🤣
CybersecurityNote
  • Foreword
  • References.md
    • References
    • attackdefense
    • Domain Environment
    • HTB
    • Red Team Range
    • tryhackme
    • vulnhub
  • Security Certificates
    • CISSP
    • CRTO
      • Exam experience sharing
    • OSCP
      • Exam experience sharing
  • Security Testing
    • Lateral Movement
      • AS-REP Roasting Attack
      • Kerberoasting Attack
  • Security Vulnerability
    • application Vulnerability
    • Linux Privilege Escalation Vulnerability
    • Linux Vulnerability
    • unauthorized vulnerability
      • ActiveMQ Unauthorized Access Vulnerability
      • Apache Flink Unauthorized Access Vulnerability
      • Atlassian Crowd Unauthorized Access Vulnerability
      • CouchDB Unauthorized Access Vulnerability
      • Docker Unauthorized Access Vulnerability
      • Dubbo Unauthorized Access Vulnerability
      • Jenkins Unauthorized Access Vulnerability
      • Jupyter Notebook Unauthorized Access Vulnerability
      • MongoDB Unauthorized Access Vulnerability
      • RabbitMQ Unauthorized Access Vulnerability
      • Spring Cloud Gateway Server Unauthorized Access Vulnerability
      • SpringBoot Actuator Unauthorized Access Vulnerability
      • Unauthorized Access to Kubernetes API Server
      • Unauthorized Access Vulnerability in Clickhouse
      • Unauthorized Access Vulnerability in Druid Monitoring Page
      • Unauthorized Access Vulnerability in Hadoop YARN Resourcemanager
      • Unauthorized Access Vulnerability in Hadoop Yarn RPC
      • Unauthorized Access Vulnerability in InfluxDB API
      • Unauthorized Access Vulnerability in JBoss
      • Unauthorized Access Vulnerability in Kafka Manager
      • Unauthorized Access Vulnerability in Kibana
      • Unauthorized Access Vulnerability in Kong
      • Unauthorized Access Vulnerability in LDAP
      • Unauthorized Access Vulnerability in Memcached
      • Unauthorized Access Vulnerability in NFS
      • Unauthorized Access Vulnerability in Redis
      • Unauthorized Access Vulnerability in Rsync
      • Unauthorized Access Vulnerability in Spark
      • Unauthorized Access Vulnerability in VNC Server
      • Unauthorized Access Vulnerability in Weblogic
      • Unauthorized Access Vulnerability in ZooKeeper
      • Zabbix Unauthorized Access Vulnerability
    • Windows Privilege Escalation Vulnerability
    • Windows Vulnerability
Powered by GitBook
On this page
  • Vulnerability Description
  • Environment Setup
  • Vulnerability Reproduction
  • Execution with CLI
  • Execution with MSF
  • Repair Suggestions
  1. Security Vulnerability
  2. unauthorized vulnerability

MongoDB Unauthorized Access Vulnerability

Vulnerability Description

When starting the MongoDB service without adding any parameters, it defaults to having no authentication. The logged in user can perform any operation on the database (high risk operations such as adding, deleting, and modifying) without a password via the default port, and can also remotely access the database.

Environment Setup

Download the MongoDB image from Docker

docker run  -it  -p  27017:27017 mongo

Vulnerability Reproduction

Execution with CLI

┌──(root💀kali)-[~]
└─# mongo 192.168.32.131
MongoDB shell version v5.3.1
connecting to: mongodb://192.168.32.131:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c7ddf3c3-2fbc-4b5a-b9a4-91dfce9703a2") }
MongoDB server version: 5.0.8
WARNING: shell and server versions do not match

> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB

Execution with MSF

msf6 > use auxiliary/scanner/mongodb/mongodb_login
msf6 auxiliary(scanner/mongodb/mongodb_login) > set rhosts 192.168.32.131
rhosts => 192.168.32.131
msf6 auxiliary(scanner/mongodb/mongodb_login) > run

[*] 192.168.32.131:27017 - Scanning IP: 192.168.32.131
[+] 192.168.32.131:27017 - Mongo server 192.168.32.131 doesn't use authentication
[*] 192.168.32.131:27017 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Repair Suggestions

(1). Create a New Admin Account to Enable MongoDB Authorization Create a new terminal [parameters can be omitted by default, only add if there are custom parameters, similarly below] mongod --port 27017 --dbpath /data/db1

In another terminal, run the following commands:

  use admin

  db.createUser(
    {
      user: "adminUser",
      pwd: "adminPass",
      roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
    }
  )

The administrator has been created successfully and now has the administrator user adminUser with the password adminPass

(2). Local Access

bind 127.0.0.1

(3). Modify the Default Port Change the default MongoDB port (default: TCP 27017) to another port

(4). Disable the HTTP and REST Ports MongoDB has its own HTTP service and supports REST interfaces. These interfaces are turned off by default in version 2.6 and later. MongoDB defaults to listening for web services on the default port, and remote management through the web is generally not needed, so it is recommended to disable it. Modify the configuration file or choose the -nohttpinterface parameter when starting nohttpinterface = false

(5). Enable Log Audit Functionality The audit function can be used to record all related operations on the database by the user. These records can allow the system administrator to analyze what happened to the database at what time when necessary.

(6). Enable Auth Authentication

/etc/mongodb.conf  
auth = true
PreviousJupyter Notebook Unauthorized Access VulnerabilityNextRabbitMQ Unauthorized Access Vulnerability

Last updated 2 years ago

image-20220519143515018