NoSQLAttack: automate exploit MongoDB server IP on Internet

NoSQLAttack is an open source Python tool to automate expose MongoDB server IP on the internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks. Presently, this project focuses on MongoDB.

It is based on NoSQLMap, tcstool’s popular NoSQL injection tool and shodan, the first search engine for Internet-connected devices.

Some attack tests are based on and extensions of following papers

• Diglossia: Detecting Code Injection Attacks with Precision and Efficiency
• No SQL, No Injection?
• Several thousand MongoDBs without access control on the Internet.

There are two systems for testing NoSQL injection in this project-NoSQLInjectionAttackDemo. #Background NoSQL injection attacks, for example, php array injection, javascript injection and mongo shell injection, endanger mongoDB. There are thousands of mongoDB are exposed on the internet, and the hacker can download data from exposed mongoDB.

Installation

git clone https://github.com/youngyangyang04/NoSQLAttack.git
cd NoSQLAttack
python setup.py install

Usage

================================================

        _   _       _____  _____ _                      

       | \ | |     /  ___||  _  | |                     

       |  \| | ___ \ `--. | | | | |                   

       | . ` |/ _ \ `--. \| | | | |                    

       | |\  | (_) /\__/ /\ \/' / |____          

       \_| \_/\___/\____/  \_/\_\_____/                  

                                        _          

    /\      _      _                   | |  _        

   /  \   _| |_  _| |    _____    ___  | | / /       

  / /\ \ |_   _||_   _| / __  \  / __| | |/ /        

 / /--\ \  | |_   | |_  | |_| | | |__  | |\ \       

/ / -- \ \ \___\  \___\ \______\ \___| | | \_\      

================================================    

NoSQLAttack-v0.2

sunxiuyang04@gmail.com





1-Scan attacked IP

2-Configurate parameters

3-MongoDB Access Attacks

4-Injection Attacks

x-Exit

Demo

Copyright (C) 2017 youngyangyang04

Source: https://github.com/youngyangyang04/