NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database.
A NoSQL (originally referring to “non SQL”, “non relational” or “not only SQL”) database provides a mechanism for storage and retrieval of data which is modeled in means other than the tabular relations used in relational databases.
Such databases have existed since the late 1960s, but did not obtain the “NoSQL” moniker until a surge of popularity in the early twenty-first century, triggered by the needs of Web 2.0 companies such as Facebook, Google, and Amazon.com.
NoSQL databases are increasingly used in big data and real-time web applications. NoSQL systems are also sometimes called “Not only SQL” to emphasise that they may support SQL-like query languages.
Also Read – DrMITM : A Program Designed To Globally Log All Traffic Of A Website
DBMS Support
Presently the tool’s exploits are focused around MongoDB, and CouchDB but additional support for other NoSQL based platforms such as Redis, and Cassandra are planned in future releases.
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap’s dependencies.
Varies based on features used:
There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.
python setup.py install
Alternatively you can build a Docker image by changing to the docker directory and entering:
docker build -t nosqlmap .
Start with
python NoSQLMap
NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:
Explanation of options:
Once options are set head back to the main menu and select DB access attacks or web app attacks as appropriate for whether you are attacking a NoSQL management port or web application.
The rest of the tool is “wizard” based and fairly self explanatory, but send emails to codingo@protonmail.com or find me on Twitter @codingo_ if you have any questions or suggestions.
Video Tutorial
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…