Accessing Unauthenticated MongoDB Database Using Shodan
Hello everyone, today I am going to write about how to access an open MongoDB database using a Shodan query. I found that there are very few resources to guide beginners into getting started and understanding how the infrastructure works. The existing resources only give a gist of the topic and are neither sufficient nor up to date. So, without wasting any time, let's get started.
~First, it is important to clear up some basics before proceeding further and behaving like a script kiddie. In short, MongoDB is a cross-platform, document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with schema. MongoDB is developed by MongoDB Inc. and licensed under the Server Side Public License (SSPL). https://www.mongodb.com/what-is-mongodb
~Why should we use MongoDB? Of course, your choice of database is always a decision based on pros and cons.
Pros
- Document oriented.
- High performance.
- High availability — Replication.
- High scalability — Sharding.
- Dynamic — No rigid schema.
- Flexible — field addition/deletion have less or no impact on the application.
- Heterogeneous Data.
- No Joins.
- Distributed.
- Data Representation in JSON or BSON.
- Geospatial support.
- Easy Integration with BigData Hadoop.
- Document-based query language that’s nearly as powerful as SQL.
- Cloud distributions such as AWS, Microsoft, RedHat, dotCloud and SoftLayer, etc. In fact, MongoDB is built for the cloud. Its native scale-out architecture, enabled by sharding, aligns well with the horizontal scaling and agility afforded by cloud computing.
Cons
- A downside of NoSQL is that most solutions are not as strongly ACID-compliant (Atomicity, Consistency, Isolation, Durability) as the more well-established RDBMS systems.
- Complex transactions.
- No functions or stored procedures exist where you can bind the logic.
~List of default ports for the MongoDB database (we will be working with them, so it's important to know them):
- 27017
- 27018
- 27019
Now we can begin our open-database hunting using Shodan queries. Open https://www.shodan.io/ in your web browser.
Go to the search bar located at the top left corner of the page and search for this query: "MongoDB Server Information" port:27017 -authentication
After typing the above Shodan query you will be greeted with a page showing the database IP address, banner, size of the database, the databases inside the server, etc., as shown in the above picture. Now it is important to understand what the above Shodan query does. "MongoDB Server Information" port:27017 -authentication retrieves, from Shodan's database, MongoDB servers (also known as databases) running on port number 27017; the leading minus on -authentication excludes results whose banner mentions authentication, so what remains are servers that do not report it. Scroll around the results and search for other databases. Remember: Shodan displays only the first 2 pages of results for basic account users.
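The servers that show up under that query are, from the defender's side, the product of two mongod settings: listening on a public interface and not enabling authorization. The following is an added example, not code from the original post, that audits a mongod.conf for exactly those settings on the default ports listed above. Both config samples are constructed for illustration; the parser handles only the flat "section:/key: value" subset of YAML that these keys use.

```python
"""Audit a mongod.conf for the two settings that turn a MongoDB instance into
an unauthenticated, internet-reachable database. Added example; the two
config samples below are constructed, not taken from any real host."""

# Constructed sample: the kind of config behind an unauthenticated Shodan hit.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: same server, bound to loopback with authorization enabled.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

# The default ports from the list above.
MONGO_DEFAULT_PORTS = {27017, 27018, 27019}


def parse_conf(text):
    """Minimal parser for the two-level 'section:\\n  key: value' YAML subset
    that mongod.conf uses. Returns {section: {key: value}}. Assumes no lists
    or deeper nesting, which holds for the keys audited here."""
    conf, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        value = value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        else:
            conf.setdefault(section, {})[key] = value
    return conf


def audit(text):
    """Return a list of human-readable findings; an empty list means the two
    exposure conditions are absent."""
    conf = parse_conf(text)
    findings = []
    net = conf.get('net', {})
    # mongod 3.6 and later bind to localhost unless told otherwise.
    bind = net.get('bindIp', '127.0.0.1')
    wildcard = any(a.strip() in ('0.0.0.0', '::') for a in bind.split(','))
    if wildcard or net.get('bindIpAll') == 'true':
        findings.append('listens on all interfaces (net.bindIp)')
    port = int(net.get('port', 27017))
    if port in MONGO_DEFAULT_PORTS and findings:
        findings.append(f'default port {port} makes the exposure trivially searchable')
    if conf.get('security', {}).get('authorization') != 'enabled':
        findings.append('security.authorization not enabled: any client can list and dump databases')
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(conf) or 'no findings')
```

Running the script prints three findings for the weak config and none for the hardened one. The check on the port only fires when the server is already reachable, since a non-default port does nothing on its own once the instance is public; the fix that matters is authorization plus a bindIp restricted to the interfaces that actually need it.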
~Now moving on to another search query, a deadly one. Use the Shodan query: "Set-Cookie: mongo-express=" "200 OK"
and you will be greeted with results like those seen below.
Now let us understand what this Shodan search query did. "Set-Cookie: mongo-express=" "200 OK" retrieves mongo-express database front ends from Shodan that answer with HTTP status code 200, the "OK" code (request successful). Hence it gives open databases in the search results. Going a bit off-topic, have a look here for a better understanding of HTTP status codes: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#2xx_Success
~A few resources that tell why this hack is so dangerous →
~CLI tool for doing a similar task:
https://www.kitploit.com/2019/01/leaklooker-find-open-databases-with.html