2014-12-21 23:55:56

MongoDB unauthorized access

MongoDB does not require auth to be configured by default, and the unauthorized access problem this causes is worrying.

Two years ago I wrote a MongoDB unauthorized-access scanner and found unauthorized access problems at a number of companies (testing showed these included some game vendors), but in terms of numbers it was not yet too serious.

Recently the MongoDB problem has been getting worse: when probing 10812 domestic IPs last week, close to 4000 IPs with unauthorized access were found.


Vulnerability verification method:

Using mongo-java-driver-2.12.4.jar:

```java
// With the official driver: if the connection succeeds and databases can be
// listed without any credentials, authorization is not enforced on the server.
MongoClient client = new MongoClient(host, port);
```

or, with a raw socket:

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;

private boolean loginTest(String host, int timeout) {
    try (Socket socket = new Socket()) {
        // Raw OP_QUERY wire message (63 bytes): 16-byte header (length, requestID,
        // responseTo, opCode 2004), flags, namespace "admin.$cmd", numberToSkip=0,
        // numberToReturn=1, then the BSON document {listDatabases: 1}.
        byte[] b = new byte[]{0x3f,0x00,0x00,0x00,(byte) 0x97,0x75,(byte) 0xbc,0x60,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xd4,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x61,0x64,0x6d,0x69,0x6e,0x2e,0x24,0x63,0x6d,0x64,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x10,0x6c,0x69,0x73,0x74,0x44,0x61,0x74,0x61,0x62,0x61,0x73,0x65,0x73,0x00,0x01,0x00,0x00,0x00,0x00};
        // The port is fixed to the MongoDB default; the host parameter is the only input.
        InetSocketAddress address = new InetSocketAddress(host, 27017);
        socket.connect(address, timeout);
        socket.setSoTimeout(timeout);
        OutputStream out = socket.getOutputStream();
        out.write(b);
        socket.shutdownOutput();
        BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        String str;
        StringBuilder sb = new StringBuilder();
        while ((str = br.readLine()) != null) {
            sb.append(str);
        }
        // A server without authorization answers with the database list, which
        // always contains "local"; with auth enabled it returns an error instead.
        return sb.toString().contains("local");
    } catch (Exception e) {
        return false;
    }
}
```
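To make the 63-byte probe above readable, and so the same request can be recognised in traffic captured towards port 27017, here is an added Python decoder for the legacy MongoDB OP_QUERY framing (example code written for this page, not part of the original post or of the MongoDB driver). The sample message is a constructed copy of the bytes quoted above; the set of "enumeration commands" is an assumption for the detection rule.

```python
import struct

OP_QUERY = 2004  # legacy MongoDB wire-protocol opcode used by the probe above

# Constructed sample: the exact 63-byte listDatabases probe quoted in the post.
PROBE = bytes([
    0x3f, 0x00, 0x00, 0x00,  # messageLength = 63
    0x97, 0x75, 0xbc, 0x60,  # requestID
    0xff, 0xff, 0xff, 0xff,  # responseTo = -1
    0xd4, 0x07, 0x00, 0x00,  # opCode = 2004 (OP_QUERY)
    0x00, 0x00, 0x00, 0x00,  # flags
]) + b"admin.$cmd\x00" + struct.pack("<ii", 0, 1) \
  + bytes([0x18, 0x00, 0x00, 0x00, 0x10]) + b"listDatabases\x00" + struct.pack("<i", 1) + b"\x00"


def parse_op_query(msg: bytes) -> dict:
    """Decode the header, namespace and first command key of an OP_QUERY message."""
    if len(msg) < 16:
        raise ValueError("truncated header")
    length, request_id, response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if length != len(msg):
        raise ValueError("messageLength does not match payload size")
    if opcode != OP_QUERY:
        return {"opcode": opcode}
    flags = struct.unpack_from("<i", msg, 16)[0]
    ns_end = msg.index(b"\x00", 20)        # fullCollectionName is a NUL-terminated cstring
    namespace = msg[20:ns_end].decode("ascii")
    skip, nreturn = struct.unpack_from("<ii", msg, ns_end + 1)
    doc = ns_end + 9                       # start of the BSON query document
    doc_len = struct.unpack_from("<i", msg, doc)[0]
    if doc + doc_len > len(msg):
        raise ValueError("BSON document overruns message")
    key_end = msg.index(b"\x00", doc + 5)  # byte doc+4 is the element type, key follows
    command = msg[doc + 5:key_end].decode("ascii")
    return {"opcode": opcode, "request_id": request_id, "response_to": response_to,
            "flags": flags, "namespace": namespace, "skip": skip,
            "nreturn": nreturn, "command": command}


# Assumed list of commands an anonymous client should never be allowed to run;
# a success against a server without authorization is the condition the post describes.
ENUMERATION_COMMANDS = {"listDatabases", "serverStatus", "hostInfo"}


def is_enumeration_probe(msg: bytes) -> bool:
    """True when msg is an OP_QUERY on a $cmd namespace carrying an enumeration command."""
    try:
        q = parse_op_query(msg)
    except ValueError:
        return False
    return q.get("namespace", "").endswith(".$cmd") and q.get("command") in ENUMERATION_COMMANDS
```

Feeding every client-to-server TCP payload on port 27017 through is_enumeration_probe gives a simple signature for this class of scan; pairing a hit with a reply that lists databases confirms the server has no authorization enabled.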

There also appears to be a "global MongoDB unauthorized access probing report" from the FF0000 ("evil red") team that likewise shows how serious the problem is:

Mongodb unauthorized access vulnerability global probing report

[+] Author: f1,2,4 
[+] Team: FF0000 TEAM <http://www.ff0000.cc> 
[+] From: HackerSoul <http://www.hackersoul.com> 
[+] Create: 2014-12-10 
Introduction 
Domain list 
Proof of Concept 
Scan results 
IP location 
Evil hackers