
MongoDB unauthorized access

2014-12-22 07:10

MongoDB does not require auth to be configured by default, and the unauthorized access problem this causes is worrying.
The year before last I wrote a MongoDB unauthorized-access scanner and found a number of enterprise MongoDB instances open to unauthorized access (testing showed that these included some game companies), but the numbers were not yet serious.
Recently the MongoDB problem has been getting worse: last week, probing 10,812 domestic IPs turned up nearly 4,000 that allowed unauthorized access.


Vulnerability verification method:
Using mongo-java-driver-2.12.4.jar

MongoClient client = new MongoClient(host, port);   // no credentials supplied: the driver connects unauthenticated

or:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;

// Sends a raw OP_QUERY for {listDatabases: 1} against admin.$cmd. A server running without auth answers
// with the list of database names, which always includes "local"; a server requiring auth returns an
// error document instead. timeout is the connect and read timeout in milliseconds.
private boolean loginTest(String host, int timeout) {
    try (Socket socket = new Socket()) {
        // Pre-built wire message: header (length 63, opcode 2004 = OP_QUERY), "admin.$cmd",
        // numberToSkip 0, numberToReturn 1, BSON document {listDatabases: 1}
        byte[] b = new byte[]{0x3f,0x00,0x00,0x00,(byte) 0x97,0x75,(byte) 0xbc,0x60,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xd4,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x61,0x64,0x6d,0x69,0x6e,0x2e,0x24,0x63,0x6d,0x64,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x10,0x6c,0x69,0x73,0x74,0x44,0x61,0x74,0x61,0x62,0x61,0x73,0x65,0x73,0x00,0x01,0x00,0x00,0x00,0x00};
        socket.connect(new InetSocketAddress(host, 27017), timeout);   // 27017 is the default mongod port
        socket.setSoTimeout(timeout);
        OutputStream out = socket.getOutputStream();
        out.write(b);
        out.flush();
        socket.shutdownOutput();
        // The reply is binary BSON, but the database names inside it are plain ASCII,
        // so reading it as text and searching for "local" is sufficient for this check.
        BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        StringBuilder sb = new StringBuilder();
        String str;
        while ((str = br.readLine()) != null) {
            sb.append(str);
        }
        return sb.toString().contains("local");
    } catch (Exception e) {
        return false;   // connection refused or timed out: the port is not reachable, report it as closed
    }
}
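To make clear what the byte array in loginTest() actually sends, here is an added decoder (example code written for this page, not from the original post or the driver): it parses the legacy OP_QUERY framing and the flat BSON command document, and doubles as a detection helper for spotting the listDatabases probe in captured traffic. The PROBE constant is a constructed copy of the bytes above; the function names are this example's own.

```python
import struct

# Constructed copy of the 63-byte request that the Java loginTest() above writes to port 27017.
PROBE = bytes([
    0x3f, 0x00, 0x00, 0x00, 0x97, 0x75, 0xbc, 0x60, 0xff, 0xff, 0xff, 0xff, 0xd4, 0x07, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x2e, 0x24, 0x63, 0x6d, 0x64, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x6c, 0x69,
    0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00,
])

def parse_flat_bson(doc: bytes) -> dict:
    """Decode a flat BSON document whose elements are all int32 (type 0x10), as in the command above."""
    size = struct.unpack_from("<i", doc, 0)[0]
    if size > len(doc) or doc[size - 1] != 0:
        raise ValueError("malformed BSON document")
    out, pos = {}, 4
    while doc[pos] != 0:                      # a 0x00 byte ends the element list
        etype, pos = doc[pos], pos + 1
        key_end = doc.index(b"\x00", pos)     # element name is a C string
        key, pos = doc[pos:key_end].decode("utf-8"), key_end + 1
        if etype != 0x10:
            raise ValueError(f"unsupported BSON element type 0x{etype:02x}")
        out[key] = struct.unpack_from("<i", doc, pos)[0]
        pos += 4
    return out

def parse_op_query(msg: bytes) -> dict:
    """Split a legacy OP_QUERY message into header fields, target collection and command document."""
    length, request_id, response_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if length != len(msg) or op_code != 2004:  # 2004 is the OP_QUERY opcode
        raise ValueError("not a complete OP_QUERY message")
    flags = struct.unpack_from("<i", msg, 16)[0]
    name_end = msg.index(b"\x00", 20)         # fullCollectionName is a C string
    collection = msg[20:name_end].decode("ascii")
    skip, limit = struct.unpack_from("<ii", msg, name_end + 1)
    query = parse_flat_bson(msg[name_end + 9:])
    return {"request_id": request_id, "response_to": response_to, "flags": flags,
            "collection": collection, "skip": skip, "limit": limit, "query": query}

def is_listdatabases_probe(msg: bytes) -> bool:
    """Detection helper: True when a captured request is the listDatabases command sent to admin.$cmd."""
    try:
        q = parse_op_query(msg)
    except (ValueError, struct.error, IndexError):
        return False
    return q["collection"] == "admin.$cmd" and q["query"].get("listDatabases") == 1
```

On a server with auth enabled the same request yields an error document rather than the database list, which is why the Java check looks for "local" in the reply.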

There also appears to be a "Global MongoDB unauthorized access probing report" from the FF0000 (Evil Red) team that likewise shows how serious the problem is:
Mongodb unauthorized access vulnerability global probing report

[+] Author: f1,2,4
[+] Team: FF0000 TEAM <http://www.ff0000.cc>
[+] From: HackerSoul <http://www.hackersoul.com>
[+] Create: 2014-12-10
Introduction 
Domain list 
Proof of Concept 
Scan results 
IP location 
Evil hackers


Source: javaweb.org/?p=1637
