Beyonddennis

A world of information

Nosqlmap

July 14, 2025

NoSQLMap: A Comprehensive Guide to NoSQL Database Exploitation

Authored and Researched by Beyonddennis

In the ever-evolving landscape of data management, NoSQL databases have emerged as a powerful alternative to traditional relational databases, offering flexibility, scalability, and performance for modern applications, especially those dealing with big data and real-time operations. Databases like MongoDB, CouchDB, Redis, and Cassandra have become commonplace. However, this rise in popularity has also brought a critical need to scrutinize their security posture. Just as SQL databases face the threat of SQL injection, NoSQL databases are susceptible to their own unique set of vulnerabilities, primarily NoSQL injection and misconfigurations. This is precisely where a formidable tool like NoSQLMap becomes indispensable.

NoSQLMap is an open-source Python tool built to audit for and automate injection attacks, and to exploit default configuration weaknesses, in NoSQL databases and the web applications that use them. It is widely considered the "NoSQL variant of SQLMap," a testament to its comprehensive capabilities in the realm of NoSQL security. The primary objective of NoSQLMap is to facilitate the disclosure or cloning of data from vulnerable NoSQL databases, making it an essential asset for security professionals, penetration testers, and ethical hackers seeking to identify and remediate security flaws.

Understanding NoSQL Databases and Injection

NoSQL, often interpreted as "Not only SQL" or "non-relational," refers to database architectures that store and retrieve data in models other than the tabular relations of relational databases. These can include document-oriented, key-value, graph, and column-family stores, each offering distinct advantages for different use cases. While NoSQL databases boast benefits like enhanced scalability and performance, their distinct query languages and lack of rigid schemas can introduce new security challenges.

NoSQL injection, similar in principle to SQL injection, occurs when an attacker can manipulate input parameters to inject malicious code or commands into the queries sent to a NoSQL database. Unlike SQL, which has a standardized language, NoSQL databases often have their own unique query syntaxes (e.g., JavaScript for MongoDB, JSON for CouchDB). This diversity means that NoSQL injection vulnerabilities require a different approach to detection and exploitation. Without proper input validation and sanitization, an attacker can bypass authentication, read or modify sensitive data, execute arbitrary code, or even gain full control over the database. Historical data breaches involving unsecured MongoDB and other NoSQL databases underscore the critical importance of NoSQL security.
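An added example (not from the original post or the NoSQLMap project): the login-form case in Python, showing how an unchecked request value reaches MongoDB as a query operator and how an allow-list of fields, strict string typing and an explicit `$eq` keep it a literal. The function names and the sample inputs are assumptions constructed for illustration.

```python
from collections.abc import Mapping

# Constructed sample inputs: what a web framework hands the handler after
# parsing a JSON body or bracketed form fields.
BENIGN = {"email": "test@test.test", "password": "qwerty"}
OPERATOR_INPUT = {"email": "test@test.test", "password": {"$ne": ""}}


def vulnerable_filter(params):
    """Anti-pattern: request values are copied into the query unchecked, so a
    nested object is interpreted by MongoDB as a query operator."""
    return {"email": params.get("email"), "password": params.get("password")}


def operator_paths(value, path=""):
    """Return the path of every key that starts with '$' or contains '.',
    walking nested dicts and lists. Useful for logging rejected requests."""
    hits = []
    if isinstance(value, Mapping):
        for key, child in value.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).startswith("$") or "." in str(key):
                hits.append(here)
            hits.extend(operator_paths(child, here))
    elif isinstance(value, (list, tuple)):
        for i, child in enumerate(value):
            hits.extend(operator_paths(child, f"{path}[{i}]"))
    return hits


def safe_login_filter(params, fields=("email", "password"), max_len=256):
    """Hardened form: allow-list the fields, require plain bounded strings,
    and pin each comparison to $eq so the value can only ever be a literal.
    (A production handler would look the user up by email only and verify a
    password hash in application code.)"""
    query = {}
    for name in fields:
        value = params.get(name)
        if not isinstance(value, str) or not 0 < len(value) <= max_len:
            raise ValueError(f"{name}: expected a non-empty string")
        query[name] = {"$eq": value}
    return query
```

`operator_paths` is meant for the logging side: recording which field carried an operator gives the detection team a signal even when the request is rejected.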

Key Features of NoSQLMap

NoSQLMap is packed with a comprehensive set of features designed to facilitate the auditing and exploitation of NoSQL databases. These capabilities make it a versatile tool for various security assessment scenarios.

  • Automated Database Enumeration and Cloning: The tool can automatically discover and map the structure of MongoDB and CouchDB databases, including database names, collections (tables), and user accounts. It also has the ability to clone entire databases.
  • Injection Attacks: NoSQLMap supports various NoSQL injection techniques, including boolean-based, error-based, and time-based attacks, to validate vulnerabilities even when direct feedback from the application is limited. It can perform PHP application parameter injection attacks against MongoClient to return all database records.
  • Credential Extraction and Cracking: It can extract database names, users, and password hashes from MongoDB web applications, offering capabilities for dictionary and brute-force password cracking against recovered MongoDB and CouchDB hashes.
  • Network Scanning: NoSQLMap can scan subnets or IP lists to identify open MongoDB or CouchDB servers, particularly those with default or anonymous access, and enumerate their versions.
  • Code Injection: The tool supports JavaScript function variable escaping and arbitrary code injection to retrieve all database records.
  • Metasploit Integration: For older MongoDB versions (2.2.3 or earlier), NoSQLMap includes support for Metasploit exploits, enabling remote code execution in specific scenarios.
  • Custom Payloads: While it comes with predefined payloads, users can also create and utilize custom payloads for more targeted attacks using the --eval option.
  • Reporting: NoSQLMap generates reports detailing discovered vulnerabilities, including the type of injection, affected parameters, and the payloads used for exploitation.
  • Interactive CLI: The tool offers an easy-to-use command-line interface for running checks and setting various options.

Currently, NoSQLMap primarily focuses on MongoDB and CouchDB. Support for other NoSQL platforms, such as Redis and Cassandra, is planned for future releases.

Installation Guide

Installing NoSQLMap is a straightforward process, primarily involving cloning its GitHub repository and running a setup script. As with many penetration testing tools, it is recommended to run NoSQLMap in a controlled environment, such as a virtual machine with Kali Linux, which often comes with many necessary dependencies pre-installed.

Prerequisites:

  • Python (with PyMongo, httplib2, and urllib modules).
  • Metasploit Framework (optional, for specific exploits).
  • A local, default MongoDB instance (optional, for cloning databases).

Installation Steps:

  1. Clone the Repository: Open your terminal and use the git clone command to download the NoSQLMap repository from GitHub.

    git clone https://github.com/codingo/NoSQLMap.git

  2. Navigate to the Directory: Change your current directory to the newly cloned NoSQLMap folder.

    cd NoSQLMap

  3. Run Setup Script: For Debian or Red Hat-based systems, you can run the provided setup.sh script as root to automate the installation of dependencies.

    sudo bash setup.sh

    Alternatively, if the setup script encounters issues or you prefer manual installation, ensure you have Python and the required libraries (PyMongo, httplib2, urllib) installed.

  4. Verify Installation: You can launch the tool to verify a successful installation.

    python nosqlmap.py

    This should launch the NoSQLMap interactive command-line interface.

For those using Docker, NoSQLMap can also be built as a Docker image for a containerized environment.

Practical Usage and Commands

NoSQLMap operates primarily through its interactive command-line interface, providing a structured way to select targets, choose attack methods, and configure various options.

Basic Workflow:

  1. Launch NoSQLMap:

    python nosqlmap.py

    This will open the main menu of the tool.

  2. Set Target Options: From the main menu, you'll typically start by setting options for your target. This includes the target host or IP, web application port, and path.

    1

    (Select option 1 for setting target options)

    set targetHost 127.0.0.1
    set webPort 80
    set uri /login
    set httpMethod POST
    set postData email,test@test.test,password,qwerty
    set injectedParameter 1

    (These are examples for a login form scenario)

  3. View Options: To check the options you've set, use the show options command.

    show options

  4. Select Attack Type: Once target options are configured, you can return to the main menu and select the type of attack you wish to perform. Common attack types include:

    • Get Server Version and Platform
    • Enumerate Databases/Collections/Users
    • Check for GridFS
    • Clone a Database
    • Launch Metasploit exploit for MongoDB

    2

    (Select option 2 to list access attacks)

    1

    (For example, to get server version and platform)

  5. Execute Attack: After selecting your options and attack type, you can initiate the attack.

    run

Direct Command-Line Execution:

You can also execute NoSQLMap directly from the command line with arguments for specific tasks without entering the interactive shell.

    python nosqlmap.py -u <target_url>

To specify the database type and port, for instance, a MongoDB database on port 27017:

    python nosqlmap.py -u <target_url> -d mongodb -p 27017

For a boolean-based injection technique:

    python nosqlmap.py -u <target_url> -t boolean-based

To save the output results to a file:

    python nosqlmap.py -u <target_url> -o <output_file>

NoSQLMap will display the results in the terminal, providing details about successful injections, vulnerable parameters, and retrieved data.

Ethical Considerations and Responsible Use

As with any powerful penetration testing tool, NoSQLMap should be used responsibly and ethically. Knowledge is power, and this power comes with significant responsibility. This tool is designed for security professionals, researchers, and developers to assess and improve the security posture of systems.

  • Legal Authorization: Always ensure you have explicit written permission from the owner of any system or network before conducting tests with NoSQLMap. Unauthorized access or testing is illegal and can lead to severe penalties.
  • Controlled Environments: It is highly recommended to use NoSQLMap in controlled lab environments or on systems specifically designated for security testing. This prevents accidental damage or disruption to production systems. The NoSQLMap repository even includes an intentionally vulnerable web application for testing purposes.
  • Data Privacy: When dealing with real-world data, adhere strictly to data privacy regulations and ethical guidelines. Avoid exposing or compromising sensitive information during testing.
  • Mitigation: The ultimate goal of using NoSQLMap is to identify vulnerabilities so they can be fixed. After identifying issues, prioritize and implement appropriate security controls, such as robust input validation, least privilege access, and secure configuration practices.

Conclusion

NoSQLMap represents a critical tool in the arsenal of cybersecurity professionals tasked with securing NoSQL databases. It automates complex injection attacks and aids in identifying configuration weaknesses, significantly increasing efficiency in vulnerability assessments. Its capabilities in enumerating, cloning, and extracting data from NoSQL databases, particularly MongoDB and CouchDB, highlight the importance of diligent security practices for these increasingly prevalent data storage solutions. By leveraging NoSQLMap responsibly, organizations and security researchers, like Beyonddennis, can proactively identify and mitigate risks, thereby safeguarding sensitive data and strengthening the overall security of web applications that rely on NoSQL technologies. The ongoing development and community support for NoSQLMap ensure its continued relevance in the dynamic landscape of database security.
