Sunday, February 9, 2014

No SQLmap (automated SQL injections)

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases, as well as web applications using NoSQL in order to disclose data from the database.  It is named as a tribute to Bernardo Damele and Miroslav’s Stampar’s popular SQL injection tool SQLmap, and its concepts are based on and extensions of Ming Chow’s excellent presentation at Defcon 21, “Abusing NoSQL Databases”.  Presently the tool’s exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.  The current project goals are to provide a penetration testing tool to simplify attacks on MongoDB servers and web applications as well as proof of concept attacks to debunk the premise that NoSQL applications are impervious to SQL injection.

·        Automated MongoDB database enumeration and cloning attacks.
·        Scanning subnets or IP lists for MongoDB databases with default access.
·        Dictionary password cracking of recovered MongoDB hashes.
·        PHP application parameter injection attacks against MongoClient to return all database records.
·        Javascript function variable escaping and arbitrary code injection to return all database records.
·        Timing based attacks similar to blind SQL injection to validate Javascript injection vulnerabilities with no feedback from the application.

On a Debian or Red Hat based system, the script may be run as root to automate the installation of NoSQLMap’s dependencies.
Varies based on features used:
·        Metasploit Framework,
·        Python with PyMongo,
·        httplib2,
·        and urllib available.
·        A local, default MongoDB instance for cloning databases to. Check here for installation instructions.
There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.

Please Like subscribe and follow

No comments:

Post a Comment

Not hacking but a game made by me

Hey guys I recently made this game for an english project at my school if you like macbeth or just like rpg's it's for you. I have ...