This document discusses attacking MongoDB databases. It begins by describing what MongoDB is and some of its key features. It then discusses how to discover MongoDB instances using default ports and REST interfaces. Several types of vulnerabilities in MongoDB are listed, including execution of arbitrary JavaScript code and cross-site request forgery. The document demonstrates how to inject JavaScript into a site's REST interface to execute code in an administrator's browser and gain access. It provides an overview of how MongoDB is used by major companies and programming language drivers. Network interactions for authentication brute forcing and man-in-the-middle attacks are depicted. The document concludes with discussions of BSON data format, overwriting variables, reading memory, and features in languages like Ruby on Rails

1. Attacking MongoDB
Firstov Mihail

2. What is it?
MongoDB — is an open source document-oriented database system.
Features :
1. Ad hoc queries.
2. Indexing
3. Replication
4. Load balancing
5. File storage
6. Aggregation
7. Server-side JavaScript execution
8. Capped collections

3. Inside mongo source code
./mongod — Server in C++
./mongo – official client in
C++ and JS
There are a lot of drivers for different
program languages:
C
C++
Java
Javascript
.NET (C# F#, PowerShell,
etc)
Node.js
Perl
PHP
Python
Ruby
Scala

4. Who use mongoDB
List of some big companies that use mongoDB:
1. SAP
2. SourceForge (hosting for open source projects)
3. The New York Times
4. GitHub (social coding project)
5. Foursquare
6. Yandex

5. WTF is RESTful?
A RESTful web service (also called a RESTful web
API) is a web service implemented using HTTP and
the principles of REST. It is a collection of
resources, with four defined aspects

6. How I can discover it?
Default port is «28017».
If server was started without “—rest”, you can see this:

7. How I can discover it?

8. What kind of vulns are there?
 Execution of arbitrary code server JS
 Stored XSS in mongoDB log
 Stored XSS in queries journal
 Cross Site Request Forgery
Our SSJS code

9. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
Admin’s browser
Hacker’s
Server
MongoDB
--REST

10. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
Admin’s browser
2) Inject our script in
REST interface
Hacker’s
Server
MongoDB
--REST

11. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
Admin’s browser
2) Inject our script in
REST interface
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

12. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
4) Send SSJS
command to Admin’s browser
our script
2) Inject our script in
REST interface
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

13. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
4) Send SSJS
command to Admin’s browser
our script
2) Inject our script in
REST interface
5) Wait until admin’s browser check
our server for the new commands
(via JSONP)
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

14. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
4) Send SSJS
command to Admin’s browser
our script
2) Inject our script in
REST interface 6) Our command gets executed
5) Wait until admin’s browser check
our server for the new commands
(via JSONP)
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

15. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
4) Send SSJS
command to Admin’s browser
our script 7) Send answer to our sniffer
2) Inject our script in
REST interface 6) Our command gets executed
5) Wait until admin’s browser check
our server for the new commands
(via JSONP)
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

16. Attack
1) Send “<script>” with our javascript code
Site with
mongoDB
driver support
Hacker
4) Send SSJS
command to 8) Print result Admin’s browser
our script of executed 7) Send answer to our sniffer
command
2) Inject our script in
REST interface 6) Our command gets executed
5) Wait until admin’s browser check
our server for the new commands
(via JSONP)
Hacker’s
Server 3) Exec our js-code in
MongoDB admin’s browser
--REST

17. Video

18. Where we can find it?

19. Stable CRASH
There are a lot of concepts of DoS attacks:

20. Interesting features
 Ls, cat and other admin functions work only with mongoDb console client.
 NativeHelper function helps you with system commands:
 You can get data in text/plain by reading db-files of mongoDB with any text editor.

