MongoDB weak-password detection anomaly #126

Open
andrewgogogo opened this issue Jan 5, 2023 · 8 comments
Labels
bug Something isn't working

Comments

@andrewgogogo

MongoDB weak-password detection behaves abnormally: no weak-password result is reported. The returned Response content looks like this:

"Response": "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\nContent-Length: 85\r\n\r\nIt looks like you are trying to access MongoDB over HTTP on the native driver port.\r\n",

Only occasionally is the Response result correct.

The detection command used:
kscan.exe -t 192.168.86.128 -p 27017 -oJ mongodb.json

The actual weak password is:
admin/123456

@lcvvvv
Owner

lcvvvv commented Jan 5, 2023

Is the protocol not being identified? Post a screenshot of the scan results.

@andrewgogogo
Author

[screenshot: mongo]
As the screenshot shows, the protocol is identified. It just seems that during MongoDB fingerprinting the Response very often contains the reply to the HTTP request.

@andrewgogogo
Author

Response fingerprinting runs into two cases:
Case 1 (content returned for the HTTP request):
"Response": "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\nContent-Length: 85\r\n\r\nIt looks like you are trying to access MongoDB over HTTP on the native driver port.\r\n",

Case 2 (content returned by the mongodb protocol probe):
"Response": "Wx\u0000\u0000��\u0004\u0000:0\u0000\u...............................

@lcvvvv
Owner

lcvvvv commented Jan 6, 2023

You need to pass the --hydra parameter to enable weak-password detection.

@andrewgogogo
Author

Sorry, I attached the wrong screenshot. Even with the --hydra parameter it is not found:
[screenshot: mongo2]

Looking at the source (mongodb.go in the latest 1.85 source archive), the database connection string seems to have "ichunt" added to it. Removing it and rebuilding makes the MongoDB weak password detectable:
Before:
dataSourceName := fmt.Sprintf("mongodb://%v:%v@%v:%v/ichunt?authMechanism=SCRAM-SHA-1", Username, Password, Host, Port)

After:
dataSourceName := fmt.Sprintf("mongodb://%v:%v@%v:%v/?authMechanism=SCRAM-SHA-1", Username, Password, Host, Port)
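Why the one-character change matters: in a MongoDB connection string, the database named in the URI path is the default authentication database when no authSource option is given, so /ichunt makes the server look the user up in ichunt instead of admin. The Go program below is an added illustration, not kscan's code; it uses a simplified net/url-based parser (an assumption, single-host URIs only) and placeholder host and credentials to show where each of the two strings above authenticates.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ResolveAuthSource parses a single-host mongodb:// URI with net/url (assumed,
// simplified: no seed lists, no mongodb+srv://) and returns the user and the
// database the server checks the credentials against: an explicit authSource
// option wins, then the database named in the URI path, then "admin".
func ResolveAuthSource(rawURI string) (user, authSource string, err error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "mongodb" || u.User == nil || u.User.Username() == "" {
		return "", "", fmt.Errorf("need a mongodb:// URI with credentials: %q", rawURI)
	}
	q := u.Query()
	pathDB := strings.Trim(u.Path, "/")
	switch {
	case q.Get("authSource") != "":
		authSource = q.Get("authSource")
	case pathDB != "":
		// The path is the "default auth database": with /ichunt the user is
		// looked up in ichunt rather than admin, so a valid admin login fails.
		authSource = pathDB
	default:
		authSource = "admin"
	}
	return u.User.Username(), authSource, nil
}

func main() {
	// Constructed URIs mirroring the issue's before/after lines; host and credentials are placeholders.
	for _, uri := range []string{
		"mongodb://user:pass@10.0.0.5:27017/ichunt?authMechanism=SCRAM-SHA-1",
		"mongodb://user:pass@10.0.0.5:27017/?authMechanism=SCRAM-SHA-1",
		"mongodb://user:pass@10.0.0.5:27017/ichunt?authSource=admin",
	} {
		user, db, err := ResolveAuthSource(uri)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s authenticates against %q\n", user, db)
	}
}
```

The third URI shows the alternative fix: keeping a database in the path is harmless as long as authSource=admin is set explicitly.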

@andrewgogogo
Author

Also, when scanning MongoDB the content of the Response field varies; most of the time case 1 is returned. I don't know the reason for this. Could it be changed to return case 2, or could both be kept?

Response fingerprinting runs into two cases:
Case 1:
"Response": "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\nContent-Length: 85\r\n\r\nIt looks like you are trying to access MongoDB over HTTP on the native driver port.\r\n",

Case 2:
"Response": "Wx\u0000\u0000��\u0004\u0000:0\u0000\u...............................

@lcvvvv
Owner

lcvvvv commented Jan 9, 2023

[screenshot: ichunt]

Thanks for reporting the bug; it will be fixed in the next version.

@lcvvvv
Owner

lcvvvv commented Jan 9, 2023

Also, when scanning MongoDB the content of the Response field varies; most of the time case 1 is returned. I don't know the reason for this. Could it be changed to return case 2, or could both be kept?

That is the server answering different probe requests with different reply packets. Because of probe priority the HTTP request is sent first, but this does not affect the fingerprinting result or the password check.

@lcvvvv lcvvvv added the bug Something isn't working label Jan 9, 2023