Jump to content
Fi8sVrs

NoSQLMap

Recommended Posts

  • Active Members
Posted

NoSQLMap v0.4

Introduction

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database.

It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool sqlmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.

Requirements

On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.

Varies based on features used:


  • Metasploit Framework,
  • Python with PyMongo,
  • httplib2,
  • and urllib available.
  • A local, default MongoDB instance for cloning databases to. Check here for installation instructions.

There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.

Setup

An experimental setup.sh script for Debian and Red Hat based systems is included. Any feedback or suggestions on improving this process is welcome.

Usage

-Start with

./nosqlmap.py 

or

python nosqlmap.py.

NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:


1-Set options (do this first)
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
x-Exit

Explanation of options:

1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack.
2. Set web app port-TCP port for the web application if a web application is the target.
3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. /app/acct.php?acctid=102).
4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp.
5. Set my local Mongo/Shell IP-Set this option if attacking a MongoDB instance directly to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to.
6. Set shell listener port-If opening Meterpreter shells, specify the port.
7. Load options file-Load a previously saved set of settings for 1-6.
8. Load options from saved Burp request-Parse a request saved from Burp Suite and populate the web application options.
9. Save options file-Save settings 1-6 for future use.
x. Back to main menu-Use this once the options are set to start your attacks.

Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate for whether you are attacking a NoSQL management port or web application. The rest of the tool is "wizard" based and fairly self explanatory, but send emails to nosqlmap@gmail.com or find me on Twitter @tcstoolHax0r if you have any questions or suggestions.

Demo videos:

Download:

https://github.com/tcstool/NoSQLMap/archive/0.5.zip

https://github.com/tcstool/NoSQLMap

Official

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...