
NoSQL Exploitation Framework – Tool of the Month


NoSQL Exploitation Framework – A Tool for Script Kiddies to Learn NoSQL Injection

NoSQL, which stands for Not Only SQL, is a common term for non-relational databases. Popular NoSQL databases include MongoDB and CouchDB, along with Redis, Cassandra and others. They have become increasingly popular because of their benefits in particular use cases, especially big data and real-time web workloads where performance, scalability and flexibility are key.
NoSQL databases are vulnerable to injection attacks just as relational databases are. Here is an example in which an attacker retrieves the admin user's record without knowing the password. The MongoDB equivalent of the classic SQL login lookup (match a row by username and password) is:
db.accounts.find({username: username, password: password});
Although no query language is being concatenated here, an attacker can still achieve the same result as SQL injection when the application passes a parsed JSON input object straight into the query. The attacker submits:
{
    "username": "admin",
    "password": {"$gt": ""}
}
In MongoDB, $gt selects the documents where the value of the field is greater than (i.e. >) the specified value. The statement above therefore compares the stored password with the empty string, and since any non-empty string is greater than "", the condition is true for the admin document and find() returns it.
The same result can be achieved with other comparison operators such as $ne (not equal to ""), which also matches any account that has a password set.
NoSQL Exploitation Framework – This is a Python framework for scanning and exploiting vulnerabilities in NoSQL databases, which allows users to take over the victim's database.
Author: Francis Alexander
URL: https://github.com/torque59/nosql-exploitation-framework
Platforms: Linux and Windows
Features recently added to the project:
  • support for MongoDB, CouchDB, Redis, HBase and Cassandra;
  • support for NoSQL web applications;
  • a payload list for JavaScript injection and web application enumeration;
  • scanning of MongoDB, CouchDB and Redis;
  • dictionary attacks against MongoDB, CouchDB and Redis;
  • an enumeration module for retrieving data from the database;
  • detection of the MongoDB web interface;
  • Shodan query support;
  • a multi-threaded scanner that takes IP addresses from a list;
  • sniffing of MongoDB, CouchDB and Redis traffic.
This is only a partial list of the tool's capabilities: it is actively developed alongside the growing popularity of NoSQL, which by now appears in almost every serious web project or portal. We therefore recommend taking a look at the NoSQL Exploitation Framework.

How Do I Prevent It?

Here are some measures to prevent SQL / NoSQL injection attacks, or to minimize the impact if one happens:
  • Prepared Statements: For SQL calls, use prepared statements (parameterized queries) instead of building dynamic queries with string concatenation.
  • Input Validation: Validate inputs to detect malicious values. For NoSQL databases, also validate input types against the expected types: a password field must be a string, never an object, so that a parsed JSON body cannot smuggle query operators such as $gt or $ne into the filter.
  • Least Privilege: To minimize the potential damage of a successful injection, do not assign DBA or admin-type access rights to your application accounts. Similarly, minimize the privileges of the operating system account that the database process runs under.
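The following is an added example, not code from the original post or from the NoSQL Exploitation Framework. It ties together the $gt / $ne bypass explained above and the "validate input types" measure in the list: a login check written exactly like the db.accounts.find() call on the page, run once without and once with a type check. Because it has to run offline, the collection is a constructed in-memory array and find() is a toy matcher that implements only the equality, $gt and $ne semantics needed here (it assumes, as MongoDB does for these operators, that strings compare lexicographically). The account data and attacker payloads are constructed for the demonstration.

```javascript
// Constructed sample data standing in for the `accounts` collection.
const accounts = [
  { username: "admin", password: "s3cr3t-admin-pw" },
  { username: "alice", password: "correct horse" },
];

// Evaluate one field condition the way MongoDB does for a string field:
// a plain value means equality, an object means operator comparison.
// Only $gt and $ne are implemented; anything else is rejected loudly so the
// toy matcher never silently returns a wrong answer.
function fieldMatches(stored, cond) {
  if (cond === null || typeof cond !== "object") return stored === cond;
  return Object.entries(cond).every(([op, value]) => {
    switch (op) {
      case "$gt": return stored > value;   // lexicographic for strings
      case "$ne": return stored !== value;
      default: throw new Error(`operator ${op} not implemented in this toy matcher`);
    }
  });
}

// Minimal stand-in for db.accounts.find(filter): every key of the filter
// must match the corresponding field of the document.
function find(filter) {
  return accounts.filter((doc) =>
    Object.entries(filter).every(([key, cond]) => fieldMatches(doc[key], cond)));
}

// VULNERABLE: the parsed request body goes straight into the query, exactly
// like db.accounts.find({username: username, password: password}).
// If body.password is the object {"$gt": ""}, it becomes a query operator.
function loginVulnerable(body) {
  return find({ username: body.username, password: body.password });
}

// HARDENED: enforce the expected type before the value reaches the query.
// An object can never be a valid password, so it is treated as a failed login
// instead of being forwarded as an operator.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return [];
  }
  return find({ username: body.username, password: body.password });
}

// Attacker-controlled JSON bodies (constructed), plus two honest attempts.
const gtPayload = { username: "admin", password: { $gt: "" } };
const nePayload = { username: "admin", password: { $ne: "" } };
const honest = { username: "admin", password: "s3cr3t-admin-pw" };
const wrongPw = { username: "admin", password: "guess" };

// Summary of both behaviours, returned rather than printed so it can be checked.
function demo() {
  return {
    vulnGt: loginVulnerable(gtPayload).length,     // 1: admin returned without the password
    vulnNe: loginVulnerable(nePayload).length,     // 1
    vulnWrongPw: loginVulnerable(wrongPw).length,  // 0: plain wrong password still fails
    hardGt: loginHardened(gtPayload).length,       // 0: operator object rejected
    hardHonest: loginHardened(honest).length,      // 1: real credentials still work
  };
}

console.log(demo());
```

The type check is the whole fix: the operator object only exists because a JSON body parser (or a query-string parser that expands `password[$gt]=` into an object) hands the application a nested object where it expected a string. Coercing with String() would also neutralise the operator, but an explicit type check is preferable because it fails closed and makes the rejection visible in logs.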