How to hack millions of MongoDB servers, the LAZY way!

Hey plebs, do you often wonder if there is a tool you can just run and leave for a few minutes (or months?) that spits out the IP addresses of vulnerable servers? :D Yeah, me too!

So I built this tool, MongoBuster, to do the hard work for you.

1) Get MongoBuster
2) Run it
3) Get vuln IPs
4) ???
5) Profit!!

So here is how you get those sweet mongo instances -

# Make sure you have go language installed in your system before continuing.

git clone https://github.com/yashpl/mongoBuster.git

cd mongoBuster

go build mongobuster.go utils.go

sudo ./mongobuster

Note: run it with sudo, as Masscan requires root access.

Now let's fire up MongoBuster and see how it works.

Within a few minutes of starting the tool, we get a vulnerable IP. The tool also lists the names of all the databases it found on that IP, so you can decide which ones are worth it based on their names.

To further test this IP, we will use a GUI tool for managing MongoDB instances called Robo 3T; you can download this tool here. Make sure you download Robo 3T, not Studio 3T.

Let's launch Robo 3T -

Click on "Create", which opens a new window; fill in details like the IP address and a name for the connection, then click "Save".

Now click "Connect" to connect to the saved connection. Duh!

Finally, we can see the list of all DBs on this server. From here you can either dump all the data, edit/delete it, or try to responsibly disclose it to the rightful owners; I'd suggest the latter :)
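If you run a MongoDB server yourself, the workflow above leaves a clear trace in mongod's own log: a connection accepted from an address outside your network, followed by a listDatabases on that same connection. The script below is an added example (not part of this post or of MongoBuster) that pulls exactly that pattern out of the log. It assumes mongod's classic text log format (pre-4.4) or the 4.4+ JSON format with IPv4 remotes, and that command logging is turned on (profiling level or slowms) so listDatabases actually shows up; the sample lines are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample mongod log lines (values made up for this example): the
# classic text format used before 4.4, plus one 4.4+ JSON-format line.
SAMPLE_LOG = """\
2019-03-02T10:15:01.123+0000 I NETWORK  [listener] connection accepted from 10.0.0.7:41022 #11 (1 connection now open)
2019-03-02T10:15:09.456+0000 I NETWORK  [listener] connection accepted from 203.0.113.5:51234 #12 (2 connections now open)
2019-03-02T10:15:09.460+0000 I COMMAND  [conn12] command admin.$cmd command: listDatabases { listDatabases: 1 } numYields:0 reslen:120 protocol:op_msg 1ms
2019-03-02T10:16:30.000+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:60001 #13 (3 connections now open)
{"t":{"$date":"2021-05-01T08:00:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:44010","connectionId":14,"connectionCount":4}}
"""

# Ranges a client is expected to connect from; extend with your own CIDRs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

# Text format: "connection accepted from <ip>:<port> #<connId>"; JSON format: attr.remote + attr.connectionId.
ACCEPT_TEXT = re.compile(r"connection accepted from ([^\s:]+):\d+ #(\d+)")
ACCEPT_JSON = re.compile(r'"remote":"([^":]+):\d+".*?"connectionId":(\d+)')
# Both formats tag command lines with conn<N>, so one pattern covers listDatabases in either.
LISTDB = re.compile(r"\bconn(\d+)\b.*listDatabases")

def is_external(ip: str, allow=()) -> bool:
    """True unless the address falls in INTERNAL_NETS or an extra allowlisted CIDR."""
    addr = ipaddress.ip_address(ip)
    nets = INTERNAL_NETS + [ipaddress.ip_network(a) for a in allow]
    return not any(addr in net for net in nets)  # v4-in-v6 membership is simply False

def external_connections(log: str, allow=()) -> Dict[str, str]:
    """Map connection id -> source IP for every accepted connection from outside the allowed ranges."""
    found = {}
    for line in log.splitlines():
        m = ACCEPT_TEXT.search(line) or ACCEPT_JSON.search(line)
        if m and is_external(m.group(1), allow):
            found[m.group(2)] = m.group(1)
    return found

def external_enumeration(log: str, allow=()) -> List[str]:
    """Source IPs that connected from outside AND ran listDatabases on that connection."""
    conns = external_connections(log, allow)
    hits = [LISTDB.search(line) for line in log.splitlines()]
    return [conns[m.group(1)] for m in hits if m and m.group(1) in conns]

if __name__ == "__main__":
    print("external connections:", external_connections(SAMPLE_LOG))
    print("external DB enumeration from:", external_enumeration(SAMPLE_LOG))
```

Any hit from external_connections on a server that is supposed to be internal-only means bindIp or the firewall is wrong; a hit from external_enumeration means someone already browsed the database list, which is the point at which authorization should have stopped them.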