NoSQLMap is an open source Python tool designed to audit for, as well as automate, injection attacks and to exploit default configuration weaknesses in NoSQL databases and in web applications using NoSQL, in order to disclose data from the database. It is named as a tribute to Bernardo Damele and Miroslav Stampar’s popular SQL injection tool SQLmap, and its concepts are based on, and extend, Ming Chow’s excellent presentation at Defcon 21, “Abusing NoSQL Databases”. Presently the tool’s exploits are focused on MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra is planned for future releases. The current project goals are to provide a penetration testing tool that simplifies attacks on MongoDB servers and web applications, as well as proof of concept attacks to debunk the premise that NoSQL applications are impervious to SQL injection.
Features
· Automated MongoDB database enumeration and cloning attacks.
· Scanning subnets or IP lists for MongoDB databases with default access.
· Dictionary password cracking of recovered MongoDB hashes.
· PHP application parameter injection attacks against MongoClient to return all database records.
· JavaScript function variable escaping and arbitrary code injection to return all database records.
· Timing based attacks similar to blind SQL injection to validate JavaScript injection vulnerabilities with no feedback from the application.
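A defender's view of the PHP parameter injection feature listed above, as an added example that is not NoSQLMap code: PHP parses `name[key]=value` into an array, so a MongoDB operator name inside the brackets reaches the query as an operator, and this scanner flags such keys in access-log query strings. The log lines, paths and operator list are constructed for illustration, and only the query strings of logged requests are covered (not POST bodies).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# MongoDB query operators that have no business arriving as a parameter key.
OPERATORS = {"$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin",
             "$regex", "$exists", "$where", "$or", "$and", "$not"}
# PHP turns name[key]=value into an array; capture every bracketed subkey.
SUBKEY = re.compile(r"\[([^\]]*)\]")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')


def operator_keys(url):
    """Return sorted (parameter, operator) pairs found in the URL's query string."""
    hits = set()
    # parse_qsl percent-decodes names, so user%5B%24ne%5D is seen as user[$ne].
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        for sub in SUBKEY.findall(name):
            if sub.lower() in OPERATORS:
                hits.add((base, sub.lower()))
    return sorted(hits)


def scan(lines):
    """Yield (line_number, findings) for log lines that carry operator keys."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        findings = operator_keys(match.group(1))
        if findings:
            yield number, findings


# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /account.php?user=alice&id=7 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /account.php?user%5B%24ne%5D=x&id=7 HTTP/1.1" 200 9841',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q[$exists]=1 HTTP/1.1" 200 7733',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /list.php?tags[]=a&tags[]=b HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

Ordinary PHP array parameters such as `tags[]` are not flagged; on the application side, the matching mitigation is to reject or cast any request parameter that arrives as an array where a scalar is expected.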
Requirements
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap’s dependencies.
Requirements vary based on the features used:
· Metasploit Framework,
· Python with PyMongo,
· httplib2,
· and urllib available.
· A local, default MongoDB instance for cloning databases to. Check here for installation instructions.
There are various other libraries required that a normal Python installation should have readily available. Your mileage may vary; check the script.