NoSQL database enumeration and exploitation with NoSQLMap
Like sqlmap, but for non-relational databases!
NoSQLMap is a tool designed to audit for, and automate, injection attacks and to exploit default configuration weaknesses in NoSQL databases and in web applications that use NoSQL, in order to disclose data from the database.
Currently the tool’s exploits are focused on MongoDB and CouchDB, but additional support for other NoSQL platforms such as Redis and Cassandra is planned in future releases.
Its concepts are based on, and extend, Ming Chow’s presentation at Defcon 21, “Abusing NoSQL Databases”:
Simply call the setup.py script:
python setup.py install
If run with root privileges, setup.py tries (on Debian- and RedHat-based systems) to automate the installation of these dependencies:
- Metasploit Framework
- Python with PyMongo
- A local, default MongoDB instance
How does it work?
Here is a short demo video of NoSQLMap being used to exploit the default security model on a MongoDB server:
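As an added example, and not code from NoSQLMap or from this page, the following Python shows the class of web-application injection the tool audits for against MongoDB-backed applications, beside the input validation that closes it. Everything in it is constructed: the login filter builders, the request bodies and the `UnsafeFilterError` name are assumptions, and no database connection is made; the block only builds the filter document a request handler would hand to PyMongo, which is where the defect lives.

```python
import json


class UnsafeFilterError(ValueError):
    """Raised (hypothetical name) when request data would alter query semantics."""


def build_login_filter_vulnerable(body: str) -> dict:
    """Vulnerable pattern: client-supplied JSON values are copied into the filter verbatim.

    MongoDB treats a dict value whose keys start with '$' as a query operator,
    so a field meant to hold a literal password becomes a comparison the
    client controls.  This function exists only to show the defect.
    """
    data = json.loads(body)
    return {"username": data.get("username"), "password": data.get("password")}


def contains_operator(value) -> bool:
    """Return True if any dict key anywhere inside `value` starts with '$'."""
    if isinstance(value, dict):
        return any(
            (isinstance(k, str) and k.startswith("$")) or contains_operator(v)
            for k, v in value.items()
        )
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_login_filter_hardened(body: str) -> dict:
    """Hardened pattern: enforce scalar types and refuse operator-shaped input."""
    data = json.loads(body)
    username = data.get("username")
    password = data.get("password")
    # The schema for these fields is "string"; anything else is not a login attempt.
    if not isinstance(username, str) or not isinstance(password, str):
        raise UnsafeFilterError("username and password must be strings")
    # Defence in depth: also reject '$'-prefixed keys anywhere in the body.
    if contains_operator(data):
        raise UnsafeFilterError("query operators are not permitted in request data")
    return {"username": username, "password": password}


def triage(body: str) -> str:
    """Classify a request body for logging: 'ok', 'rejected' or 'malformed'."""
    try:
        build_login_filter_hardened(body)
        return "ok"
    except UnsafeFilterError:
        return "rejected"
    except (json.JSONDecodeError, AttributeError):
        # AttributeError covers a top-level JSON value that is not an object.
        return "malformed"


# Constructed request bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign": '{"username": "alice", "password": "correct horse"}',
    "operator_in_password": '{"username": "alice", "password": {"$ne": ""}}',
    "nested_operator": '{"username": {"$in": ["alice", "bob"]}, "password": "x"}',
    "not_an_object": '["alice", "x"]',
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:22s} -> {triage(body)}")
```

The type check on its own already closes the hole for these two fields; `contains_operator` is kept as a second layer so that a future field that legitimately accepts objects is still screened for operator keys. The `triage` result is the value worth writing to the application log, since a steady stream of `rejected` bodies from one client is exactly the signal a scanner such as NoSQLMap produces.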