21. Network interaction
Adding user:
Decrypted salt:
Source Code:

22. Network interaction
Captured packets:
All your data are belong to us:

23. Network interaction
Algorithm for sniff and brute force password :
Sniff some packets Read string
with mongoDB data from
dictionary
key2 = md5(nonce + user +
md5(user + ":mongo:" + passw)),
where “passw” is string from dict
Get key, nonce, login
from this packet
Look for auth key == key2 print user:passwd
packet
false
true
found
Exit
Not found

24. Сетевое взаимодействие

25. Network interaction. MiTM attack
1. Authorization
query
mongoDB
admin
Hacker

26. Network interaction. MiTM attack
1. Authorization
query
mongoDB
admin 2. Return special nonce
using which rainbow
tables were generated
Hacker

27. Network interaction. MiTM attack
1. Authorization
query
mongoDB
admin 2. Return special nonce
using which rainbow
tables were generated
Hacker
3. Client sends to us
“key” and “login”

28. Network interaction. MiTM attack
4. Brute Force
1. Authorization
password using
query
pre-generated mongoDB
rainbow tables for
this nonce
admin 2. Return special nonce
using which rainbow
tables were generated
Hacker
3. Client sends to us
“key” and “login”

29. Network interaction. MiTM attack
4. Brute Force
1. Authorization
password using
query
pre-generated mongoDB
rainbow tables for
this nonce
admin 2. Return special nonce
using which rainbow
tables were generated
5. Successfully login
Hacker
3. Client sends to us
“key” and “login”

30. WTF is BSON?
What is it? Data types:
BSON is a computer data string
interchange format used mainly as int
a data storage and network double
transfer format in the MongoDB DateTime
database. The name "BSON" is byte[]
based on the term JSON and bool
stands for "Binary JSON". null
BsonObject
BsonObject[]
Example?

31. Overwriting variables
Some table with 2 documents:
Our query to database:
Injecting BSON document, and overwriting “isadmin” value:
Testing:

32. Reading memory
Exploit:
Length
In action:

33. Reading memory
In action:

34. Features of some programming languages
Ruby on Rails
nodejs
PHP

35. Features of some programming languages
Ruby on Rails

36. Features of some programming languages
Mass assignment in Ruby on Rails:

37. Features of some programming languages
Mass assignment in Ruby on Rails:

38. Features of some programming languages
NodeJS

39. Features of some programming languages
JSON injection в NodeJS + MongoDB:
SEND
SEND
VULNERABLE SOURCE CODE:
VULNERABLE SOURCE CODE:
RESULT QUERY:
RESULT QUERY:
Хакер 02/12 (157)

40. Features of some programming languages
PHP

41. Features of some programming languages
Types of vulnerabilities:
Bypass authorization via Array in php driver.
Injecting SSJS code.
Blind SSJS injecting, Time-based

42. Features of some programming languages
As you know, php processes data from GPC as Array:
password[$ne]=parol1
There is find() function in the official driver for php:

43. Features of some programming languages
And we got this query to mongoDB collection:
With these techniques you can bypass authorization:

44. Features of some programming languages
Injecting in SSJS.
For example, we have this vulnerable code:
$q = “function() { var loginn = ‘$login’; var passs = ‘$pass’; db.members.insert({id : 2,
login : loginn, pass : passs}); }”;
$db->execute($q);
/
We can see our login, id and pass in answer
Trying to inject in SSJS query:
As you can see, we rewrite “login” value by db.version() value

45. Features of some programming languages
Sometimes we can’t see answer from our SSJS code.
For this situations we can use Time-Based technique:
A special script was written for this task.

46. NoSQL-injection Cheat Sheet
 db.getName() – Get current DB name
 db.members.count() – Get number of documents in the collection
 db.members.validate({ full : true}) – Get ALL information about this
collection
 db.members.stats() – Get information about this collection
 db.members.remove() – remove all documents from current collection
 db.members.find().skip(0).limit(1) – Get documents from DB (Change only
number in skip() function)
 db.getMongo().getDBNames().toString() – Get the list of all DBs
 db.members.find()[0][‘pass’] – Get “pass” value from current collection

47. Thanks!
Firstov Mikhail
mfirstov@ptsecurity.ru