NoSQLMap is an open source Python tool designed to audit for as well as automate Injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database.
It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular Sql Injection tool sqlmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases".
Requirements:
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.
Varies based on features used:
- Metasploit Framework
- Python with PyMongo
- httplib2
- urllib
- A local, default MongoDB instance for cloning databases
Features:
- Automated MongoDB database enumeration and cloning attacks.
- PHP application parameter injection attacks against MongoClient to return all database records.
- Javascript function variable escaping and arbitrary code injection to return all database records.
- Timing based attacks similar to blind SQL injection to validate Javascript injection vulnerabilities with no feedback from the application.
You might also like:
- WebSurgery - Web Application Security Testing Suite
- Beleth - Multi-threaded SSH Password Auditor
- pyClamd - Using Clamav with Python
- FuzzDB - Comprehensive Set Of Known Attack Sequences
- SecLists - The Pentesters Companion
- Cansina - Web Content Discovery Tool
- GoatDroid - Self-Contained Android Pentesting Environment
- Ghiro - Automated Digital Image Forensics Tool
- Mellivora - A CTF (Capture The Flag) Engine
- Lynis - Security Auditing Tool For Unix/Linux Systems
- FoxOne - Server Reconnaissance Scanner
- Umap - The USB Host Security Assessment Tool
- FS-NyarL - Network Takeover & Forensic Analysis Tool
- aidSQL - SQL Injection Detection Tool
- LANs.py - Tool For Injecting codes, Jamming WiFi, & Spying on WiFi Users
This post first appeared on Effect Hacking - Hacking Tools, How To Guides An, please read the originial post: here
