MongoDB 27017

Enumeration and exploitation tricks for MongoDB

#NMAP

nmap --script mongodb-info -p 27017 10.0.0.0
nmap --script mongodb-databases -p 27017 10.0.0.0

#Bruteforcing

hydra -l username -P passwords.txt 10.0.0.0 mongodb
hydra -L usernames.txt -p password 10.0.0.0 mongodb

#Connect

# Local
mongo
mongo --port 27017

# Remote
mongo --host <target-ip> --port 27017 -u username -p password
mongo "mongodb://<target-ip>:27017"
mongo "mongodb://username:password@<target-ip>:27017/?authSource=admin"

#Basic Commands

# All databases
> show dbs
# Current database
> db
# Switch to a database if it exists, or create it if it does not
> use db_name
# Collections
> show collections
# Run a JavaScript file
> load("example.js")

# List users in the current database
> show users
# Documents in a collection named "admin" in the current database
> db.admin.find()

# Create new collection in current database
> db.createCollection("users")

#Operators

# $eq: equal
# ex. username is "admin"
db.<collection_name>.findOne({username: {"$eq": "admin"}})

# $ne: not equal
# ex. password is not "xyz"
db.<collection_name>.findOne({id: "1", password: {"$ne": "xyz"}})

# $gt: greater than
# ex. id is greater than "2" (string comparison; use 2 without quotes for numeric ids)
db.<collection_name>.findOne({id: {"$gt": "2"}})

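# $where: match documents for which a JavaScript expression is true

# $exists: match documents that have (or do not have) a field

# $regex: match string values against a regular expression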
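
The operators above are interpreted wherever a filter value is an object, so application code that builds a filter from request data should accept only plain strings. The following is an added example, not part of the original cheat sheet: `matches`, `naiveLoginFilter`, `safeLoginFilter` and the sample user record are hypothetical, and the small in-memory matcher stands in for a real collection so it runs offline with Node.js.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Minimal in-memory evaluator for the three operators shown above,
// standing in for a real collection so the example runs offline.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond === null || typeof cond !== 'object') return doc[field] === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$eq') return doc[field] === arg;
      if (op === '$ne') return doc[field] !== arg;
      if (op === '$gt') return doc[field] > arg;
      throw new Error('unsupported operator: ' + op);
    });
  });
}

// Weak: request fields are placed in the filter as received, so an object
// value is interpreted as a query operator instead of a literal.
function naiveLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// Hardened: accept only plain strings and pin each one behind $eq.
function safeLoginFilter(body) {
  for (const field of ['username', 'password']) {
    if (typeof body[field] !== 'string') {
      throw new TypeError(field + ' must be a string');
    }
  }
  return { username: { $eq: body.username }, password: { $eq: body.password } };
}

// Constructed sample data (plaintext password only to keep the demo short).
const users = [{ id: '1', username: 'admin', password: 's3cret' }];
const findOne = (filter) => users.find((u) => matches(u, filter)) || null;

// Constructed request bodies, as a JSON body parser would deliver them.
const literalBody = { username: 'admin', password: 'xyz' };
const operatorBody = { username: 'admin', password: { $ne: 'xyz' } };

function demo() {
  const result = { naiveLiteral: findOne(naiveLoginFilter(literalBody)) };
  result.naiveOperator = findOne(naiveLoginFilter(operatorBody));
  result.safeLiteral = findOne(safeLoginFilter(literalBody));
  try { safeLoginFilter(operatorBody); result.safeOperator = 'accepted'; }
  catch (e) { result.safeOperator = e.message; }
  return result;
}
console.log(demo());
```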
