MongoDB Authentication Disabled

漏洞信息

漏洞名称： MongoDB Authentication Disabled

漏洞类型： 未授权访问

漏洞等级： 高危

漏洞描述： MongoDB是一个广泛使用的开源NoSQL数据库，以其高性能、高可用性和易扩展性而闻名，常用于大型网站、移动应用和企业级数据存储。该漏洞涉及MongoDB的认证机制未启用或配置不当，具体表现为在mongod.conf配置文件中缺少’authorization: enabled’这一安全配置项。这种配置错误会导致数据库服务在启动时不强制执行身份验证，从而允许未经授权的用户直接访问数据库。漏洞的技术根源在于系统管理员或部署脚本未能正确配置MongoDB的安全选项，或者在升级或迁移过程中忽略了安全配置的检查和更新。此漏洞的高危性在于，攻击者可以利用这一配置缺陷，无需任何认证即可连接到MongoDB实例，执行任意数据库操作，包括数据泄露、篡改或删除，甚至可能导致整个数据库服务被接管。由于MongoDB的广泛应用，此类配置问题可能影响到大量企业和在线服务，尤其是在默认安装或自动化部署场景下更为常见。

产品厂商： MongoDB

产品名称： MongoDB

来源： https://github.com/projectdiscovery/nuclei-templates/blob/804d1df949d5fbbfdee11564a2df65b6836a8d60/javascript%2Faudit%2Fmongodb%2Fmongodb-auth-disabled.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: mongodb-auth-disabled

info:
  name: MongoDB Authentication Disabled
  author: pussycat0x
  severity: high
  description: |
    Detects if MongoDB authentication is disabled or missing in mongod.conf.
    If 'authorization: enabled' is missing under 'security:', authentication is not enforced.
  reference:
    - https://wiki.devsecopsguides.com/docs/checklists/mongodb/
  metadata:
    verified: true
  tags: mongodb,audit,ssh,auth,hardening

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      c.Connect(Host,Port,User,Pass);
      const MongoConfig = c.Run(Code)
      MongoConfig
      let result = "";
      if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("#security") && !MongoConfig.includes("authorization: enabled")) {
      result += "MongoDB Auth Disabled";
      } else {
      exit();
      }
      result

    args:
      Host: "{{Host}}"
      Port: "22"
      User: "{{usernames}}"
      Pass: "{{passwords}}"
      Code: cat {{path}}

    payloads:
      path:
        - /etc/mongod.conf
        - /usr/local/etc/mongod.conf
        - /opt/homebrew/etc/mongod.conf

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a004730450221008185a9e90eb7e1e9bbd42dfef4078aced5cf8967e0312817328688982f9ff527022051079da7a4bc86a726de720394ee9c99a717b3f3f4efb9bd654832217b5a963e:922c64590222798bb761d5b6d8e72950