# 27017,27018 - Pentesting MongoDB

> [!TIP]
> Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
> Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
>
> Support HackTricks

## Basic Information

MongoDB is an open source database management system that uses a document-oriented database model to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications such as big data analytics and content management. Default ports: 27017, 27018

```
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.9 2.6.9
```

## Enumeration

### Manual

```python
from pymongo import MongoClient

# Fill in the target; username/password can stay None when auth is disabled
host, port = "127.0.0.1", 27017
username, password = None, None

client = MongoClient(host, port, username=username, password=password)
print(client.server_info())  # Basic info (version, build, etc.)

# If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")

# List every database and the collections inside it
for db in client.list_databases():
    print(db)
    print(client[db["name"]].list_collection_names())
# If admin access, you could dump the database also
```

Some MongoDB commands:

```javascript
show dbs
use <db>
show collections
db.<collection>.find()  //Dump the collection
db.<collection>.count() //Number of records of the collection
db.current.find({"username":"admin"})  //Find in current db the username admin
```

### Automatic

```bash
nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used
```

### Shodan

- All mongodb: `"mongodb server information"`
- Search for completely open mongodb servers: `"mongodb server information" -"partially enabled"`
- Only partially enabled auth: `"mongodb server information" "partially enabled"`

## Login

By default mongo does not require a password.
Admin is a common mongo database.

```bash
mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'
```

The nmap script mongodb-brute checks whether creds are needed.

```bash
nmap -n -sV --script mongodb-brute -p 27017 <ip>
```

### Brute force

Look in /opt/bitnami/mongodb/mongodb.conf to determine whether credentials are needed:

```bash
grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Needed
```

## Mongo Objectid Predict

Example from here.

Mongo Object IDs are 12-byte values rendered as hexadecimal strings:

http://techidiocy.com/_id-objectid-in-mongodb/

For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

  1. 5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32
  2. 9fa6dc: machine identifier
  3. 2500: process ID
  4. 314019: incrementing counter

Of the elements above, the machine identifier remains the same as long as the database runs on the same physical/virtual machine. The process ID only changes when the MongoDB process is restarted. The timestamp updates every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp is that MongoDB generates and assigns Object IDs at the system level.

The tool https://github.com/andresriancho/mongo-objectid-predict, given a starting Object ID (you can create an account and get a starting ID), sends back about 1000 probable Object IDs that could have been assigned to the next objects, so you just need to brute-force them.
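The dissection above can be automated with a small decoder, which is the quickest way to review whether an application is exposing sequential, predictable ids (and therefore should not rely on them as access-control tokens). This is an added example written for this page; it is not the original page's code nor part of mongo-objectid-predict, and it uses only the Python standard library. It assumes the classic 12-byte layout (timestamp / machine id / pid / counter) used in the dissection; newer drivers fill the 5 bytes after the timestamp with a per-process random value instead, so label those bytes accordingly if you know which driver generated the id.

```python
"""Decode a MongoDB ObjectId into the four fields discussed on this page.

Added example, not from the original page or from the mongo-objectid-predict
tool. Standard library only. Assumes the classic layout:
  bytes 0-3  timestamp (seconds since epoch, big-endian)
  bytes 4-6  machine identifier
  bytes 7-8  process id
  bytes 9-11 incrementing counter
"""
from datetime import datetime, timezone


def decode_object_id(oid_hex: str) -> dict:
    """Split a 24-hex-char ObjectId into its components.

    Returns the raw hex of each field plus the decoded UTC timestamp and
    integer values for the pid and the counter.
    """
    if len(oid_hex) != 24:
        raise ValueError("ObjectId must be 24 hex characters (12 bytes)")
    raw = bytes.fromhex(oid_hex)  # raises ValueError on non-hex input
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "machine_id": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "pid_hex": raw[7:9].hex(),
        "counter": int.from_bytes(raw[9:12], "big"),
        "counter_hex": raw[9:12].hex(),
    }


def same_generator(a: str, b: str) -> bool:
    """True when two ObjectIds share machine id and pid, i.e. were minted by
    the same process. Two ids from the same generator that differ only in
    timestamp/counter are the guessable case the section describes."""
    da, db = decode_object_id(a), decode_object_id(b)
    return da["machine_id"] == db["machine_id"] and da["pid"] == db["pid"]


if __name__ == "__main__":
    # ObjectId taken from the dissection on this page.
    info = decode_object_id("5f2459ac9fa6dc2500314019")
    for key, value in info.items():
        print(f"{key:14} {value}")
```

Running it on the page's sample id prints the same four fields as the list above; comparing two ids returned by an application with `same_generator` tells you whether they came from one process, which is the precondition for the counter-and-timestamp guessing the text describes.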

## Post

If you are root you can modify the mongodb.conf file so no credentials are needed (noauth = true) and log in without credentials.

## MongoBleed zlib Memory Disclosure (CVE-2025-14847)

A widespread unauthenticated memory disclosure (“MongoBleed”) impacts MongoDB 3.6–8.2 when the zlib network compressor is enabled. The OP_COMPRESSED header trusts an attacker-supplied uncompressedSize, so the server allocates a buffer of that size and copies it back into responses even though only a much smaller compressed payload was provided. The extra bytes are uninitialized heap data from other connections, /proc, or the WiredTiger cache. Attackers then omit the expected BSON \x00 terminator so MongoDB’s parser keeps scanning that oversized buffer until it finds a terminator, and the error response echoes both the malicious document and the scanned heap bytes pre-auth on TCP/27017.

### Exposure requirements & quick checks

- The server version must fall within an affected range (3.6, 4.0, 4.2, 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.27, 8.0.0–8.0.16, 8.2.0–8.2.2).
- `net.compression.compressors` or `networkMessageCompressors` must include `zlib` (the default on many builds). Check it from the shell with:
  ```javascript
  db.adminCommand({getParameter: 1, networkMessageCompressors: 1})
  ```
- The attacker only needs network access to the MongoDB port; no authentication is required.
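For triage across an inventory it helps to encode the two server-side conditions above (affected build, zlib advertised) as a function rather than eyeballing version strings. The following is an added example written for this page, not code from the page, from MongoDB or from any of the cited vendors. It assumes the version comes from `db.version()` or the handshake and that the `getParameter` result is the document returned by the shell command above, with `networkMessageCompressors` as a list of names (a comma-separated string is also accepted). The ranges are exactly the ones listed on this page; dev series such as 8.1 are not in that list and are reported as not affected.

```python
"""Offline MongoBleed (CVE-2025-14847) exposure check.

Added example, not from the original page or any vendor. Encodes the affected
version ranges exactly as listed on the page plus the zlib compressor
condition. Network reachability is the third condition and is a deployment
question this code cannot answer.
"""
from typing import Optional, Sequence, Tuple

# (major, minor, min_patch, max_patch); max_patch None = the whole minor
# series is listed on the page as affected without an upper bound.
AFFECTED_RANGES: Sequence[Tuple[int, int, int, Optional[int]]] = (
    (3, 6, 0, None),
    (4, 0, 0, None),
    (4, 2, 0, None),
    (4, 4, 0, 29),
    (5, 0, 0, 31),
    (6, 0, 0, 26),
    (7, 0, 0, 27),
    (8, 0, 0, 16),
    (8, 2, 0, 2),
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """'8.0.16' -> (8, 0, 16). Tolerates a missing patch ('3.6' -> 3.6.0)
    and pre-release suffixes such as '8.2.0-rc1' (suffix ignored)."""
    core = v.strip().split("-", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def version_affected(v: str) -> bool:
    """True when the version falls inside one of the listed ranges."""
    major, minor, patch = parse_version(v)
    for r_major, r_minor, lo, hi in AFFECTED_RANGES:
        if (major, minor) != (r_major, r_minor) or patch < lo:
            continue
        if hi is None or patch <= hi:
            return True
    return False


def zlib_enabled(get_parameter_result: dict) -> bool:
    """Interpret the getParameter document for networkMessageCompressors.
    Assumed shape: {"networkMessageCompressors": ["snappy", "zlib"], "ok": 1}."""
    comps = get_parameter_result.get("networkMessageCompressors") or []
    if isinstance(comps, str):
        comps = [c.strip() for c in comps.split(",")]
    return "zlib" in [c.lower() for c in comps]


def mongobleed_exposed(version: str, get_parameter_result: dict) -> bool:
    """Both server-side conditions from the page must hold."""
    return version_affected(version) and zlib_enabled(get_parameter_result)


if __name__ == "__main__":
    # Constructed sample input, not real server output.
    sample = {"networkMessageCompressors": ["snappy", "zstd", "zlib"], "ok": 1.0}
    for ver in ("2.6.9", "4.4.29", "4.4.30", "8.2.2", "8.2.3"):
        state = "exposed" if mongobleed_exposed(ver, sample) else "not exposed"
        print(f"{ver:8} {state}")
```

A build outside the ranges, or one where `networkMessageCompressors` no longer lists `zlib`, is reported as not exposed; the remediation the advisories point to is upgrading to a patched release, with removing zlib from the compressor list as the interim mitigation.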

### Exploitation & collection workflow

  1. Perform the wire-protocol handshake advertising compressors:["zlib"] so the session uses zlib.
  2. Send an OP_COMPRESSED frame whose declared uncompressedSize is far larger than the real decompressed payload, forcing an oversized heap allocation full of stale data.
  3. Craft the embedded BSON without a trailing \x00 so the parser walks past the attacker-controlled data into the oversized buffer while looking for a terminator.
  4. MongoDB throws an error containing the original message plus the arbitrary heap bytes it scanned, leaking memory. Repeat with different lengths/offsets to aggregate secrets (creds/API keys/session tokens), WiredTiger statistics and /proc artifacts.

The public PoC automates offset probing and extracts the returned fragments:

```bash
python3 mongobleed.py --host <target> --max-offset 50000 --output leaks.bin
```

### Detection signal (high-velocity connections)

The attack typically generates a large number of short-lived requests. Look for spikes in inbound connections to mongod/mongod.exe. Example XQL hunt (>500 connections/minute per remote IP, excluding RFC1918/loopback/link-local/mcast/broadcast/reserved ranges by default):

Cortex XQL: high-velocity Mongo connections

```sql
// High-velocity inbound connections to mongod/mongod.exe (possible MongoBleed probing)
dataset = xdr_data
| filter event_type = ENUM.NETWORK
| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe")
| filter action_network_is_server = true
| filter action_remote_ip not in (null, "")
| filter incidr(action_remote_ip, "10.0.0.0/8") != true
    and incidr(action_remote_ip, "192.168.0.0/16") != true
    and incidr(action_remote_ip, "172.16.0.0/12") != true
    and incidr(action_remote_ip, "127.0.0.0/8") != true
    and incidr(action_remote_ip, "169.254.0.0/16") != true
    and incidr(action_remote_ip, "224.0.0.0/4") != true
    and incidr(action_remote_ip, "255.255.255.255/32") != true
    and incidr(action_remote_ip, "198.18.0.0/15") != true
| filter action_network_session_duration <= 5000
| bin _time span = 1m
| comp count(_time) as Counter by agent_hostname, action_remote_ip, _time
| filter Counter >= 500
```
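The same hunt can be run without Cortex over any export of accepted connections (EDR CSV, NetFlow, parsed mongod log lines). The following is an added example written for this page, not code from the page or from Unit 42; it mirrors the XQL pipeline step by step (process filter, server-side only, exclusion ranges, session duration ≤ 5000 ms, 1-minute bins, threshold ≥ 500). The record format is constructed for the demo: one dict per connection with the server process name, remote IP, epoch time in milliseconds and the session duration in milliseconds.

```python
"""Plain-Python port of the high-velocity mongod connection hunt.

Added example, not from the original page or Unit 42. The record layout is
constructed for this demo; map your own export's fields onto it.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Same exclusions as the XQL hunt (RFC1918, loopback, link-local,
# multicast, limited broadcast, benchmarking range).
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32", "198.18.0.0/15",
)]
MONGO_PROCS = {"mongod", "mongod.exe"}


def is_excluded(ip: str) -> bool:
    """Drop empty/unparsable IPs (as `not in (null, "")` does) and any IP
    inside the exclusion ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXCLUDED_NETS)


def high_velocity_sources(records: Iterable[Dict], threshold: int = 500,
                          max_duration_ms: int = 5000) -> List[Tuple[str, str, int, int]]:
    """Return (host, remote_ip, minute_bucket, count) for every
    (host, remote IP, minute) with >= threshold short-lived inbound
    connections to mongod. minute_bucket is epoch_ms // 60000."""
    buckets: Counter = Counter()
    for r in records:
        if r.get("process", "").lower() not in MONGO_PROCS:
            continue
        if not r.get("is_server", False):
            continue
        if is_excluded(r.get("remote_ip", "")):
            continue
        if r.get("duration_ms", 0) > max_duration_ms:
            continue
        minute = int(r["time_ms"] // 60000)
        buckets[(r["host"], r["remote_ip"], minute)] += 1
    return sorted((h, ip, m, c) for (h, ip, m), c in buckets.items() if c >= threshold)


def sample_records() -> List[Dict]:
    """Constructed demo data: one external IP opening 600 short connections
    within one minute (should fire), one internal IP doing the same
    (excluded by the RFC1918 filter) and one external IP at a normal rate."""
    base = 1_700_000_000_000  # arbitrary epoch milliseconds
    recs = []
    for i in range(600):
        recs.append({"host": "db01", "process": "mongod", "is_server": True,
                     "remote_ip": "203.0.113.7", "time_ms": base + i * 50, "duration_ms": 20})
    for i in range(600):
        recs.append({"host": "db01", "process": "mongod", "is_server": True,
                     "remote_ip": "10.1.2.3", "time_ms": base + i * 50, "duration_ms": 20})
    for i in range(30):
        recs.append({"host": "db01", "process": "mongod", "is_server": True,
                     "remote_ip": "198.51.100.9", "time_ms": base + i * 1000, "duration_ms": 20})
    return recs


if __name__ == "__main__":
    for host, ip, minute, count in high_velocity_sources(sample_records()):
        print(f"{host} <- {ip}: {count} short connections in minute bucket {minute}")
```

On the constructed data only 203.0.113.7 is reported; the internal source is filtered exactly as the XQL `incidr` clauses would filter it, so if your MongoDB is only reachable from internal ranges, drop the matching exclusion or the hunt will never fire.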


## References

- [Unit 42 – Threat Brief: MongoDB Vulnerability (CVE-2025-14847)](https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/)
- [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild)
- [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508)
- [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)
- [MongoBleed PoC (joe-desimone/mongobleed)](https://github.com/joe-desimone/mongobleed)
