[NOSQLMap] NoSQLMap - Automated NoSQL Database pwnage
NoSQLMap is an open source Python tool designed to audit for, as well as automate, injection attacks and exploit default configuration weaknesses in NoSQL databases and in web applications using NoSQL, in order to disclose data from the database. It is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool sqlmap, and its concepts are based on and extend Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused on MongoDB, but additional support for other NoSQL platforms such as CouchDB, Redis, and Cassandra is planned for future releases; right now the goal is to provide a proof of concept tool to debunk the premise that NoSQL is impervious to SQL injection attacks.
Features
- Automated MongoDB database enumeration and cloning attacks.
- PHP application parameter injection attacks against MongoClient to return all database records.
- Javascript function variable escaping and arbitrary code injection to return all database records.
- Timing-based attacks, similar to blind SQL injection, to validate JavaScript injection vulnerabilities when the application gives no feedback.
- More coming soon!
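The PHP parameter injection and JavaScript injection features above rely on two application-side mistakes: passing a structured request value (for example a `password[$ne]=1` parameter, which PHP decodes into an array) straight into a MongoDB filter, and building `$where` JavaScript from user input. The following is an added example, not NoSQLMap's own code, showing how an application can recognise and refuse those shapes before a query reaches the driver. The `parse_php_style_params` helper is a constructed imitation of PHP's nested-array parameter parsing (Python's `parse_qs` does not do this), the sample query strings are constructed, and the login handler is hypothetical.

```python
"""Defensive checks against MongoDB operator and $where injection.
Added example; not part of NoSQLMap."""
from typing import Any
from urllib.parse import parse_qs


class UnsafeQueryValue(ValueError):
    """Raised when a request value would change the meaning of a MongoDB filter."""


def parse_php_style_params(query_string: str) -> dict:
    """Constructed imitation of PHP's parsing of `key[sub]=v` into a nested array.

    This is what turns `password[$ne]=1` into {"password": {"$ne": "1"}} in a
    PHP application, which is the shape the parameter injection attack relies on.
    """
    result: dict = {}
    for raw_key, values in parse_qs(query_string, keep_blank_values=True).items():
        value = values[-1]  # PHP keeps the last repeated value
        if "[" in raw_key and raw_key.endswith("]"):
            base, _, inner = raw_key.partition("[")
            result.setdefault(base, {})[inner[:-1]] = value
        else:
            result[raw_key] = value
    return result


def reject_operators(obj: Any, path: str = "") -> None:
    """Walk decoded request data and refuse any key MongoDB would interpret
    as an operator ('$gt', '$ne', '$where', ...) or as a field path ('a.b')."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.startswith("$") or "." in key:
                raise UnsafeQueryValue(f"{path}{key}: operator or dotted key not allowed")
            reject_operators(value, f"{path}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            reject_operators(value, f"{path}[{index}].")


def assert_scalar(value: Any, name: str) -> None:
    """A field the application expects as a string must not arrive as a dict or list."""
    if value is None or isinstance(value, (dict, list)):
        raise UnsafeQueryValue(f"{name}: expected a scalar, got {type(value).__name__}")


def build_login_filter(params: dict) -> dict:
    """Hypothetical login handler: coerce both fields to str so the filter can only
    ever be an equality match, never an operator expression."""
    assert_scalar(params.get("username"), "username")
    assert_scalar(params.get("password"), "password")
    return {"username": str(params["username"]), "password": str(params["password"])}


def check_login_request(query_string: str) -> tuple:
    """Parse a request the way PHP would and report whether a safe filter results.
    Returns (ok, reason)."""
    params = parse_php_style_params(query_string)
    try:
        reject_operators(params)
        build_login_filter(params)
    except UnsafeQueryValue as exc:
        return False, str(exc)
    return True, "ok"


# Operators that execute JavaScript on the server; any filter containing one is
# the surface the JavaScript-injection and timing-based checks above exercise.
SERVER_SIDE_JS_OPERATORS = {"$where", "$function", "$accumulator"}


def uses_server_side_js(mongo_filter: Any) -> bool:
    """True if a filter built anywhere in the application would run server-side
    JavaScript; useful as a guard or a code-review lint before the query is sent."""
    if isinstance(mongo_filter, dict):
        return any(key in SERVER_SIDE_JS_OPERATORS or uses_server_side_js(value)
                   for key, value in mongo_filter.items())
    if isinstance(mongo_filter, list):
        return any(uses_server_side_js(value) for value in mongo_filter)
    return False


if __name__ == "__main__":
    # Constructed sample requests: a normal login and an operator-injected one.
    for qs in ("username=alice&password=s3cret", "username=alice&password[$ne]=1"):
        print(qs, "->", check_login_request(qs))
    print(uses_server_side_js({"$where": "this.username == 'alice'"}))
```

The two layers are deliberate: `reject_operators` catches the `$`-prefixed and dotted keys that carry operator meaning, while `assert_scalar` in the handler catches any structured value at all, so a parameter such as `password[x]=1` that contains no operator is still refused rather than silently coerced. `uses_server_side_js` is a separate check for the `$where` class of queries; the safer fix there is to not build server-side JavaScript from request data in the first place.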
Reviewed by Zion3R on 1:53 PM