Mongomap is a penetration-testing tool inspired by SQLMap, made specifically for MongoDB Injection on web applications.
Why make this when nosqlmap is a thing?
That other project seems to be centred on detecting the presence of NoSQL injection rather than actually exploiting the vulnerability. It also has a wide range of targets, including open DB ports. MongoMap, however, primarily aims to exploit MongoDB injection to retrieve data from web applications.
Because I initially made it for a CTF challenge.
However, I am open to supporting more DB backends and making my code more efficient; I'd just need some time to actually get down to doing it.
As of now, Mongomap has 2 dependencies: requests and colorama.
You can use the package manager pip to install these libraries.
pip install requests
pip install colorama
As an additional note, Mongomap is written for Python 3.
This command displays MongoMap's various arguments and syntax:
python3 mongomap.py
╔═╗╔═╗╔═══╗╔═╗─╔╗╔═══╗╔═══╗╔═╗╔═╗╔═══╗╔═══╗
║║╚╝║║║╔═╗║║║╚╗║║║╔═╗║║╔═╗║║║╚╝║║║╔═╗║║╔═╗║
║╔╗╔╗║║║─║║║╔╗╚╝║║║─╚╝║║─║║║╔╗╔╗║║║─║║║╚═╝║
║║║║║║║║─║║║║╚╗║║║║╔═╗║║─║║║║║║║║║╚═╝║║╔══╝
║║║║║║║╚═╝║║║─║║║║╚╩═║║╚═╝║║║║║║║║╔═╗║║║───
╚╝╚╝╚╝╚═══╝╚╝─╚═╝╚═══╝╚═══╝╚╝╚╝╚╝╚╝─╚╝╚╝───
By Hex_27
[*] Usage: mongomap -u [url] ...
-u Refers to the URL of the target. Includes port and get parameters if you are using get requests.
--method Set to either "post" or "get". By default, this will be set to "get"
--data If you are using post requests, use this option to specify post data
--file Same as --data, but you specify a file containing the parameters instead.
[*] --Flexibility--
--cookies Set cookies to send. Separate different cookies with &
--headers Specifies a header to send. Separate different headers with ;
--maxbrute Default value is 100. This is the maximum number of bruteforce attempts the program will try. Set to 0 for limitless.
--maxthreads Default value is 50. This is the maximum number of concurrent threads the program will spawn.
--csrftoken Specify the csrftoken to be checked for. You must modify code for this option to work.
--ignorecheck Ignore a certain check. Set these when false positives are found. Can be set to the following.
text --- Ignore website content comparisons. Useful for combatting CSRF.
status --- Ignore status code comparison
url --- Ignore redirect URL comparison
-t Specify some technique IDs to use.
[*] --Post-Detection--
--dump Attempts to retrieve as much information as possible via detected injection methods. If no other post-detection options are used, dump will be used by default.
[*] --Help and Documentation--
-h --help Shows this help page. Use with -t to display documentation regarding the specified techniques
-ts --techniques Display all techniques.
[*] --Examples--
[*] mongomap -u http://challenger.com?sad=22
[*] mongomap -u http://localhost:2222?search=1 -t 324
[*] mongomap -u http://localhost:2222?search=1 -t w
[*] mongomap -u http://192.168.1.321 --method post --data "username=hi&password=letmein"
[*] mongomap -u https://target.com:1231?foo=1 --cookies "PHPSESSID=1242345234512345&ID=123"
[*] mongomap -u http://10.10.10.123 --method post --data search=1 --headers "Host: administrator1.friendzone.red; User-Agent: imlazytotypethis"
[*] mongomap -u http://152.104.10.55:20001/v1/account/login --method json --data {\"username\":\"admin\",\"password\":\"1\"}
[*] mongomap -u http://175.104.10.55:20001/v1/account/login --method json --data {\"username\":{\"$ne\":\"1\"},\"password\":\"1\"}
[*] mongomap -u http://112.104.10.55:20001/v1/account/login --method json --file params.txt
Because the tool is dumb and I can't think of a good way to implement an automatic solution for this.
If you have multiple parameters, technique 1 (Regex injection) for extracting plaintext data won't work properly automatically.
So, just give it a little help and do things manually, step by step. Let's say you have a username and a password, and you want to extract both usernames and passwords.
Step 1: get the usernames.
mongomap -u http://noobsite.com/api/login --method json --data {\"username\":\"1\",\"password\":{\"$ne\":\"1\"}} -p username
This should force mongomap to dump out all usernames it can extract.
Step 2: find the password for each username.
mongomap -u http://noobsite.com/api/login --method json --data {\"username\":\"admin\",\"password\":\"1\"} -p password
Let's say one of the dumped usernames from Step 1 is "admin". Set that as the username, then force the vulnerable parameter to be password.
Now, mongomap will attempt to dump the password of admin.
Yay. It works. Kinda.
You can check the full description of each technique I've written to perform MongoDB Injection with this command:
python3 mongomap.py -h -t aw
It contains most of my documentation for those techniques. The basic payloads involved are: passing in PHP arrays (instead of username=a, it sends username[$ne]=a, so a poorly sanitised MongoDB backend will receive a different request), and injecting WHERE requests by passing JavaScript with single- or double-quote escapes. There's a payload for a simple where check, as well as one for injecting into JavaScript functions.
The tool attempts to detect differences in page contents or status code in order to determine whether an injection succeeded. However, the difference-detection mechanism is still fairly skimpy and prone to false positives, and can definitely be polished further.
Additionally, as a new feature, mongomap now works with JSON data types for techniques 0 and 1, the not-equals injection and the regex injection.
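As an added example (my own code, not part of Mongomap), the Python below shows why both request shapes described above reach the backend as operator objects and what a backend should check: parse_php_style decodes username[$ne]=a the way PHP's $_GET/$_POST do, find_operators flags every $-prefixed key in a decoded body (the JSON form included), and sanitize_credentials is the hardened login check that only accepts plain strings. All function names are assumptions and the inputs are constructed samples.

```python
import re
from urllib.parse import parse_qsl

# One level of PHP-style brackets, e.g. "username[$ne]" -> ("username", "$ne").
_BRACKET = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def parse_php_style(query):
    """Decode a query/POST string the way PHP's $_GET/$_POST do:
    "a=b" -> {"a": "b"}, but "a[x]=b" -> {"a": {"x": "b"}}.
    One bracket level is enough to reproduce the array payload above."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = _BRACKET.match(key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def find_operators(value, path=""):
    """Return dotted paths of every '$'-prefixed key in a decoded body.
    Works on both the PHP-array form and the JSON form of a request."""
    hits = []
    if isinstance(value, dict):
        for k, v in value.items():
            sub = f"{path}.{k}" if path else str(k)
            if isinstance(k, str) and k.startswith("$"):
                hits.append(sub)
            hits.extend(find_operators(v, sub))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            hits.extend(find_operators(v, f"{path}[{i}]"))
    return hits


def sanitize_credentials(body):
    """Hardened login check (assumed handler): each credential must be a plain
    string, so a dict such as {"$ne": "1"} never reaches the MongoDB query."""
    clean = {}
    for field in ("username", "password"):
        v = body.get(field)
        if not isinstance(v, str):
            raise ValueError(f"{field} must be a string, got {type(v).__name__}")
        clean[field] = v
    return clean


if __name__ == "__main__":
    # Constructed samples mirroring the two request shapes described above.
    form = parse_php_style("username[$ne]=a&password[$ne]=a")
    json_body = {"username": {"$ne": "1"}, "password": "1"}
    print(find_operators(form), find_operators(json_body))
```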
Pull requests are welcome, though I may take a while to respond. For major changes, please open an issue first to discuss what you would like to change. This is one of my first public Python projects, and there is definitely a lot I can improve on in this code. Do leave some tips for me if you find that I've missed something.