MapNoSQL
by Saiprasad16
NoSQLMap is an automated Python tool for auditing and exploiting injection vulnerabilities and default configuration weaknesses in NoSQL databases and web applications.
Automated NoSQL database enumeration and web application exploitation tool.
Primary Use Case
Security professionals and penetration testers use NoSQLMap to identify and exploit security flaws in NoSQL databases like MongoDB and CouchDB, helping to disclose or clone sensitive data. It is particularly useful for testing web applications that rely on NoSQL backends to ensure their configurations and query handling are secure.
- Automates injection attacks on NoSQL databases
- Exploits default configuration weaknesses in NoSQL setups
- Supports MongoDB and CouchDB with plans for Redis and Cassandra
- Menu-driven CLI interface for ease of use
- Ability to clone victim databases locally
- Integration with Metasploit Framework for shell access
- Supports parsing and importing Burp Suite requests
- Docker and Docker-compose support for easy deployment
Installation
- Run setup.sh script as root on Debian or Red Hat systems to install dependencies
- Install Python dependencies including PyMongo, httplib2, and urllib
- Ensure Metasploit Framework is installed if using exploitation features
- Install a local MongoDB instance for cloning databases
- Run 'python setup.py install' to install NoSQLMap
- Alternatively, build Docker image by navigating to the docker directory and running 'docker build -t nosqlmap .'
- Use Docker-compose with 'docker-compose build' and 'docker-compose run nosqlmap' to run the tool
Usage
- 'python NoSQLMap': Starts the NoSQLMap tool and presents the main menu for interaction
- '1-Set options': Configure target host/IP, web app port, URI path, HTTP method, local MongoDB IP, shell listener port, and load/save options
- '2-NoSQL DB Access Attacks': Launch attacks targeting NoSQL database access vulnerabilities
- '3-NoSQL Web App attacks': Perform injection and exploitation attacks against web applications using NoSQL databases
- '4-Scan for Anonymous MongoDB Access': Scan target servers for unsecured MongoDB instances allowing anonymous access
- '8-Load options from saved Burp request': Import HTTP request data saved from Burp Suite to populate attack parameters
- Can be chained with Metasploit Framework for automated exploitation and post-exploitation activities.
- Integrate into CI/CD pipelines for automated NoSQL injection vulnerability scanning during development.
- Use Docker deployment to enable rapid testing and reduce environment setup overhead.
- Leverage Burp Suite request import feature to replay and automate complex attack scenarios.
- Employ as part of purple team exercises to simulate realistic NoSQL injection attacks and improve detection capabilities.