya /opt/bitnami/mongodb/mongodb.conf kujua kama akauti zinahitajika:

grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed

Mongo Objectid Predict

Mfano kutoka hapa.

Mongo Object IDs ni nyuzi 12 za hexadecimal:

Kwa mfano, hapa kuna jinsi tunavyoweza kuchambua ID halisi ya Object iliyorejeshwa na programu: 5f2459ac9fa6dc2500314019

1. 5f2459ac: 1596217772 katika desimali = Ijumaa, 31 Julai 2020 17:49:32
2. 9fa6dc: Kitambulisho cha Mashine
3. 2500: Kitambulisho cha Mchakato
4. 314019: Kihesabu kinachoongezeka

Kati ya vipengele vilivyotajwa, kitambulisho cha mashine kitabaki kuwa sawa kwa muda wote ambapo hifadhidata inafanya kazi kwenye mashine halisi/virtual ile ile. Kitambulisho cha mchakato kitabadilika tu ikiwa mchakato wa MongoDB utaanzishwa upya. Wakati wa alama utaongezwa kila sekunde. Changamoto pekee katika kukisia Object IDs kwa kuongezea tu thamani za kihesabu na wakati, ni ukweli kwamba Mongo DB inazalisha Object IDs na inatoa Object IDs kwa kiwango cha mfumo.

Zana https://github.com/andresriancho/mongo-objectid-predict, ikitolewa ID ya kuanzia ya Object (unaweza kuunda akaunti na kupata ID ya kuanzia), inarudisha karibu Object IDs 1000 zinazoweza kuwa zimepewa vitu vya baadaye, hivyo unahitaji tu kuzishughulikia kwa nguvu.

Post

Ikiwa wewe ni root unaweza kubadilisha faili ya mongodb.conf ili usihitaji akidi (noauth = true) na kuingia bila akidi.