Nmap Development mailing list archives
Re: Bug in mongodb.lua (with patch)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 14 Jan 2016 09:07:00 -0600
Nathan, I really appreciate what you've done with this extension to mongodb.lua. I apologize that it has taken so long to get around to reviewing it! With that said, I had a couple comments:

First, it would probably be better to *always* return a table of documents as a result, even if only one was returned. This way scripts can use the same logic (loop over table of result documents) no matter how many documents were returned. This *would* require changing the existing scripts, but I can handle that myself if you provide the change to the library.

Second, I would like to see this submitted along with your script for enumerating databases. Otherwise it just becomes a complication of the existing library without benefit to the end user.

We want to make script submission as easy and fun as possible, so if you have any questions, feel free to mail this list or stop by #nmap on Freenode IRC. If you prefer to use Github, we now accept Pull Requests: https://github.com/nmap/nmap

Dan

(Link to SecLists archive of previous message: http://seclists.org/nmap-dev/2015/q3/152)

On Sat, Jul 25, 2015 at 2:25 PM, Nathan Martini <akusei.x () gmail com> wrote:
To whom it may concern:

I was making a script to enumerate all databases and their collections with nmap since there was no supplied script to do that. There is one to list databases but it stops there. In writing this script I found a bug in the "query" method of the provided mongodb.lua script. The method works perfectly for queries that return back exactly 1 document, but there are situations where a query would return back more than 1. For example, the "<db>.system.namespaces" query will return back 1 document for each collection found. I can work around this by utilizing the skip and number-of-documents-to-return properties, but that would mean that for a database that has, say, 100 collections, I would need to make a separate query for each collection and make 100 round trips to the database. Normally, I could just do 1 round trip and get all results.

My Lua skills are lacking, so please forgive my code if it's less than elegant, but I've provided the patch file for your review. Basically all it does is check the number of returned documents and, if it's <= 0, the normal method of parsing is used; otherwise I look over all the data and parse each document until there isn't anything left to parse.

I've also attached a (horrible) script (do not distribute the test script) to illustrate the problem. Simply run the script against a mongodb with multiple collections in a given database. Run it without the patch and with the patch, and you'll see the issue.
EXAMPLE OUTPUT FROM TESTS: (database and collection names have been changed)

WITHOUT PATCH:
nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
NSE: name: cookies.system.indexes
NSE: name: local.startup_log
NSE: options:
NSE:   size: 10485760
NSE:   capped: true
NSE: name: admin.system.version

WITH PATCH:
nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
NSE: 1:
NSE:   name: admin.system.version
NSE: 2:
NSE:   name: admin.system.indexes
NSE: 3:
NSE:   name: admin.system.version.$_id_
NSE: 4:
NSE:   name: admin.system.users
NSE: 5:
NSE:   name: admin.system.users.$_id_
NSE: 6:
NSE:   name: admin.system.users.$user_1_db_1
NSE: 1:
NSE:   options:
NSE:     capped: true
NSE:     size: 10485760
NSE:   name: local.startup_log
NSE: 2:
NSE:   name: local.system.indexes
NSE: 3:
NSE:   name: local.startup_log.$_id_
NSE: 1:
NSE:   name: cookies.system.indexes
NSE: 2:
NSE:   name: cookies.Visit_logger
NSE: 3:
NSE:   name: cookies.Visit_logger.$_id_
NSE: 4:
NSE:   name: cookies.Cookie_logger
NSE: 5:
NSE:   name: cookies.Cookie_logger.$_id_

Notice that without the patch, only 1 collection from each database is returned. With the patch, all collections, including indexes, are returned.

Please don't hesitate to contact me if you have any questions, or even to tell me that what I've done is crap; all feedback is good.

Best regards,
Nathan Martini

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
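The bug discussed in this thread is a wire-format parsing problem: a MongoDB OP_REPLY carries a numberReturned count followed by that many BSON documents back to back, and a parser that decodes one document and stops silently drops the rest. The following is an added example written for this archive page; it is not Nathan's patch and not code from Nmap's mongodb.lua. It decodes the OP_REPLY header (messageLength, requestID, responseTo, opCode, then responseFlags, cursorID, startingFrom, numberReturned) and loops over every document, returning a list even when only one document came back, which is the calling convention Dan asks for above. The minimal BSON codec handles only the types needed for the system.namespaces documents shown in the quoted output (string, int32, int64, double, boolean, embedded document). The sample reply is constructed in the code, modeled on the `local` database output quoted above; the helper names are this example's own.

```python
import struct

OP_REPLY = 1  # MongoDB wire protocol opCode for a reply message


def bson_decode(buf, offset=0):
    """Decode one BSON document starting at `offset`; return (dict, offset_after_doc)."""
    (doclen,) = struct.unpack_from("<i", buf, offset)
    end = offset + doclen
    pos = offset + 4
    doc = {}
    while True:
        etype = buf[pos]
        pos += 1
        if etype == 0x00:  # end-of-document marker
            break
        nul = buf.index(b"\x00", pos)
        key = buf[pos:nul].decode("utf-8")
        pos = nul + 1
        if etype == 0x01:    # double
            (val,) = struct.unpack_from("<d", buf, pos); pos += 8
        elif etype == 0x02:  # UTF-8 string: int32 length (incl. NUL) + bytes + NUL
            (slen,) = struct.unpack_from("<i", buf, pos); pos += 4
            val = buf[pos:pos + slen - 1].decode("utf-8"); pos += slen
        elif etype == 0x03:  # embedded document (e.g. the "options" sub-document)
            val, pos = bson_decode(buf, pos)
        elif etype == 0x08:  # boolean
            val = buf[pos] == 1; pos += 1
        elif etype == 0x10:  # int32
            (val,) = struct.unpack_from("<i", buf, pos); pos += 4
        elif etype == 0x12:  # int64
            (val,) = struct.unpack_from("<q", buf, pos); pos += 8
        else:
            raise ValueError("unsupported BSON element type 0x%02x" % etype)
        doc[key] = val
    if pos != end:
        raise ValueError("BSON document length mismatch")
    return doc, end


def parse_op_reply(msg):
    """Parse a full OP_REPLY and return ALL documents as a list (possibly empty)."""
    if len(msg) < 36:
        raise ValueError("OP_REPLY shorter than its fixed header")
    msg_len, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_REPLY or msg_len != len(msg):
        raise ValueError("not a complete OP_REPLY message")
    _flags, _cursor_id, _starting_from, number_returned = struct.unpack_from("<iqii", msg, 16)
    pos, docs = 36, []
    for _ in range(number_returned):  # the loop that the one-document parser lacks
        doc, pos = bson_decode(msg, pos)
        docs.append(doc)
    if pos != msg_len:
        raise ValueError("trailing bytes after the last document")
    return docs


def parse_first_document_only(msg):
    """The failure mode described in the report: decode one document and stop."""
    doc, _ = bson_decode(msg, 36)
    return doc


def bson_encode(doc):
    """Encode a dict of str/bool/int32/dict values; used only to build the sample reply."""
    body = b""
    for key, val in doc.items():
        k = key.encode("utf-8") + b"\x00"
        if isinstance(val, bool):            # bool before int: bool is an int subclass
            body += b"\x08" + k + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            body += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, str):
            s = val.encode("utf-8") + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            body += b"\x03" + k + bson_encode(val)
        else:
            raise TypeError("unsupported value type for %r" % key)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def build_op_reply(docs, request_id=1, response_to=1):
    """Build an OP_REPLY carrying `docs`; flags, cursorID and startingFrom are zero."""
    payload = b"".join(bson_encode(d) for d in docs)
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + payload
    header = struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_REPLY)
    return header + body


# Constructed sample, modeled on the "local" database output quoted in the thread.
SAMPLE_DOCS = [
    {"name": "local.startup_log", "options": {"capped": True, "size": 10485760}},
    {"name": "local.system.indexes"},
    {"name": "local.startup_log.$_id_"},
]
SAMPLE_REPLY = build_op_reply(SAMPLE_DOCS)

if __name__ == "__main__":
    print("first-document-only:", parse_first_document_only(SAMPLE_REPLY))
    for i, d in enumerate(parse_op_reply(SAMPLE_REPLY), 1):
        print("%d: %r" % (i, d))
```

Run against a real server, the same loop applies to the reply to a `<db>.system.namespaces` query; a caller that always receives a list can treat a one-collection database and a hundred-collection database identically, and a reply with numberReturned of zero simply yields an empty list rather than a parse error.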