Python
  • Blog
  • Contact
    • Overview
    Issues 0

    NoSQLAttack is an open source Python tool to automate exploit MongoDB server IP on Internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks.

    youngyangyang04 youngyangyang04 Last update: Mar 18, 2024

    中文说明

    NoSQLAttack

    Introduction

    NoSQLAttack is an open source Python tool to automate expose MongoDB server IP on the internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks. Presently, this project focuses on MongoDB.

    Some attack tests are based on and extensions of follow papers

    There are two systems for testing NoSQL injection in this project-NoSQLInjectionAttackDemo.

    Background

    NoSQL injection attacks, for example php array injection, javascript injection and mongo shell injection, endanger mongoDB. There are thousands of mongoDB are exposed on the internet, and hacker can download data from exposed mongoDB.

    Requirements

    On a Debian or Red Hat based system, NoSQLAttack's dependencies already be writen in setup.py. This project is built on Pycharm COMMUNITY 2016.1 with python 2.7.10.

    Varies based on features used:

    • Shodan-1.5.3
    • httplib2-0.9
    • Python-2.7
    • pymongo-2.7.2
    • requests-2.5.0
    • ipcalc-1.1.3
    • MongoDB

    Building

    On Linux, it goes something like this:

    cd NoSQLAttack
python setup.py install

    Tips

    • If after entering "python setup.py install", terminal show error information "No module named setuptools", just install setuptools. On Ubuntu, "sudo apt-get install python-setuptools", this command is useful
    • Install MongoDB for MongoDB default configuration attack.

    Usage

    After building, you can run NoSQLAttack like this:

    NoSQLAttack

    Upon starting NoSQLAttack you are presented with the main menu:

    ================================================
        _   _       _____  _____ _                      
       | \ | |     /  ___||  _  | |                     
       |  \| | ___ \ `--. | | | | |                   
       | . ` |/ _ \ `--. \| | | | |                    
       | |\  | (_) /\__/ /\ \/' / |____          
       \_| \_/\___/\____/  \_/\_\_____/                  
                                        _          
    /\      _      _                   | |  _        
   /  \   _| |_  _| |    _____    ___  | | / /       
  / /\ \ |_   _||_   _| / __  \  / __| | |/ /        
 / /--\ \  | |_   | |_  | |_| | | |__  | |\ \       
/ / -- \ \ \___\  \___\ \______\ \___| | | \_\      
================================================    
NoSQLAttack-v0.2
[email protected]


1-Scan attacked IP
2-Configurate parameters
3-MongoDB Access Attacks
4-Injection Attacks
x-Exit

    videos

    NoSQLAttack Demo for MongoDB.

    (1)default configuration Attacks demo (2)injection attacks demo

    NoSQLAttack MongoDB default configuration Attacks demo NoSQLAttack MongoDB default configuration Attacks demo

    Tags:

    Owner

    youngyangyang04

    youngyangyang04
    GitHub Repository https://github.com/youngyangyang04
    🤖 Template for telegram bot using postgres, pgbouncer, redis, docker, amplitude, prometheus, grafana, CI

    start services make migrations start the necessary services (at least the database and redis) start telegram bot start admin panel make migrations to launch the bot you only need a token bot, datab…

    donBarbos
    147 Apr 25, 2024
    Data science and Machine Learning GUI programs/ desktop apps with PySimpleGUI package

    You will also need, etc. to run the demo codes. Here is the code to program this app, Although this is a very simple code, it features, We can essentially follow the same path and add more layers of …

    tirthajyoti
    165 Apr 24, 2024
    ML-capsule is a Project for beginners and experienced data science Enthusiasts who don't have a mentor or guidance and wish to learn Machine learning. Using our repo they can learn ML, DL, and many related technologies with different real-world projects and become Interview ready.

    Extraction is a general term for methods of constructing combinations of the variables to get around these problems while still describing the data with sufficient accuracy Data visualization is the …

    Niketkumardheeryan
    229 Mar 31, 2024
    The easiest way to use Machine Learning. Mix and match underlying ML libraries and data set sources. Generate new datasets or modify existing ones with ease.

    As we all know the Machine Learning space has a lot of tools and libraries for creating pipelines to train, test & deploy models, and dealing with these many different APIs can be cumbersome. Our…

    intel
    240 Apr 02, 2024
    Text analytics for LLM apps. PostHog for prompts. Extract evaluations, intents and events from text messages. phospho leverages LLM (OpenAI, MistralAI, Ollama, etc.)

    Phospho is the text analytics platform for LLM apps. Detect issues and extract insights from text messages of your users or your app. Gather user feedback and measure success. Iterate on your app to …

    phospho-app
    244 Apr 25, 2024
    a flask profiler which watches endpoint calls and tries to make some analysis.

    It gives answers to these questions: In short, if you are curious about what your endpoints are doing and what requests they are receiving, give a try to flask-profiler. With flask-profiler's web int…

    muatik
    747 Apr 12, 2024
    Analytics services for Django projects

    Using an analytics service with a Django project means adding Javascript tracking code to the project templates. Of course, every service has its own specific installation instructions. Furthermore, …

    jazzband
    1.18K Apr 24, 2024
    A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber

    This documentation is intended as a reference for app and workflow developers as well as project contributors and operators. Here you will find walkthroughs, tutorials and other useful information ab…

    nsacyber
    1.19K Apr 24, 2024
    Apache Superset is a Data Visualization and Data Exploration Platform

    A modern, enterprise-ready business intelligence web application. Superset is a modern data exploration and data visualization platform. Superset can replace or augment proprietary business intellige…

    apache
    58.8K Apr 25, 2024
    Beginner-friendly collection of Python notebooks for various use cases of machine learning, deep learning, and analytics. For each notebook there is a separate tutorial on the relataly.com blog.

    Collection of Python notebooks for various machine learning, deep learning and analytics use cases Welcome to the GitHub tutorial directory of the relataly.com blog on business use cases with python …

    flo7up
    140 Apr 11, 2024

    Subscribe to our newsletter