Re: Bug in mongodb.lua (with patch)

[Daniel Miller <bonsaiviking () gmail com>]

Nathan,

I really appreciate what you've done with this extension to mongodb.lua. I
apologize that it has taken so long to get around to reviewing it! With
that said, I had a couple comments:

First, it would probably be better to *always* return a table of documents
as a result, even if only one was returned. This way scripts can use the
same logic (loop over table of result documents) no matter how many
documents were returned. This *would* require changing the existing
scripts, but I can handle that myself if you provide the change to the
library.

Second, I would like to see this submitted along with your script for
enumerating databases. Otherwise it just becomes a complication of the
existing library without benefit to the end user. We want to make script
submission as easy and fun as possible, so if you have any questions, feel
free to mail this list or stop by #nmap on Freenode IRC. If you prefer to
use Github, we now accept Pull Requests: https://github.com/nmap/nmap

Dan

(Link to SecLists archive of previous message:
http://seclists.org/nmap-dev/2015/q3/152)

On Sat, Jul 25, 2015 at 2:25 PM, Nathan Martini <akusei.x () gmail com> wrote:

> To whom it may concern:
>
> I was making a script to enumerate all databases and their collections
> with nmap since there was no supplied script to do that. There is one to
> list databases but it stops there. In writing this script I found a bug
> in the "query" method of the provided mongodb.lua script.
>
> The method works perfectly for queries that return back exactly 1
> document, but there are situations where a query would return back more
> than 1. For example, the "<db>.system.namespaces" query will return back
> 1 document for each collection found. I can work around this by
> utilizing the skip and number of documents to return properties but that
> would mean that for a database that has, say 100 collections, I would
> need to make a separate query for each collection and make 100 round
> trips to the database. Normally, I could just do 1 round trip and get
> all results.
>
> My lua skills are lacking so please forgive my code if it's less than
> elegant, but I've provided the patch file for your review.
>
> Basically all it does it checks the number of returned documents and if
> it's <= 0 the normal method of parsing is used, otherwise I look over
> all the data and parse each document until there isn't anything left to
> parse.
>
> I've also attached a (horrible) script (do not distribute the test
> script) to illustrate the problem. Simply run the script against a
> mongodb with multiple collections in a given database. Run it without
> the patch and with the patch, you'll see the issue.
>
> EXAMPLE OUTPUT FROM TESTS:
> (database and collection names have been changed)
>
> WITHOUT PATCH:
> nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
> NSE: name: cookies.system.indexes
> NSE: name: local.startup_log
> NSE: options:
> NSE:   size: 10485760
> NSE:   capped: true
> NSE: name: admin.system.version
>
> WITH PATCH:
> nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
> NSE: 1:
> NSE:   name: admin.system.version
> NSE: 2:
> NSE:   name: admin.system.indexes
> NSE: 3:
> NSE:   name: admin.system.version.$_id_
> NSE: 4:
> NSE:   name: admin.system.users
> NSE: 5:
> NSE:   name: admin.system.users.$_id_
> NSE: 6:
> NSE:   name: admin.system.users.$user_1_db_1
> NSE: 1:
> NSE:   options:
> NSE:     capped: true
> NSE:     size: 10485760
> NSE:   name: local.startup_log
> NSE: 2:
> NSE:   name: local.system.indexes
> NSE: 3:
> NSE:   name: local.startup_log.$_id_
> NSE: 1:
> NSE:   name: cookies.system.indexes
> NSE: 2:
> NSE:   name: cookies.Visit_logger
> NSE: 3:
> NSE:   name: cookies.Visit_logger.$_id_
> NSE: 4:
> NSE:   name: cookies.Cookie_logger
> NSE: 5:
> NSE:   name: cookies.Cookie_logger.$_id_
>
> Notice that without the patch, only 1 collection from each database is
> returned. With the patch, all collections, including indexes are returned.
>
> Please don't hesitate to contact me if you have any questions, or even
> to tell me that what I've done is crap; all feedback is good.
>
> Best regards,
> Nathan Martini
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/