You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+11-3Lines changed: 11 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,14 +6,20 @@ NoSQLMap
6
6
Introduction
7
7
============
8
8
9
-
NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database. It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool SQLmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.
9
+
NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database.
10
+
11
+
It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool [http://sqlmap.org](sqlmap), and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.
10
12
11
13
Requirements
12
14
============
13
15
14
16
Varies based on features used:
15
-
-Python with PyMongo, httplib2, and urllib available; There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
16
-
-Metasploit Framework
17
+
- Metasploit Framework,
18
+
- Python with PyMongo,
19
+
- httplib2,
20
+
- and urllib available.
21
+
22
+
There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
17
23
18
24
Usage:
19
25
@@ -40,12 +46,14 @@ python nosqlmap.py.
40
46
**ALWAYS USE OPTION 1 FIRST TO SET THE PARAMETERS!**
41
47
42
48
Explanation of options:
49
+
```
43
50
1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack.
44
51
2. Set web app port-TCP port for the web application if a web application is the target.
45
52
3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. acct.php?acctid=102).
46
53
4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp.
47
54
5. Set my local Mongo/Shell IP-Set this option if attacking a MongoDB instance directly to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to.
48
55
6. Set shell listener port-If opening Meterpreter shells, specify the port.
49
56
7. Back to main menu.
57
+
```
50
58
51
59
Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate. Send emails to [email protected] or find me on Twitter [https://twitter.com/tcstoolHax0r](@tcstoolHax0r) if you have any questions or suggestions.
0 commit comments