Nmap Development mailing list archives

Bug in mongodb.lua (with patch)


From: Nathan Martini <akusei.x () gmail com>
Date: Sat, 25 Jul 2015 13:25:38 -0600

To whom it may concern:

I was making a script to enumerate all databases and their collections
with nmap since there was no supplied script to do that. There is one to
list databases but it stops there. In writing this script I found a bug
in the "query" method of the provided mongodb.lua script.

The method works perfectly for queries that return back exactly 1
document, but there are situations where a query would return back more
than 1. For example, the "<db>.system.namespaces" query will return back
1 document for each collection found. I can work around this by
utilizing the skip and number of documents to return properties but that
would mean that for a database that has, say 100 collections, I would
need to make a separate query for each collection and make 100 round
trips to the database. Normally, I could just do 1 round trip and get
all results.

My lua skills are lacking so please forgive my code if it's less than
elegant, but I've provided the patch file for your review.

Basically all it does is check the number of returned documents and, if
it's <= 0, the normal method of parsing is used; otherwise I look over
all the data and parse each document until there isn't anything left to
parse.

I've also attached a (horrible) script (do not distribute the test
script) to illustrate the problem. Simply run the script against a
mongodb with multiple collections in a given database. Run it without
the patch and with the patch, you'll see the issue.

EXAMPLE OUTPUT FROM TESTS:
(database and collection names have been changed)

WITHOUT PATCH:
nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
NSE: name: cookies.system.indexes
NSE: name: local.startup_log
NSE: options:
NSE:   size: 10485760
NSE:   capped: true
NSE: name: admin.system.version

WITH PATCH:
nmap -sT -Pn -n --open -p 27017 -d --script mongodb_test <ip>
NSE: 1:
NSE:   name: admin.system.version
NSE: 2:
NSE:   name: admin.system.indexes
NSE: 3:
NSE:   name: admin.system.version.$_id_
NSE: 4:
NSE:   name: admin.system.users
NSE: 5:
NSE:   name: admin.system.users.$_id_
NSE: 6:
NSE:   name: admin.system.users.$user_1_db_1
NSE: 1:
NSE:   options:
NSE:     capped: true
NSE:     size: 10485760
NSE:   name: local.startup_log
NSE: 2:
NSE:   name: local.system.indexes
NSE: 3:
NSE:   name: local.startup_log.$_id_
NSE: 1:
NSE:   name: cookies.system.indexes
NSE: 2:
NSE:   name: cookies.Visit_logger
NSE: 3:
NSE:   name: cookies.Visit_logger.$_id_
NSE: 4:
NSE:   name: cookies.Cookie_logger
NSE: 5:
NSE:   name: cookies.Cookie_logger.$_id_

Notice that without the patch, only 1 collection from each database is
returned. With the patch, all collections, including indexes, are returned.

Please don't hesitate to contact me if you have any questions, or even
to tell me that what I've done is crap; all feedback is good.

Best regards,
Nathan Martini

Attachment: mongodb.patch

Attachment: mongo_test.nse
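The failure Nathan describes is a reply-parsing bug: a legacy MongoDB OP_REPLY carries a numberReturned count followed by that many concatenated BSON documents, and a parser that decodes one document and stops silently drops the rest. The following Python is an added illustration of that wire format and of the two parsing behaviours; it is not the attached patch, not code from Nmap's mongodb.lua, and not an NSE script. It implements only the BSON subset the sample needs (string, bool, int32, embedded document), and the sample namespace list is constructed from the names shown in the post rather than captured from a server.

```python
import struct

OP_REPLY = 1  # legacy wire-protocol opcode for a server reply


def bson_encode(doc):
    """Encode a dict of str/bool/int32/dict values as a BSON document."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):                      # 0x08 boolean
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):                     # 0x10 int32
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, str):                     # 0x02 UTF-8 string
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):                    # 0x03 embedded doc
            body += b"\x03" + name + bson_encode(value)
        else:
            raise TypeError("unsupported value type %r" % type(value))
    # int32 total length (including itself and the terminator), elements, 0x00
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(data, pos=0):
    """Decode one BSON document starting at data[pos]; return (dict, end)."""
    total = struct.unpack_from("<i", data, pos)[0]
    end = pos + total
    p = pos + 4
    doc = {}
    while data[p] != 0:
        kind = data[p]
        p += 1
        nul = data.index(b"\x00", p)
        key = data[p:nul].decode()
        p = nul + 1
        if kind == 0x08:
            doc[key] = data[p] == 1
            p += 1
        elif kind == 0x10:
            doc[key] = struct.unpack_from("<i", data, p)[0]
            p += 4
        elif kind == 0x02:
            slen = struct.unpack_from("<i", data, p)[0]
            p += 4
            doc[key] = data[p:p + slen - 1].decode()
            p += slen
        elif kind == 0x03:
            doc[key], p = bson_decode(data, p)
        else:
            raise ValueError("unsupported BSON type 0x%02x" % kind)
    if p + 1 != end:
        raise ValueError("BSON length field disagrees with element data")
    return doc, end


def build_op_reply(docs, request_id=1, response_to=1, cursor_id=0):
    """Frame a list of dicts as an OP_REPLY: header, flags, cursor, docs."""
    payload = b"".join(bson_encode(d) for d in docs)
    body = struct.pack("<iqii", 0, cursor_id, 0, len(docs)) + payload
    header = struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_REPLY)
    return header + body


def parse_op_reply(msg, all_documents=True):
    """Return the documents in an OP_REPLY.

    all_documents=False reproduces the pre-patch behaviour the post
    describes: decode the first document and ignore numberReturned.
    """
    msg_len, _req, _resp, op_code = struct.unpack_from("<iiii", msg, 0)
    if op_code != OP_REPLY or msg_len != len(msg):
        raise ValueError("not a complete OP_REPLY message")
    _flags, _cursor, _start, number_returned = struct.unpack_from("<iqii", msg, 16)
    pos = 36  # 16-byte header + 20-byte reply preamble
    if not all_documents:
        first, _ = bson_decode(msg, pos)
        return [first]
    docs = []
    for _ in range(number_returned):           # one BSON doc per namespace
        doc, pos = bson_decode(msg, pos)
        docs.append(doc)
    if pos != msg_len:
        raise ValueError("numberReturned does not account for all reply bytes")
    return docs


def collection_names(docs):
    """Namespace names that are collections; index namespaces contain '$'."""
    return [d["name"] for d in docs if "$" not in d["name"]]


# Constructed sample: what <db>.system.namespaces returned for "local" above.
SAMPLE_NAMESPACES = [
    {"name": "local.startup_log", "options": {"capped": True, "size": 10485760}},
    {"name": "local.system.indexes"},
    {"name": "local.startup_log.$_id_"},
]
SAMPLE_REPLY = build_op_reply(SAMPLE_NAMESPACES)

if __name__ == "__main__":
    print("one document only:", parse_op_reply(SAMPLE_REPLY, all_documents=False))
    print("all documents:    ", parse_op_reply(SAMPLE_REPLY))
    print("collections:      ", collection_names(parse_op_reply(SAMPLE_REPLY)))
```

The length checks are the part worth keeping in a real client: a reply whose numberReturned and per-document length fields do not add up to messageLength is either truncated or malformed, and decoding it by "parse until the buffer is empty" alone would mask that.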

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
