mongo db eng
DESCRIPTION
My presentation about mongoDB vulns from ZeroNights'12. English version. My e-mail: [email protected] Programs: https://github.com/cyberpunkych/attacking_mongodb
TRANSCRIPT
![Page 1: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/1.jpg)
Attacking MongoDB
Firstov Mihail
![Page 2: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/2.jpg)
What is it?
MongoDB is an open-source document-oriented database system.
Features:
1. Ad hoc queries
2. Indexing
3. Replication
4. Load balancing
5. File storage
6. Aggregation
7. Server-side JavaScript execution
8. Capped collections
![Page 3: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/3.jpg)
Inside mongo source code
There are a lot of drivers for different programming languages:
C, C++, Java, JavaScript, .NET (C#, F#, PowerShell, etc.), Node.js, Perl, PHP, Python, Ruby, Scala
./mongo – official client in C++ and JS
./mongod – server in C++
![Page 4: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/4.jpg)
Who uses mongoDB
Some big companies that use mongoDB:
1. SAP
2. SourceForge (hosting for open source projects)
3. The New York Times
4. GitHub (social coding project)
5. Foursquare
6. Yandex
![Page 5: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/5.jpg)
WTF is RESTful?
A RESTful web service (also called a RESTful web API) is a web service implemented using HTTP and the principles of REST. It is a collection of resources, with four defined aspects
![Page 6: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/6.jpg)
How can I discover it?
mongod's HTTP status interface listens on the server port + 1000, so the default is 28017. The REST interface on that port is only active if the server was started with --rest; if it wasn't, you see this:
(Caveat: the HTTP and REST interfaces were deprecated in MongoDB 3.2 and removed in 3.6. On older versions the whole HTTP interface can be turned off with --nohttpinterface, and server-side JavaScript with --noscripting.)
![Page 7: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/7.jpg)
How can I discover it?
![Page 8: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/8.jpg)
What kind of vulns are there?
Execution of arbitrary server-side JavaScript (SSJS)
Stored XSS in the mongoDB log
Stored XSS in the queries journal
Cross-Site Request Forgery
Our SSJS code
![Page 9: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/9.jpg)
Attack
Actors in the diagram: Hacker, Hacker's server, Site with mongoDB driver support, Admin's browser, MongoDB started with --rest.
1) Send "<script>" with our JavaScript code
2) Inject our script into the REST interface
3) Our JS code executes in the admin's browser
4) Send an SSJS command to our script
5) Wait until the admin's browser polls our server for new commands (via JSONP)
6) Our command gets executed
7) Send the answer to our sniffer
8) Print the result of the executed command
![Page 17: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/17.jpg)
Video
![Page 18: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/18.jpg)
Where can we find it?
![Page 19: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/19.jpg)
Stable CRASH
There are several ways to DoS (crash) the server:
![Page 20: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/20.jpg)
Interesting features
ls(), cat() and other admin helper functions work only in the mongo console client: they are implemented on the client side, not on the server.
The nativeHelper function, which the shell's own helpers such as run() are built on, helps you with system commands:
MongoDB of this era stores its data files unencrypted, so with access to the dbpath you can read the data as text/plain by opening the db files with any text editor.
![Page 21: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/21.jpg)
Network interaction
Adding user:
Source Code:
Decrypted salt:
![Page 22: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/22.jpg)
Network interaction
Captured packets (without TLS the wire protocol is plaintext, so queries and results are readable as-is):
All your data are belong to us:
![Page 23: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/23.jpg)
Network interaction
Algorithm for sniffing and brute-forcing the password:
1. Sniff some packets with mongoDB data.
2. Look for the auth packet. Not found: exit.
3. Found: get key, nonce and login from this packet.
4. Read a string "passw" from the dictionary.
5. key2 = md5(nonce + user + md5(user + ":mongo:" + passw)), where both md5 values are lowercase hex digests.
6. key == key2? true: print user:passwd. false: go back to step 4.
![Page 24: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/24.jpg)
Network interaction
![Page 25: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/25.jpg)
Network interaction. MiTM attack
Actors in the diagram: admin (client), Hacker (in the middle), mongoDB.
1. Authorization query
2. Return a fixed nonce for which rainbow tables were generated in advance
3. Client sends us "key" and "login"
4. Brute-force the password using the pre-generated rainbow tables for this nonce
5. Successfully login
This works because in MONGODB-CR the nonce is the only per-session salt and it is chosen by whoever answers the getnonce request, so a man in the middle can force a nonce it has already built tables for. MONGODB-CR was superseded by SCRAM-SHA-1 in MongoDB 3.0 and removed in 4.0.
![Page 30: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/30.jpg)
WTF is BSON?
What is it?
BSON is a computer data interchange format used mainly as a data storage and network transfer format in the MongoDB database. The name "BSON" is based on the term JSON and stands for "Binary JSON".
Example?
Data types:
string, int, double, DateTime, byte[], bool, null, BsonObject, BsonObject[]
![Page 31: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/31.jpg)
Overwriting variables
A collection with 2 documents:
Our query to the database:
Injecting a BSON document and overwriting the "isadmin" value:
Testing:
![Page 32: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/32.jpg)
Reading memory
Exploit:
In action:
Length
![Page 33: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/33.jpg)
Reading memory
In action:
![Page 34: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/34.jpg)
Features of some programming languages
Ruby on Rails
nodejs
PHP
![Page 35: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/35.jpg)
Features of some programming languages
Ruby on Rails
![Page 36: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/36.jpg)
Features of some programming languages
Mass assignment in Ruby on Rails:
![Page 37: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/37.jpg)
Features of some programming languages
Mass assignment in Ruby on Rails:
![Page 38: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/38.jpg)
Features of some programming languages
NodeJS
![Page 39: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/39.jpg)
Features of some programming languages
JSON injection in NodeJS + MongoDB:
VULNERABLE SOURCE CODE:
RESULT QUERY:
SEND
Source: Хакер (Hacker magazine) 02/12 (157)
![Page 40: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/40.jpg)
Features of some programming languages
PHP
![Page 41: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/41.jpg)
Features of some programming languages
Types of vulnerabilities:
Authorization bypass via arrays in the PHP driver.
Injecting SSJS code.
Blind SSJS injection, time-based
![Page 42: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/42.jpg)
Features of some programming languages
As you know, PHP parses GPC (GET/POST/Cookie) parameters written with bracket syntax into arrays:
The official PHP driver's find() function takes such an array as the query document:
password[$ne]=parol1
![Page 43: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/43.jpg)
Features of some programming languages
And we get this query to the mongoDB collection:
With these techniques you can bypass authorization:
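The whole path from request to query, as an added example that is not part of the original talk or its tooling. It also covers the "Overwriting variables" and NodeJS JSON slides above, which are the insert-side version of the same mistake. `parsePhpStyleQuery()` is a constructed mimic of PHP's bracket syntax, `matches()` is a toy matcher for the two operators the slides use (there is no server here), and the `MEMBERS` collection is constructed. `buildLogin()` is the vulnerable pattern from the PHP slide, `buildLoginSafe()` the fix; `buildUserDoc()`/`buildUserDocSafe()` do the same for a client-supplied document that sets "isadmin". Node.js, no dependencies.

```javascript
// Added example: untrusted request data becoming a MongoDB query or document.
// Node.js, no dependencies. Parser, matcher and data are constructed for the demo.

// PHP-style parsing: a[b][c]=v -> { a: { b: { c: 'v' } } }. Constructed mimic,
// enough for the bracket syntax the attack relies on.
function parsePhpStyleQuery(qs) {
  const out = {};
  for (const part of qs.split('&')) {
    if (!part) continue;
    const [rawKey, rawVal = ''] = part.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
    if (!m) continue;
    const path = [m[1], ...[...m[2].matchAll(/\[([^\]]*)\]/g)].map((x) => x[1])];
    let cur = out;
    path.forEach((k, i) => {
      if (i === path.length - 1) cur[k] = val;
      else { if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {}; cur = cur[k]; }
    });
  }
  return out;
}

// Vulnerable: whatever PHP parsed goes straight into find(); a nested array
// turns into a query operator such as $ne.
function buildLogin(params) {
  return { login: params.login, password: params.password };
}

// Hardened: fields that must be equality matches only accept scalar strings.
// Operators can only appear as objects, so rejecting non-strings removes all of them.
function buildLoginSafe(params) {
  for (const f of ['login', 'password']) {
    if (typeof params[f] !== 'string') throw new TypeError(`${f} must be a string`);
  }
  return { login: params.login, password: params.password };
}

// Toy matcher for {field: value} and {field: {$ne: v}} / {field: {$gt: v}}.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, v]) => {
        if (op === '$ne') return doc[field] !== v;
        if (op === '$gt') return doc[field] > v;
        throw new Error('unsupported operator ' + op);
      });
    }
    return doc[field] === cond;
  });
}

// Insert side: merging the client's document over server defaults lets the
// client set "isadmin" (the BSON "Overwriting variables" slide, Rails mass assignment).
function buildUserDoc(body) {
  return Object.assign({ isadmin: false }, body);
}
// Hardened: whitelist the fields a client may supply; everything else is ignored.
function buildUserDocSafe(body) {
  const doc = { isadmin: false };
  for (const f of ['login', 'pass']) if (typeof body[f] === 'string') doc[f] = body[f];
  return doc;
}

// Constructed sample collection, like the slides' "members".
const MEMBERS = [
  { id: 1, login: 'admin', password: 'S3cret!', isadmin: true },
  { id: 2, login: 'bob', password: 'parol1', isadmin: false },
];

const injected = parsePhpStyleQuery('login=admin&password[$ne]=parol1');
console.log(JSON.stringify(buildLogin(injected)));
console.log('matched without password:', MEMBERS.filter((d) => matches(d, buildLogin(injected))).length);
console.log('client-set isadmin:', buildUserDoc({ login: 'eve', pass: 'x', isadmin: true }).isadmin);
```

The same `$ne`/`$gt` trick applies to any framework that builds nested objects out of request parameters (Rails params, Node body parsers on JSON input); the fix is always to decide the type of each field server-side before it reaches the driver.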
![Page 44: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/44.jpg)
Features of some programming languages
Injecting into SSJS.
For example, we have this vulnerable code, where the login and password go from the request straight into the JavaScript source text:
$q = "function() { var loginn = '$login'; var passs = '$pass'; db.members.insert({id : 2, login : loginn, pass : passs}); }";
$db->execute($q);
We can see our login, id and pass in the answer.
Trying to inject into the SSJS query:
As you can see, we overwrite the "login" value with the db.version() value.
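The slide's injection run end to end, as an added example that is not part of the original talk or its tooling. mongod's JavaScript engine is stood in for by `new Function` with a fake `db` object (constructed for the demo, answering `db.version()` with a made-up version string); `buildVulnerable()` reproduces the PHP string-building above in JavaScript, and `buildSafe()` shows the fix: keep the function text constant and pass the values in as data. The payload is the slide's, `' + db.version() + '`, which closes the string literal and splices in an expression. Node.js, no dependencies.

```javascript
// Added example: SSJS injection through string-built code, with a stand-in for
// the server's JavaScript engine. Node.js, no dependencies.

// Fake server-side environment: just enough of `db` for the slide's function.
function makeFakeDb() {
  const inserted = [];
  return {
    inserted,
    version: () => '2.2.0', // constructed version string
    members: { insert: (doc) => { inserted.push(doc); } },
  };
}

// Stand-in for $db->execute($q): evaluate the code string with `db` in scope.
function execute(db, code) {
  return new Function('db', `return (${code})();`)(db);
}

// Vulnerable builder, same shape as the PHP on the slide: untrusted values are
// spliced into the source text, so a quote in the input ends the literal.
function buildVulnerable(login, pass) {
  return `function() { var loginn = '${login}'; var passs = '${pass}'; ` +
         `db.members.insert({id : 2, login : loginn, pass : passs}); }`;
}

// Hardened builder: the function text is constant; the values travel as one
// JSON string literal that is parsed inside the engine, never as source code.
// (The real driver's execute() also takes an args array; same principle.)
function buildSafe(login, pass) {
  const args = JSON.stringify({ login, pass });
  return `function() { var a = JSON.parse(${JSON.stringify(args)}); ` +
         `db.members.insert({id : 2, login : a.login, pass : a.pass}); }`;
}

// Run one builder against a fresh fake db and return what got inserted.
function runDemo(builder, login, pass) {
  const db = makeFakeDb();
  execute(db, builder(login, pass));
  return db.inserted[0];
}

const PAYLOAD = "' + db.version() + '"; // the slide's injection
console.log('vulnerable:', runDemo(buildVulnerable, PAYLOAD, 'x')); // login becomes "2.2.0"
console.log('safe      :', runDemo(buildSafe, PAYLOAD, 'x'));       // login stays the literal payload
```

Escaping quotes in the input is not a substitute for the safe builder: the attacker controls the whole tail of the string, and the engine will happily run any expression that follows the closing quote.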
![Page 45: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/45.jpg)
Features of some programming languages
Sometimes we can't see the answer from our SSJS code.
For these situations we can use the time-based technique:
A special script was written for this task.
![Page 46: Mongo db eng](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6bd134a7959457f8b4601/html5/thumbnails/46.jpg)
NoSQL-injection Cheat Sheet
db.getName() – get the current DB name
db.members.count() – get the number of documents in the collection
db.members.validate({ full : true }) – get ALL information about this collection
db.members.stats() – get information about this collection
db.members.remove() – remove all documents from the current collection (destructive)
db.members.find().skip(0).limit(1) – get documents from the DB one at a time (change only the number in skip())
db.getMongo().getDBNames().toString() – get the list of all DBs
db.members.find()[0]['pass'] – get the "pass" value of the first document in the current collection