NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases, as well as web applications using NoSQL in order to disclose data from the database. It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool SQLmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases. The current project goals are to provide a penetration testing tool to simplify attacks on MongoDB servers and web applications as well as proof of concept attacks to debunk the premise that NoSQL applications are impervious to SQL injection.
- Automated MongoDB and CouchDB database enumeration and cloning attacks.
- Extraction of database names, users, and password hashes through MongoDB web applications.
- Scanning subnets or IP lists for MongoDB and CouchDB databases with default access and enumerating versions.
- Dictionary and brute force password cracking of recovered MongoDB and CouchDB hashes.
- PHP application parameter injection attacks against MongoClient to return all database records.
- More coming soon!
0.6 builds (Written entirely by wonderful contributors in the Github community, thanks so much!):
- Web app attacks-Added support for sending user supplied headers (thanks gpapakyriakopoulos)
- Web app attacks-Migrated all requests from urllib to urllib2 to support header input (thanks gpapakyriakopoulos)
- Bugfix-No URL parameter supplied with GET method would result in an AttributeError Exception (thanks gpapakyriakopoulos)
- Interface-Corrected spelling errors in output (thanks akash0x53)
- Setup-New installation process added which uses Python's setuptools instead of relying on BASH and successful dependency installs (thanks akash0x53)
- Code cleanup-Stripped off trailing whitespaces (thanks akash0x53)
v0.5 (MAJOR RELEASE):
- Web app attacks-Added $gt no value attack for PHP/ExpressJS applications. Thanks go to Petko D. Petkov for this one!
- Web app attacks-Corrected labeling to reflect associative array attacks affecting both PHP and ExpressJS.
- General-Phase III of code cleanup project; each NoSQL platform is now a free standing Python module that can be imported into other code.
- Scanner-Added support for CouchDB scanning and version recording.
- Net attacks-Added support for CouchDB network level and access attacks including database replication and password cracking.
- General-Added "Change Platform" to Main Menu to toggle between NoSQL platforms and automatically set the correct options.
- Bugfix: Fixed condition which caused net attack authentication not to work.
- Implemented better Python structure for startup and exception handling.
v0.4 (GIANT MAJOR RELEASE!):
- Web app attacks-Added HTTPS support
- Web app attacks-Added logic for detecting and reporting NoSQL errors returned by the web application to reduce false positives and provide additional insight into injection vectors.
- General-Phase II of code cleanup and organization project.
- MongoDB Scanner-The scanner now records the version of MongoDB detected on the server.
- MongoDB Scanner-Filtered MongoDB targets with non-default access model from results/target list.
- MongoDB Scanner-Set socket timeouts for massive speed improvements over previous versions.
- MongoDB Scanner-Added the ability to ping the host before trying to establish a MongoDB connection.
- MongoDB Scanner-Added option to save scanner results to a CSV file.
- Password Cracker-Added brute forcing for password cracking.
- Net Attacks-Changed attacks to menu-driven interface for direct access to the needed attack instead of having to go through yes/no menus for all attacks.
- Net Attacks-Added automated testing to check and see if the MongoDB server needs credentials and prompts if needed instead of asking the user to specify.
- Changed code for yes/no input handling.
- Fixed crash which occurred when the web application did not return an HTTP 200 response.
v0.3 (MAJOR RELEASE!):
- Added beta support for injection testing using POST requests.
- Added the ability to extract the database name, database usernames, and password hashes on a vulnerable web application on MongoDB <2.4.
- Added general MongoDB version detection from injection results (<2.4 or >2.4).
- Added the ability to target MongoDB servers running on a port other than the default of 27017.
- Added user input validation for legal IP addresses.
- Added toggle for verbose output or a default standard output.
- UI cleanup and enhancements.
- Added clean exit with CTRL+C.
- Bugfix: Resolved the inability to specify targets by hostname.
- Bugfix: Resolved crash trying to enumerate GridFS if the specified credentials can't enumerate databases.
- Bugfix: Resolved crash trying to steal databases if the specified credentials can't enumerate databases.
- Bugfix: Added graceful handling if no destination IP is set for database cloning.
- Consolidated results checking into one function for easier logic enhancements.
- Implemented first phase of a massive code cleanup.
- Added slick ASCII art banner :-)
v0.2 (MAJOR RELEASE!):
- Added integrated scanner of a subnet or IP list for default MongoDB access and ability to send targets directly to NoSQLMap.
- Added dictionary attacks on stored MongoDB password hashes contributed by Josh Tower.
- Added an installer shell script to automate dependency installation on Debian and Red Hat systems.
- Added enumeration of files stored inside GridFS.
- Added parsing of saved HTTP requests from Burp Suite to populate options.
- Added notification if a database was replicated, but text indexes could not be moved.
- Fixed some minor interface bugs and added UI improvements, such as headings for each module when they are executed.
- Miscellaneous code cleanup and bugfixes.
v0.15b-Added error handling for exceptions thrown when parsing URLs/parameters and options are set incorrectly.
v0.15a-Fixed critical issue that caused web app testing to crash in certain conditions; Fixed issue causing extra & to be added to the end of .this injection URLs.
v0.15-Added Mongo authentication support; Added collection name enumeration; added extraction of database users, roles, and password hashes; fixed bug with loading options file that caused attacker's local IP not to load.
- Added this not equals injection attack to return all database records.
- Added timing based attacks similar to traditional blind SQL injection.
- Output can now be saved to a file.
- Made small UI improvement to the URL parameter selection.
- Added ability to load and save attack options.
- Added ability to select injected random parameter format (i.e. alphanumeric, letters only, numbers only, email address)
- Fixed crash when web application doesn't respond to base request.
v0.09-Improved output; fixed bug with integer injection testing; added some code comments.
v0.08a-Fixed broken Metasploit exploit launching for Mongo targets.
v0.08-Several error handling corrections and general bugfixes; UI enhancements to the options menu.
v0.06-Initial public release.
- More platform support
- More complex attacks
- Better exploits
- Slicker code
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.
Varies based on features used:
- Metasploit Framework,
- Python with PyMongo,
- and urllib available.
- A local, default MongoDB instance for cloning databases to. Check here for installation instructions.
There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
sudo python setup.py install
NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:
1-Set options (do this first) 2-NoSQL DB Access Attacks 3-NoSQL Web App attacks 4-Scan for Anonymous MongoDB Access x-Exit
Explanation of options:
1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack. 2. Set web app port-TCP port for the web application if a web application is the target. 3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. /app/acct.php?acctid=102). 4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp. 5. Set my local Mongo/Shell IP-Set this option if attacking a MongoDB instance directly to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to. 6. Set shell listener port-If opening Meterpreter shells, specify the port. 7. Load options file-Load a previously saved set of settings for 1-6. 8. Load options from saved Burp request-Parse a request saved from Burp Suite and populate the web application options. 9. Save options file-Save settings 1-6 for future use. x. Back to main menu-Use this once the options are set to start your attacks.