Mongo db eng

4,872 views

Published on

My presentation about mongoDB vulns from ZeroNights'12. English Version.

My E-mail: mfirstov@ptsecurity.ru
Programs: https://github.com/cyberpunkych/attacking_mongodb

Published in: Technology
1 Comment
  • very useful presentation ... thank you
Transcript

  • 1. Attacking MongoDB Firstov Mihail
  • 2. What is it? MongoDB is an open source document-oriented database system. Features: 1. Ad hoc queries 2. Indexing 3. Replication 4. Load balancing 5. File storage 6. Aggregation 7. Server-side JavaScript execution 8. Capped collections
  • 3. Inside mongo source code: ./mongod is the server, written in C++; ./mongo is the official client, written in C++ and JS. There are a lot of drivers for different programming languages: C, C++, Java, JavaScript, .NET (C#, F#, PowerShell, etc.), Node.js, Perl, PHP, Python, Ruby, Scala
  • 4. Who uses mongoDB? List of some big companies that use mongoDB: 1. SAP 2. SourceForge (hosting for open source projects) 3. The New York Times 4. GitHub (social coding project) 5. Foursquare 6. Yandex
  • 5. WTF is RESTful? A RESTful web service (also called a RESTful web API) is a web service implemented using HTTP and the principles of REST. It is a collection of resources, with four defined aspects
  • 6. How can I discover it? The default port is 28017. If the server was started without "--rest", you can see this:
  • 7. How can I discover it?
  • 8. What kind of vulns are there? Execution of arbitrary server-side JS code. Stored XSS in the mongoDB log. Stored XSS in the queries journal. Cross Site Request Forgery. (Diagram label: our SSJS code)
  • 9–16. Attack (diagram built up one step per slide; actors: Hacker, site with mongoDB driver support, MongoDB started with --rest, admin's browser, Hacker's server): 1) Send "<script>" with our javascript code. 2) Inject our script in the REST interface. 3) Exec our js-code in the MongoDB admin's browser. 4) Send SSJS command to our script. 5) Wait until the admin's browser checks our server for new commands (via JSONP). 6) Our command gets executed. 7) Send the answer to our sniffer. 8) Print the result of the executed command.
  • 17. Video
  • 18. Where we can find it?
  • 19. Stable CRASH. There are a lot of concepts of DoS attacks:
  • 20. Interesting features: Ls, cat and other admin functions work only with the mongoDB console client. The NativeHelper function helps you with system commands. You can get data in text/plain by reading the db-files of mongoDB with any text editor.
  • 21. Network interaction. Adding user: Decrypted salt: Source code:
  • 22. Network interaction. Captured packets: All your data are belong to us:
  • 23. Network interaction. Algorithm for sniffing and brute-forcing the password (flowchart): sniff some packets; get key, nonce and login from a packet; read a string "passw" from the dictionary; compute key2 = md5(nonce + user + md5(user + ":mongo:" + passw)); if the captured auth key == key2, print user:passwd and exit (found); otherwise take the next string from the dictionary (not found).
  • 24. Network interaction
  • 25–29. Network interaction. MiTM attack (diagram built up one step per slide; actors: mongoDB admin, Hacker): 1. Authorization query. 2. Return a special nonce for which rainbow tables were generated. 3. Client sends us "key" and "login". 4. Brute-force the password using pre-generated rainbow tables for this nonce. 5. Successful login.
  • 30. WTF is BSON? What is it? BSON is a computer data interchange format used mainly as a data storage and network transfer format in the MongoDB database. The name "BSON" is based on the term JSON and stands for "Binary JSON". Data types: string, int, double, DateTime, byte[], bool, null, BsonObject, BsonObject[]. Example?
  • 31. Overwriting variables. Some table with 2 documents: Our query to the database: Injecting a BSON document and overwriting the "isadmin" value: Testing:
  • 32. Reading memory. Exploit: (Length) In action:
  • 33. Reading memory. In action:
  • 34. Features of some programming languages Ruby on Rails nodejs PHP
  • 35. Features of some programming languages Ruby on Rails
  • 36. Features of some programming languagesMass assignment in Ruby on Rails:
  • 37. Features of some programming languagesMass assignment in Ruby on Rails:
  • 38. Features of some programming languages NodeJS
  • 39. Features of some programming languages. JSON injection in NodeJS + MongoDB (two examples, each shown as SEND, VULNERABLE SOURCE CODE and RESULT QUERY panels; reference: Хакер 02/12 (157))
  • 40. Features of some programming languages PHP
  • 41. Features of some programming languages. Types of vulnerabilities: Bypass of authorization via Array in the PHP driver. Injecting SSJS code. Blind SSJS injection, time-based.
  • 42. Features of some programming languages. As you know, PHP processes data from GPC as an Array: password[$ne]=parol1. There is a find() function in the official driver for PHP:
  • 43. Features of some programming languages. And we get this query to the mongoDB collection: With this technique you can bypass authorization:
  • 44. Features of some programming languages. Injecting in SSJS. For example, we have this vulnerable code: $q = "function() { var loginn = '$login'; var passs = '$pass'; db.members.insert({id : 2, login : loginn, pass : passs}); }"; $db->execute($q); We can see our login, id and pass in the answer. Trying to inject in the SSJS query: As you can see, we overwrite the "login" value with the db.version() value.
  • 45. Features of some programming languages. Sometimes we can't see the answer from our SSJS code. For these situations we can use the time-based technique: A special script was written for this task.
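The `$ne` operator bypass described on slides 39 (NodeJS JSON body) and 42–43 (PHP's array parsing of password[$ne]=...) as an added example; this is not code from the talk or from any MongoDB driver. It uses a small in-memory stand-in for find() that understands only equality and $ne, so it runs without MongoDB, and places the vulnerable login check next to a hardened one.

```javascript
// Added example, not code from the talk or from any MongoDB driver.
// A tiny in-memory stand-in for find() that understands only equality and $ne,
// enough to show why passing request fields straight into a filter is unsafe.
const users = [{ login: "admin", pass: "s3cret" }]; // constructed sample data

function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object" && "$ne" in cond) {
      return doc[field] !== cond.$ne; // operator object: $ne semantics
    }
    return doc[field] === cond; // plain value: equality
  });
}

function findOne(filter) {
  return users.find((doc) => matchesFilter(doc, filter)) || null;
}

// Vulnerable pattern from the slides: whatever the client sent becomes the filter.
// A JSON body {"login":"admin","pass":{"$ne":""}} (or PHP's parsing of
// pass[$ne]= into an array) turns the password check into "pass != ''".
function loginVulnerable(body) {
  return findOne({ login: body.login, pass: body.pass }) !== null;
}

// Hardened: only plain strings may reach the query, so operator objects and
// arrays are rejected before a filter is built.
function requireString(value, name) {
  if (typeof value !== "string") {
    const kind = Array.isArray(value) ? "array" : typeof value;
    throw new TypeError(`${name} must be a string, got ${kind}`);
  }
  return value;
}

function loginHardened(body) {
  const login = requireString(body.login, "login");
  const pass = requireString(body.pass, "pass");
  return findOne({ login, pass }) !== null;
}

// Constructed inputs: an honest login and the $ne bypass from the slides.
const honestBody = { login: "admin", pass: "s3cret" };
const injectedBody = { login: "admin", pass: { $ne: "" } };

console.log("vulnerable, injected:", loginVulnerable(injectedBody)); // true: bypass
console.log("hardened, honest:", loginHardened(honestBody)); // true
try {
  loginHardened(injectedBody);
} catch (e) {
  console.log("hardened, injected:", e.message); // rejected before querying
}
```

The same check belongs in front of every field that is copied from a request into a filter, not only the password; a type check at the boundary is what the driver does not do for you.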
  • 46. NoSQL-injection Cheat Sheet:
    db.getName() – Get current DB name
    db.members.count() – Get number of documents in the collection
    db.members.validate({ full : true }) – Get ALL information about this collection
    db.members.stats() – Get information about this collection
    db.members.remove() – Remove all documents from the current collection
    db.members.find().skip(0).limit(1) – Get documents from the DB (change only the number in the skip() function)
    db.getMongo().getDBNames().toString() – Get the list of all DBs
    db.members.find()[0]['pass'] – Get the "pass" value from the current collection
  • 47. Thanks! Firstov Mikhail mfirstov@ptsecurity.ru